In late January, the Department of Defense released the final version of the Cybersecurity Maturity Model Certification (CMMC v. 1.0), outlining how contractors’ security regulations will shift with the new supplier cybersecurity compliance program.
As contractors have to adjust to the changing guidelines, it is crucial that they stay informed on the differences between the two programs. One of the most important changes to the model is that CMMC requires defense suppliers to be certified by CMMC assessors.
Under NIST 800-171, contractors could self-certify, meaning that they could claim current compliance, or they could claim their intention to be compliant. With DoD’s CMMC, third-party assessments will be required.
Additionally, the DoD will require that defense contractors meet CMMC regulations to receive contract awards for Requests for Proposals. In June 2020, selected Requests for Information will refer to CMMC requirements. In September 2020, selected RFPs will begin to include CMMC requirements.
Although large contractors and primes may be focusing on obtaining their own CMMC certification, that may not be sufficient. With the new requirements, defense subcontractors may also require CMMC compliance for selected awards.
The DoD has planned to enhance the cybersecurity maturity of smaller defense suppliers. To do that, CMMC scales down the NIST 800-171 requirements for smaller companies.
CMMC specifies five levels, with levels 1 and 2 being for smaller suppliers consisting of 300K companies. Level 5 companies include 171 different controls or practices, Level 1 suppliers only need to comply with 17 of them. Level 2 suppliers must comply with a total of 72 practices.
CMMC Level 3, the average, requires suppliers comply with NIST 800-171 level of practices. For Levels 4 and 5, additional domains, practices, and processes must be met.
There are more than 30 new practices for Levels 4 and 5 that have no relationship with NIST 800-171; instead, the practices are drawn from FAR clause 52.204-21, NIST 800-172, and practices from the Center for Internet Security, CERT Resilience Management Model and NIST Cybersecurity Framework.
DoD has added an additional three domains to the CMMC compared to NIST 800-171, including asset management, recovery, and situational awareness. NIST 800-171 has also been focused on controls and related practices, while CMMC has a practice focus and has a process requirement starting at Level 2 suppliers.
Finally, while CMMC has retained emphasis on access control, audits, configuration management, media and personnel security from NIST 800-171, DoD has included more regulations concerning the nature and speed of cyber threats.
CMMC has added a number of practices that are focused on situational awareness, cyber threat alerts and cyber threat intelligence. As the year progresses, and the regulations become integrated into business, it is imperative that GovCon members stay informed on cybersecurity, and how the new model will continue to shape the practices, supply chain security and other aspects of the federal market.
Potomac Officers Club will host its CMMC Forum 2020 on April 2. Click here to register for the event.
Katie Arrington, chief information security officer at the Office of the Assistant Secretary of Defense for Acquisition and a 2020 Wash100 Award recipient, will serve as a keynote speaker at the CMMC Forum 2020. She will address the CMMC’s timeline, how the certification process could change and will provide a memorandum of understanding with a newly established CMMC accrediting body.
A full expert panel will include Ty Schieber, senior director of executive education and CMMC-AB chairman of the University of Virginia and Richard Naylor of the Defense Counterintelligence and Security Agency (DCSA) among other members of the federal sector and industry.
Register here to join Potomac Officers Club for its CMMC Forum 2020 on April 2nd to learn about the impact DoD’s CMMC will have on cybersecurity practices, supply chain security and other aspects of the federal market.