A Preview of the New Cybersecurity Maturity Model Certification (CMMC)

Updated November 20, 2020 with the latest on CMMC

What is DFARS?

Defense Federal Acquisition Regulation Supplement (DFARS) was established in 2012 to address the need for contractors working with the federal government to provide assurance that Covered Defense Information (CDI), Controlled Unclassified Information (CUI), and Controlled Technical Information (CTI) are protected in a manner commensurate with their sensitivity.

This can include the following types of data:
• Critical Infrastructure
• Defense
• Export Control
• Financial
• Immigration
• Intelligence
• International Agreements
• Law Enforcement
• Legal
• Natural and Cultural Resources
• Nuclear
• Privacy
• Procurement and Acquisition
• Proprietary Business Information
• Provisional
• Statistical
• Tax

That’s a lot of information, and each organization needs to understand the type of information it gets or holds from the Department of Defense (DoD) and ensure that it is properly protected.

How DFARS Fell Short

Originally, federal contractors were able to self-attest to DFARS compliance by reporting their alignment to NIST Special Publication 800-171 (Rev. 1). This original DFARS implementation also lacked Certified Third Party Assessment Organization (C3PAO) validation activities to attest to the compliance of these contracted organizations.

Possibly as a result of this reliance on self-attestation, there were still instances of Intellectual Property (IP) theft through malicious cyber-attacks on improperly protected federal contractors. Some industry experts estimate the loss of CUI data from the insufficient implementation of cybersecurity controls amounts to almost 600 billion dollars every year. It is estimated that there are over 350,000 DoD subcontractors within the Defense Industrial Base (DIB) that could be affected by these new requirements.

To reduce this risk and other potential vulnerabilities, the government needed additional controls to ensure that contractors had an appropriately mature cybersecurity program in place to protect data in a manner commensurate with its sensitivity.

The CMMC Response

The Cybersecurity Maturity Model Certification (CMMC) is a new certification standard that will leverage parts of several different benchmarks to provide a set of flexible maturity requirements. It was established to provide the DoD with a process and metric to monitor a contracted organization’s ability to protect the CDI, CUI, and CTI that it stores, processes, or transmits on behalf of the DoD. Currently, only DoD contractors have this additional CMMC requirement. The government has not yet determined whether it will implement this requirement for other federal departments.

CMMC is not a replacement for DFARS. As a basis for establishing maturity levels, CMMC will leverage elements from the following frameworks and standards:
• Title 48, CFR (Code of Federal Regulations): Federal Acquisition Regulations System
• DFARS (Defense Federal Acquisition Regulation Supplement)
• NIST Special Publication 800-171 (Rev. 1)
• United Kingdom’s Cyber Essentials
• Australia’s Essential Eight

CMMC Details

The DoD will determine the maturity level needed for their subcontracts and assign a minimum baseline maturity level from CMMC Level 1 to CMMC Level 5. It will be up to the DoD contractors to achieve the appropriate certification level for the projects they want to bid on and support. The current draft version of CMMC has outlined the following number of controls needed per maturity level:
• CMMC Level 1: 17 Controls
• CMMC Level 2: 72 Controls
• CMMC Level 3: 131 Controls
• CMMC Level 4: 157 Controls
• CMMC Level 5: 173 Controls

CMMC levels are cumulative, so a contractor must have all the controls at the lower levels completed before adopting a higher maturity level. Notably, the DoD will establish the minimum CMMC level in contracting sections L & M of the Request for Proposal (RFP). If a contractor is not certified at that level by a C3PAO, they will not even be able to respond to that RFP.

CMMC removes all self-certifications. Therefore, all DoD contractors must partner with a C3PAO to perform a certified assessment. There is some good news for contractors in all of this. Since certification will now be a requirement, it has been indicated that DoD contractors can add it to their RFP response as an “allowable cost.” Previously, any costs for required security-related work were absorbed by the contractors as the “price of doing business” with the DoD.

CMMC Implementation Plan

The DoD is currently rolling out its CMMC implementation roadmap. Here’s a summary of progress to date and future plans:
• The CMMC Board has been established.
• CMMC version 1.0 was released on January 31, 2020.
• CMMC version 1.02 was released on March 18, 2020, to correct administrative errors identified in the initial 1.0 version and to provide a more accessible version of the model (in Excel format). There are no substantive or critical changes in this version relative to version 1.0.
• The CMMC Accrediting Body has been formed and is looking for a headquarters.
• The CMMC Accrediting Body is establishing the accreditation standards needed to certify C3PAOs to conduct assessments against the CMMC requirements and issue a CMMC certification.

Tevora holds ISO 17020 accreditation from A2LA under the R335 Specific Requirements – Cybersecurity Inspection Body Program for DFARS 252.204-7012 (NIST 800-171r1), Enterprise Security Risk Assessment (NIST RMF), and the NIST Cybersecurity Framework (v1.1). We are well versed in providing total customer care for all aspects of meeting your Federal compliance needs.

Tevora has registered to be part of the CMMC Auditor Marketplace as an interested company to pursue C3PAO certification.

Webinar Resource

DFARS and NIST 800-171 Updates: How to Stay Compliant with Imminent Changes

About the Authors

Troy Dahlin is a Senior Information Security Consultant at Tevora.
Kait Bestenheider is an Information Security Analyst at Tevora.