With cyberattacks on the rise, the DoD is tightening its cybersecurity controls for contractors with a CMMC requirement.
What is CMMC?
The Cybersecurity Maturity Model Certification (CMMC) is a unifying standard framework that the Department of Defense (DoD) is now using to verify that Defense Industrial Base (DIB) companies, or any contractors that conduct business with the DoD, are implementing sufficient cybersecurity practices and processes. CMMC practices combine multiple standards (e.g. NIST SP 800-171, NIST Cybersecurity Framework, ISO 27001) and are intended to protect Federal Contact Information (FCI) and Controlled Unclassified Information (CUI) within unclassified networks.
CMMC is a unifying standard framework that the DoD is now using to verify that Defense Industrial Base companies, or any contractors that conduct business with the DoD, are implementing sufficient cybersecurity practices and processes.
The CMMC framework consists of five maturity levels:
Level 1 – performing basic cyber hygiene
Level 2 – documented processes for intermediate cyber hygiene
Level 3 – managing a documented system of good cyber hygiene
Level 4 – verifying effectiveness of system and proactively addressing risks / opportunities
Level 5 – optimizing system to implement and continually improve advanced cyber hygiene.
Each maturity level requires an increasing number of practices for each of the seventeen Capability Domains (e.g. Access Control, Asset Management, Awareness and Training, Personnel Security, System and Information Integrity, etc.). Within each maturity level, companies will have to demonstrate that they have the respective processes and evidence of performing the respective practices.
What is the difference between CMMC and NIST SP 800-171?
The five maturity levels of CMMC collectively provide more practices (for example, CMMC Level 3 includes the 110 security requirements specified in NIST SP 800-171) and therefore CMMC is overall considered to be more substantial for cybersecurity controls. In addition to assessing a company’s implementation of cybersecurity practices, the CMMC will also assess the company’s maturity processes. CMMC will additionally require regular external assessments from authorized and accredited ‘CMMC Third Party Assessment Organizations’ (C3PAOs) for companies to become certified.
Which contractors need to implement CMMC, at which Maturity Level?
The initial implementation of the CMMC will only be required for DoD contractors (and their subcontractors) and will be implemented through DFARS clause 252.204-7021. The Department will specify the required CMMC level in Requests for Information (RFIs) and Requests for Proposals (RFPs), but essentially if a contractor is touching CUI and they have a DFARS 7021 in their contract clause, they will need to be at least CMMC Level 3.
When do contractors need to implement CMMC?
In short: if a contractor is planning to do any business with the DoD [apart from exclusively providing Commercial Off-The-Shelf (COTS) products], better to act now and be ready. As a DoD-focused contractor, Tetra Tech’s Federal IT Group (EGlobalTech, BlueWater, Segue) is initiating steps to tighten its cybersecurity controls and be in a ready position to serve.
In detail: the Defense Federal Acquisition Regulation Supplement (DFARS) rule for CMMC implementation became effective in 2020, however the DoD introduced a phased rollout approach for contractors. During the first year of the rollout (2021), the Department will require no more than fifteen new Prime acquisitions to meet CMMC requirements as part of a CMMC pilot program. These contracts will focus on mid-sized programs that require the contractor to process or store CUI (CMMC Level 3). Primes will be required to flow down the appropriate CMMC requirement to their subcontractors. For subsequent fiscal years of the rollout, the Department intends to incorporate CMMC Levels 4 and 5 on a small number of contracts while increasing the quantity of Prime acquisitions that include a CMMC requirement to the following targets:
In the interim: DFARS Provision 7019, “Notice of NIST SP 800-171 DoD Assessment Requirements,” will require companies to have at least a NIST SP 800-171 Basic Assessment [i.e. an estimated 30-minute self-assessment using the organization’s existing System Security Plan (SSP) and Plan of Actions and Milestones (POAM) to calculate their own score and then entering it on the Supplier Performance Risks System (SPRS)] on record with the DoD to be considered for award, and DFARS Clause 7020 will require contractors to grant access to their facilities, systems, and personnel for the government to run Medium or High Assessments (for organizations handling CUI).