If your company is a US government defense contractor, you are likely already on contract to comply with National Institute of Standards and Technology (NIST) SP 800-171. This information security standard codifies the requirements that any non-federal computer system must follow in order to store, process, or transmit Controlled Unclassified Information (CUI) or provide security protection for such systems. There is no certification process for NIST 800-171, so compliance has always been by self-attestation, meaning that each organization conducted its own internal assessment (or paid for one by a third party) and then signed off regarding its compliance to the Department of Defense (DoD).
But starting this year, the Cybersecurity Maturity Model Certification (CMMC) framework aims to build upon the Defense Federal Acquisition Regulation Supplement (DFARS) rules and NIST frameworks by requiring every DoD contractor to be assessed and certified by a third-party auditor. The model prescribes five levels of cybersecurity maturity that measure processes and technical controls and ensure alignment with relevant organizational policies. Eventually, the CMMC certification will determine whether contractors will be able to bid on a DoD contract, and most firms will be certified at either Level 1 or Level 3.
CMMC builds upon DFARS 252.204-7012 and NIST 800-171 by clarifying some controls and adding additional requirements. Per the DoD, the DFARS clause is being re-written to embed the CMMC requirements. This update should be released for public comment in 3Q2020 and will be the trigger for the inclusion of CMMC requirements in new DoD contracts. Once finalized, all companies doing business with the DoD including subcontractors will need to be certified at one of the five CMMC maturity levels to be eligible for future contract awards.
How This Affects You
CMMC Maturity Level 1 parallels the FAR 52.204-21 requirements, which all federal contractors must meet. At Level 1, organizations may receive and hold Federal Contract Information (FCI). If you hold (or create) any government data in the performance of your contracts, you likely hold at least FCI and possibly CUI as well. FCI is information not intended for public release that is provided by or generated for the government under a contract to develop or deliver a product or service to the government. The 17 technical controls at CMMC Level 1 prescribe basic cyber hygiene and represent the minimum any current DoD contractor should already have deployed. These practices establish a foundation for the higher levels of the model and must be completed by all certified organizations.
CMMC Level 3 indicates an ability to protect and sustain an organization’s assets and CUI. CUI is a designation for identifying unclassified information that requires proper safeguarding in accordance with federal law, regulations, and government-wide policies. If you store, process, or transmit CUI, you will need at least Level 3 certification. Note that export-controlled (e.g., ITAR) data is considered CUI and will be subject to CMMC Level 3 or higher. At Level 3, an organization is expected to adequately manage, resource, and review its compliance with policies and procedures, demonstrating management of practice implementation. Organizations certified at Level 3 will have demonstrated good cyber hygiene and effective implementation of all 110 controls in NIST SP 800-171, along with an additional 20 practices required by the CMMC framework (130 in total).
Contractors that are already NIST 800-171 compliant are starting with a good foundation. But if you are starting from scratch, you should plan for at least six months to become compliant. Writing policies, integrating and deploying multiple solutions, and making the necessary culture changes are all efforts that take time. Now is the time to review your current portfolio of DoD contracts; if they do not require you to maintain CUI, you can likely limit your compliance efforts to Level 1. But if you do hold CUI or other sensitive data, you should plan on Level 3 as a starting point. Then begin implementing the controls required at your desired CMMC level.
A self-assessment can identify the gaps in your information security management plan. For smaller companies with limited bandwidth, it may be in your best interest to have a professional compliance organization perform your assessment and provide a gap analysis. We help our clients assess their readiness now so they can proactively address any gaps and respond to prime contractors’ questionnaires and government RFIs regarding their ability to pass a CMMC audit. Whether you are starting from scratch or perhaps just need an external assessment to validate your most recent internal audit, we have the expertise to help.