In what is certain to be a wakeup call for many organizations involved in Department of Defense contracts, The Cybersecurity Maturity Model Certification (CMMC) is set to become a part of life in 2020. Much like previous requirements, the CMMC requirements will also apply to subcontractors, and all Requests for Proposal (RFPs) will require CMMC levels. Levels will be determined by a third-party assessor and will range between 1-5, with 5 being the rating for the organizations deemed to be most secure.
Per a summary from The Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)):
- The CMMC will review and combine various cybersecurity standards and best practices and map these controls and processes across several maturity levels that range from basic cyber hygiene to advanced. For a given CMMC level, the associated controls and processes, when implemented, will reduce risk against a specific set of cyber threats.
- The CMMC effort builds upon existing regulation (DFARS 252.204-7012) that is based on trust by adding a verification component with respect to cybersecurity requirements.
- The goal is for CMMC to be cost-effective and affordable for small businesses to implement at the lower CMMC levels.
- The intent is for certified independent 3rd party organizations to conduct audits and inform risk.
The CMMC is in draft form now and is expected to be released as version 1.0 in January of 2020. In June of 2020 it will be included in government Requests for Information (RFIs). In Fall of 2020 it will be included in government RFPs. For those interested, the draft is available here.
For organizations that have fully implemented NIST 800-171, CMMC will be an easier road. But where NIST 800-171 allowed self-attestation, the CMMC will require third-party validation. As anyone who has been through a third-party audit or assessment knows, standards for evidence and testing procedures are often more stringent than internal assessments. This means that organizations that have leaned toward “saying yes” without fully understanding or implementing the requirements will face significant challenges when a third-party assessor seeks to validate compliance. The assessment will consider not just the existence of the controls and documentation, but also their effectiveness and how they have been operationalized.
The plan is for RFPs to designate which CMMC level is required, and organizations that are not certified at or above the designated level will not be considered. For many organizations, this will mean a loss of current or future business if they are not certified to the required level.
If the requirements are pushed to your organization, it is important to seek guidance as to what level of certification will be necessary. While certifying to lower levels should be more cost effective, certifying to higher levels will likely be far more onerous.
It is still being determined how the certification process will work and who will be authorized perform these assessments, but now is the time for organizations that are in the supply chain for the DoD to begin preparations.