In June 2019, the Department of Defense announced that it is introducing a new cybersecurity standard for contractors — the Cybersecurity Maturity Model Certification (CMMC). With cyberattacks and cyber-warfare in the news week after week, it’s no surprise that the Department of Defense is ready to take a harder line on enforcing cybersecurity standards for defense contractors handling sensitive information. The aim is to protect the supply chain and the Defense Industrial Base (DIB) from attack by foreign states or rogue actors.
If your business depends on defense contracts or subcontract work, then you’ll want to make sure that you understand the new regulations, and that you’re prepared as they take effect over the next few years.
What are the Current Cybersecurity Standards for Defense Contractors?
Cybersecurity requirements for contractors are already spelled out in the Defense Federal Acquisition Regulation Supplement (DFARS), in DFARS Clause 252.204-7012, often called DFARS 7012. This regulation requires that contractors handling controlled unclassified information (CUI) follow the security controls outlined in NIST Special Publication 800-171, plus a few other requirements specified in DFARS 7012. This includes things like authentication, access control, configuration management, and other basic cybersecurity requirements for systems that deal with CUI.
Currently, contractors may self-certify that they are complying with DFARS 7012 — there are no third-party auditing requirements in place. However, this has created gaps in the way NIST 800-171 controls are implemented, which has led to some serious cybersecurity breaches involving defense contractors.
Therefore, the DoD announced the creation of the Cybersecurity Maturity Model Certification to address these gaps in compliance and enforcement of cybersecurity regulations.
How Will CMMC Work?
The latest information on CMMC is available in the Draft CMMC Model v1.02 documents, published in March 2020. As of now, CMMC outlines 171 practices organized into 43 capabilities in 17 security domains. While these practices map closely with the controls specified in NIST 800-171, there are some additional controls that are drawn from DFARS 7012, NIST 800-53, and other DoD guidance.
CMMC specifies 5 maturity levels, with each one requiring an increasing number of controls to be implemented. DoD contracts, RFPs, and RFQs will specify which maturity level is required to bid on that contract. Additionally, each maturity level requires increasing sophistication of process institutionalization – the degree to which your organization has documented and is following defined cybersecurity processes.
How Will CMMC Affect My Business?
As of November 2020, the DoD has moved forward with CMMC implementation by adding its requirements to DFARS as Clause 252.204-7021. This specifies a phased rollout process, where an increasing number of contracts from FY 2021 to 2025 will include a CMMC maturity level requirement. This culminates on October 1, 2025, at which point all DoD contracts will include a minimum CMMC maturity level requirement.
Most significantly, CMMC requirements specified in the prime contract will flow down to all subcontractors in the supply chain that handle CUI or FCI (Federal Contract Information). This means that nearly every organization that does defense contract work will need to have a CMMC certification by 2025.
But what steps can you take now to get ready for CMMC?
The majority of the practices required by CMMC are directly taken from NIST SP 800-171, 800-53 and DFARS 7012, so these publications can be used to further clarify CMMC requirements. Reading through and discussing each one of the CMMC practices with your IT personnel and other stakeholders will be critical to successfully achieving certification.
Create a System Security Plan and Gap Analysis
Once you understand the requirements of CMMC, it’s time to put into writing what compliance with those requirements will look like in your environment. This document is called a System Security Plan (SSP).
At this point you will also need to decide the CMMC certification level that your organization needs, as it will affect which practices need to be included in your SSP. Level 3 will likely be the most common certification level for small- to midsize contractors, and will be the minimum requirement for contractors handling CUI. Smaller contractors that only handle FCI (Federal Contract Information) may only need Level 1 certification, while larger prime contractors may need Level 5 for some contracts.
To create an SSP, you will need to document your current systems and what needs to be done to secure them in compliance with CMMC. Likely this will involve several key people within your organization, including senior management, IT, and human resources. The more people that understand the requirements, and give input on how to meet them, the easier it will be to get the SSP written and implemented.
Then, it’s time for a preliminary assessment and gap analysis. This will show the gaps between your current security posture and where your SSP indicates you need to be. Bringing in a third-party assessor will be useful here to make sure there are no blind spots in your gap analysis and SSP.
Create a Plan of Action & Milestones (POA&M)
Your initial assessment and gap analysis will likely reveal a number of improvements that need to be made before you’re ready for the actual CMMC assessment. The next document to write up is called a Plan of Action & Milestones (POA&M – pronounced “Poe-Am”). The POA&M describes how your organization plans to implement the security controls or mitigations that are required to meet your SSP. This should include milestones, or specific timeframes when you expect to be able to implement the security requirements.
Get a CMMC Assessment from a C3PAO
Once everything on your POA&M is complete, it’s time to bring in the auditors. The CMMC-AB is currently training and registering Certified Third-Party Assessor Organizations (C3PAOs) to carry out official CMMC audits and certifications. You’ll schedule a CMMC assessment directly with a C3PAO.
After the audit, you’ll have 90 days to correct any deficiencies that the auditor found. Once the results are finalized and approved by the CMMC-AB, congratulations! You’ll be issued a CMMC certification that is good for three years.
Find a Partner for CMMC Certification
With all of the changes that CMMC will bring, it will pay to find a trusted partner to help guide you through the requirements. Many small businesses are turning to cloud providers — such as Office 365 GCC High — for turnkey compliance with many CMMC and NIST 800-171 controls.
Additionally, a Managed IT Service Provider (MSP) can provide you with on-demand cybersecurity expertise, guidance, and services. Here at E-N Computers, we’re already helping several of our clients to get ready for CMMC certification by preparing SSPs, gap analyses, and POA&Ms, and we can help you too.
If you would like to learn more about how you can prepare for CMMC, we invite you to schedule a free CMMC strategy session with our CEO, Ian MacRae. In this no-obligation, 30-minute session, you’ll have a chance to discuss your specific situation and determine the next steps that will get you moving toward certification quickly.