How Will Cybersecurity Maturity Model Certification (CMMC) Affect U.S. Defense Contractors?

Issues concerning the cybersecurity of U.S. defense industry contractors have been raised. Similarities between components in China’s J-31 aircraft and the U.S. F-35 Joint Strike Fighter, among other incidents, have led many to conclude cyber spying is an increasing problem. In response, the Department of Defense (DoD) is introducing the Cybersecurity Maturity Model Certification (CMMC) to secure its Defense Industrial Base (DIB).

In 2015, the DoD published the Defense Federal Acquisition Regulation Supplement (DFARS). This is part of an initiative to protect the US’s defense supply chain from both domestic and foreign cyber threats and reduce the overall security risk in the sector.

DFARS mandated private DoD contractors to adopt cybersecurity standards according to the National Institute of Standards and Technology (NIST) cybersecurity framework NIST SP 800-171. This was monitored mostly on trust, without a verification component in respect to cybersecurity requirements. It was not unusual to find contracting authorities and prime contractors requesting the required System Security Plan (SSP) and Plan of Action and Milestones (POA&M), under DFARS 252.204-7012, only after the contract award had been made. This resulted in several companies misrepresenting their cybersecurity efforts, for which they received severe penalties.

WHAT IS CMMC?

At the 2019 Federal Acquisition Conference, Katie Arrington, Special Assistant to the Assistant Secretary of Defense for Acquisition for Cyber, Office of the Under Secretary of Acquisition and Sustainment, reported how many contractors still hadn’t implemented NIST SP 800-171 within their information systems. Her speech made it clear that, alongside the preexisting acquisition criteria – cost, performance, and schedule – security must now also be a criterion.

The DoD has developed CMMC to address this issue in a cost-effective and affordable way. It updates existing regulations and ensures contractors have the relevant controls in place to protect sensitive data, including Federal Contract Information and Controlled Unclassified Information (CUI). To achieve this, it has taken the best practices from a variety of cybersecurity standards, including NIST SP 800-171, NIST SP 800-53, ISO 27001, ISO 27032, and AIA NAS9933, and created a single cohesive cybersecurity standard.

The standard covers seventeen ‘Domains’, many of which came from the Federal Information Processing Standards (FIPS) 200 security-related areas and the NIST SP 800-171 control families. They include:

1. Access Control
2. Asset Management
3. Audit and Accountability
4. Awareness and Training
5. Configuration Management
6. Identification and Authentication
7. Incident Response
8. Maintenance
9. Media Protection
10. Personnel Security
11. Physical Security
12. Recovery
13. Risk Management
14. Security Assessment
15. Situational Awareness
16. Systems and Communications Protection
17. System and Information Integrity

IMPLEMENTATION OF CMMC

In contrast to the requirements of DFARS 252.204-7012, CMMC demands cybersecurity measures are in place before the contract is awarded. In addition to documentation and policies, contractors will be evaluated based upon their implementation of actual technical controls – the maturity of their cybersecurity practices.

The contractor will then be certified to a level 1 to 5 – “Basic Cybersecurity Hygiene” to “Advanced”. The higher your company certifies, the more contracts you will be eligible to bid on. There are two advantages to this system for contractors. Firstly, it makes it more cost-effective for smaller companies that only require basic levels of cybersecurity. Secondly, if a contractor achieves a higher level, they are automatically able to bid for a greater variety of contracts.

Unlike current measures, CMMC is not based on self-certification. Instead, certified independent third-party organizations will conduct audits that inform the level of risk in the contractor. The contractor coordinates directly with the independent certification organization to request and schedule the assessment. In addition, they can specify the level of certification they wish to be assessed for, based on their business requirements.

Once the assessment has taken place and a certificate has been obtained, the level is made public but details regarding specific findings are not made public. The DoD will only have access to the certification level.

Contractors in the DIB are expected to the see the requirements of the CMMC becoming part of their Requests for Information from June 2020. Version 1.0 of the CMMC framework was made available in January 2020 to support contractors with their training requirements.

The introduction of CMMC will eliminate ambiguity among contractors, some of whom have often struggled to grasp compliance and how the DoD enforces it.SGS has a long history of successfully executing large-scale, complex projects such as CMMC adoption. Our experts can work with you in an efficient and cost-effective fashion, helping you receive the required CMMC to allow you to bid for contracts for the U.S. DoD.