A Preview of the New Cybersecurity Maturity Model Certification (CMMC)

What is DFARS?

The Defense Federal Acquisition Regulation Supplement (DFARS) cybersecurity clause, DFARS 252.204-7012, first published in 2013, requires contractors working with the federal government to provide assurance that Covered Defense Information (CDI), Controlled Unclassified Information (CUI) and Controlled Technical Information (CTI) are protected in a manner commensurate with their sensitivity.

This can include the following types of data:
• Critical Infrastructure
• Defense
• Export Control
• Financial
• Immigration
• Intelligence
• International Agreements
• Law Enforcement
• Legal
• Natural and Cultural Resources
• Nuclear
• Privacy
• Procurement and Acquisition
• Proprietary Business Information
• Provisional
• Statistical
• Tax

That is a long list, and each organization needs to understand which of these types of information it receives from, or holds on behalf of, the Department of Defense (DoD), because that information must be protected accordingly.

How DFARS Fell Short

Originally, contractors could self-attest to DFARS compliance by reporting their own alignment with NIST Special Publication 800-171 (Rev. 1). The original DFARS implementation also had no independent validation: there was no CMMC Third Party Assessment Organization (C3PAO) to attest to a contractor's compliance.

Potentially as a result of this self-attestation, malicious cyber-attacks on inadequately protected contractors continued to result in theft of Intellectual Property (IP). Some industry experts estimate that the resulting loss of CUI, caused by insufficient implementation of cybersecurity controls, costs almost 600 billion dollars every year. It is estimated that over 350,000 DoD contractors and subcontractors within the Defense Industrial Base (DIB) could be affected by the new requirements.

To reduce this risk, the government needed additional controls to ensure that contractors have a suitably mature cybersecurity program in place to protect DoD data in a manner commensurate with its sensitivity.

The CMMC Response

The Cybersecurity Maturity Model Certification (CMMC) is a new certification standard that draws on several existing benchmarks to provide a tiered set of maturity requirements. It was established to give the DoD a process and a metric for assessing a contractor's ability to protect the CDI, CUI and CTI it stores, processes or transmits on behalf of the DoD. Currently only DoD contractors are subject to the CMMC requirement; the government has not yet decided whether to extend it to other federal departments.

CMMC does not replace DFARS. As the basis for its maturity levels, CMMC draws on elements from the following frameworks and standards:
• Title 48, CFR (Code of Federal Regulations): Federal Acquisition Regulations System
• DFARS (Defense Federal Acquisition Regulation Supplement)
• NIST Special Publication 800-171 (Rev. 1)
• United Kingdom’s Cyber Essentials
• Australia’s Essential Eight

CMMC Details

The DoD will determine the maturity level required for each contract and assign a minimum baseline from CMMC Level 1 to CMMC Level 5. It is up to DoD contractors to achieve the certification level appropriate to the contracts they want to bid on and support. The current draft of CMMC specifies the following number of controls per maturity level:
• CMMC Level 1: 17 Controls
• CMMC Level 2: 72 Controls
• CMMC Level 3: 131 Controls
• CMMC Level 4: 157 Controls
• CMMC Level 5: 173 Controls

CMMC levels are cumulative: to be certified at a given level, a contractor must have implemented all of the controls at every lower level as well. Note also that the DoD will state the minimum CMMC level in sections L and M of the Request for Proposal (RFP); a contractor that has not been certified at that level by a C3PAO will not be eligible to respond to the RFP.

CMMC removes all self-certification; every DoD contractor must engage a C3PAO to perform the certification assessment. There is some good news in all of this. Because certification will now be a contractual requirement, it has been indicated that DoD contractors can treat it as an “allowable cost” in their proposals, whereas previously any security work the contractor had to perform was absorbed as the “price of doing business” with the DoD.

The CMMC Implementation Timeline

There is a roadmap for CMMC implementation, and the CMMC board is aiming for a kickoff in June 2020. The current status is:
• The CMMC Board has been established and issued Draft v0.7 of the CMMC for review in December 2019.
• CMMC v1.0 was scheduled for release at the end of January 2020 but, as of this writing, has not yet been released.
• The CMMC Accreditation Body has been formed and is looking for a headquarters.
• The CMMC Accreditation Body will need to establish the accreditation standards under which C3PAOs are certified to conduct assessments against the CMMC requirements and issue CMMC certifications.

Tevora holds ISO/IEC 17020 accreditation from A2LA under R335, Specific Requirements – Cybersecurity Inspection Body Program, covering DFARS 252.204-7012 (NIST SP 800-171 Rev. 1), Enterprise Security Risk Assessment (NIST RMF) and the NIST Cybersecurity Framework v1.1. Tevora is well versed in supporting all aspects of your federal compliance needs.
Tevora has registered in the CMMC Auditor Marketplace as an interested company pursuing C3PAO certification.

Webinar Resource

DFARS and NIST 800-171 Updates: How to Stay Compliant with Imminent Changes

About the Authors

Troy Dahlin is a Senior Information Security Consultant at Tevora.
Kait Bestenheider is an Information Security Analyst at Tevora.