What is the CMMC?

The Cybersecurity Maturity Model Certification (CMMC) is a unified standard for implementing cybersecurity across the defense industrial base (DIB), which includes over 300,000 companies in the supply chain. The CMMC is the DoD’s response to significant compromises of sensitive defense information located on contractors’ information systems.

The US Department of Defense (DoD) released the much-anticipated Cybersecurity Maturity Model Certification (CMMC) version 1.0 on January 31, 2020. It was drafted with significant input from University Affiliated Research Centers, Federally Funded Research and Development Centers, and industry.

Previously, contractors were responsible for implementing, monitoring and certifying the security of their information technology systems and any sensitive DoD information stored on or transmitted by those systems. Contractors remain responsible for implementing critical cybersecurity requirements, but the CMMC changes this paradigm by requiring third-party assessments of contractors’ compliance with certain mandatory practices, procedures and capabilities that can adapt to new and evolving cyber threats from adversaries.

What actions should DoD contractors take now?

DoD contractors should immediately learn the CMMC’s technical requirements and prepare not only for certification, but long-term cybersecurity agility. Details on how the CMMC assessments will be conducted, and how to challenge those assessments, are anticipated soon. DoD contractors that have already started to evaluate their practices, procedures and gaps when the details are finalized will be well-positioned to navigate the process and meet the mandatory CMMC contract requirements for upcoming projects.

The Office of the Under Secretary of Defense for Acquisition & Sustainment maintains a CMMC FAQ where contractors can keep up to date on the certification process.

The CMMC framework

The CMMC establishes five certification levels that reflect the maturity and reliability of a company’s cybersecurity infrastructure to safeguard sensitive government information on contractors’ information systems. The five levels are tiered and build upon each other’s technical requirements. Each level requires compliance with the lower-level requirements and institutionalization of additional processes to implement specific cybersecurity-based practices.

• Level 1: A company must perform “basic cyber hygiene” practices, such as using antivirus software or ensuring employees change passwords regularly to protect Federal Contract Information (FCI). FCI is “information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government.” It does not include public information or certain transactional information.
• Level 2: a company must document certain “intermediate cyber hygiene” practices to begin to protect any Controlled Unclassified Information (CUI) through implementation of some of the US Department of Commerce National Institute of Standards and Technology’s (NIST’s) Special Publication 800-171 Revision 2 (NIST 800-171 r2) security requirements. CUI is “any information that law, regulation, or government-wide policy requires to have safeguarding or disseminating controls,” but does not include certain classified information.
• Level 3: A company must have an institutionalized management plan to implement “good cyber hygiene” practices to safeguard CUI, including all the NIST 800-171 r2 security requirements as well as additional standards.
• Level 4: A company must have implemented processes for reviewing and measuring the effectiveness of practices as well as established additional enhanced practices detect and respond to changing tactics, techniques and procedures of advanced persistent threats (APTs). An APT is defined as an adversary that possesses sophisticated levels of expertise and significant resources that allow it to create opportunities to achieve its objectives by using multiple attack vectors.
• Level 5: A company must have standardized and optimized processes in place across the organization and additional enhanced practices that provide more sophisticated capabilities to detect and respond to APTs.

Who must comply with the CMMC?

All DoD contractors will eventually be required to obtain a CMMC certification. This includes all suppliers at all tiers along the supply chain, small businesses, commercial item contractors and foreign suppliers. The CMMC Accreditation Body (CMMC-AB) will coordinate directly with DoD to develop procedures to certify independent Third-Party Assessment Organizations (CP3AOs) and assessors that will evaluate companies’ CMMC levels.

When will CMMC compliance be required?

The DoD predicts that it will begin to include minimum certification requirements in requests for information (RFIs) as early as June 2020 and in select requests for proposals (RFPs) in September 2020. DoD has also indicated that a prime-level certification requirement will not necessarily be the same certification level required throughout its entire supply chain for a given contract. Differing certification levels on a single contract have the potential to raise complex implementation challenges for primes and subcontractors alike.

CMMC legal implications and takeaways

Certification preparation starts now. Accreditation procedures and accreditors have not yet been established, but we expect details soon. The DoD estimates that the DIB includes more than 300,000 contractors that will all need certification to continue to compete for DoD contracts.
Early preparation could result in a more efficient assessment with positive end results. Contractors should begin taking immediate steps to:

• Clearly document practices and procedures with those requirements that already comply with CMMC practices or processes.
• Plan for and implement further procedures and practices to obtain the highest certification level possible.

Prime contractors also should begin (or continue) working with subcontractors throughout the supply chain to assist in developing compliance programs where necessary or reviewing programs already in place.

Engage with agencies. Offerors should closely review RFIs and RFPs that include minimum certification requirements to ensure the assessed level is not unnecessarily burdensome and that it provides enough clarity for the certification level required throughout the supply chain. Offerors should consider providing feedback to DoD during the market research stage and during an RFP’s question and answer process.

If the issue is not resolved to the offeror’s satisfaction, the offeror could consider bringing a pre-award protest—although, as a general matter, the US Government Accountability Office and the Court of Federal Claims likely will be deferential to DoD on questions related to national security and technical requirements.

Follow the development of assessment challenges. One of the most significant concerns for contractors of all sizes is what type of due process will be available if a certification level or audit result is erroneous. The CMMC assessments could have a significant impact on contractors’ ability to meet minimum contract requirements, and a low rating could limit a contractor’s ability to meaningfully compete for work.

Currently, the CMMC does not establish a contractor’s right of appeal, although DoD indicates it is coming. This is an important development to follow. Where possible, contractors should provide DoD detailed feedback on any proposed due process procedures to ensure it is adequate.

Prepare to be agile. CMMC certification will soon be a minimum requirement to be eligible for DoD contract awards, but this does not mean that contractors should view their cyber-compliance as “complete” once certification is achieved. DoD has emphasized that the CMMC is a starting point for transforming contractors’ internal cybersecurity culture and that industry must focus on preparing for evolving threats, not simply achieving CMMC certification. Contractors that foster a culture of cyber resiliency and flexibility within their organizations, in addition to obtaining CMMC certification, will be best positioned to compete in a marketplace that is and will continue to be less tolerant of accepting cyber-related risks.