CMMC FAQs: Lessons From Katie Arrington's DreamPort 2020 Talk

Katie Arrington, CISO for Assistant Secretary for Defense Acquisition, gave an update on CMMC at DreamPort's conference. Here are the questions she answered.

The Department of Defense’s (DoD) new Cybersecurity Maturity Model Certification (CMMC) is presenting Defense Industrial Base (DIB) contractors with some very rigorous requirements to achieve certification and ultimately retain their ability to bid on government contracts past July of 2020.


Along with these new requirements comes a mountain of questions for those DIB contractors looking to meet one of the five levels of CMMC certification.


Katie Arrington, Chief Information Security Officer for DoD Acquisition Policy, gave a talk at DreamPort that helped answer some of the many questions that may be at the top of your mind as a DoD contractor looking to take steps toward CMMC certification.


Why did the DoD create the CMMC certification?

The DoD created CMMC certification to ensure that all organizations and individuals who touch sensitive government information keep that information as secure as possible.


In an effort to help incorporate cybersecurity “at the base of what [DoD contractors] do every single day,” the CMMC framework seeks to ingrain cybersecurity best practices into every interaction with sensitive data.


As technology advances, so too does the need for increased security. 

Consider advancements toward quantum computing. You may think of your current network as a house, constructed with a roof, walls and security doors to keep everything inside safe. But with changes in how networks are built and accessed, by 2025 that house will have no roof, no walls, no doors and you will be exposed to adversaries and competitors across the globe.


As such, the DoD wants to be ahead of the curve, rather than behind in matching these changes with increased security and protection. 

The DIB is the basis of our country’s national defense because the DoD doesn’t build most of the products it relies on, so if organizations that make up the DIB are compromised, so too is our national security. 

“Cybersecurity is foundational. It cannot be traded off for cost, schedule or performance.” - Katie Arrington


How many organizations have achieved CMMC certification?

There are not yet any CMMC accredited organizations. Because the DoD is in the midst of a rule change from the Defense Federal Acquisition Regulations Supplement (DFARS) to CMMC, there aren’t (as of this writing) any organizations that have gotten CMMC certified.

Currently, any business that does work with the government signs a contract with DFARS included. CMMC itself builds upon DFARS, clause DFARS 252.204-7012, which is specifically about safeguarding defense information and cyber incident reporting.


Even though there aren’t any currently certified organizations, that will change rapidly. There are about 300,000 organizations within the Defense Industrial Base today. While every DIB contractor will need to get at least CMMC Level 1 certification, fewer than 15,000 of those organizations are cleared to touch Controlled Unclassified Information (CUI) and therefore will be required to get at least CMMC Level 3 certification.


What is the difference between CMMC and DFARS?

The rules that apply today started in 2014. At that time, President Obama signed an executive order stating that members of the DoD that touched CUI had to apply the 110 cybersecurity controls from NIST special publication 800-171 Rev. 1. 


This is recorded in DFARS clause 252.204-7012. Essentially, if you have this clause in your contract, you are officially telling the government you are executing all 110 of those NIST controls today.


In actuality, almost none of the current DoD contractors are implementing all 110 controls, putting them in direct violation of their contracts. 

The idea behind CMMC, which builds upon DFARS, is to make it easier to comply and to help organizations actually take the steps needed to achieve compliance.


The major change from DFARS to CMMC is the fact that organizations are no longer allowed to self-assess, but must receive an assessment from a third party.


CMMC is not meant to be a checklist, since a checklist approach hasn’t worked up until now. Instead, it is built to help organizations think critically about cybersecurity.


Instead of just checking the box on an audit, you will now be required to really think about why those requirements are in place.


The DFARS and NIST rules are great for understanding what boxes need to be checked, but it was clear that the government needed a better way to help companies understand and implement those rules (and to ensure compliance with them was actually happening).


The updated DFARS rules will have a CMMC level requirement in all government contracts once they are in place.


How long do I have until I have to be CMMC certified?

The official rule change to DFARS will have a public hearing in late April or early May of 2020, and you can expect that you’ll need to be CMMC certified by September 2020 in order to bid on new DoD contracts.

You should be preparing now for your first audit. 


When the CMMC accreditation body has its first class of auditors approved, you should request an assessment, having done a self-assessment and gotten a solid idea of what level of CMMC compliance you think you’ve achieved.


CMMC certification will be mandatory in all government contracts by 2025. Most current contracts are built on a timeline of one base year plus four optional years, which is why the U.S. Government is looking at a 5-year window before CMMC will be 100% baked into new contracts.


Most likely, all DIB contractors will be certified within the next two and a half years. Because CMMC applies to all branches of the DoD, and as contracts come up for renewal, it will be expected that those who bid will need to be certified. Most likely this will result in approximately 1,500 organizations certifying within the first year and up to 7,500 organizations certifying within the next two years.


How much does CMMC certification cost?

One of the most common questions from DIB contractors is around the cost of certification.


The first Requests for Information (RFIs) that will include CMMC certification will come in June of 2020. The rule change itself will take effect in October 2020, and you can expect that CMMC certification will be included in most new Requests for Proposals (RFPs) by the end of 2020.


Because it will incur additional costs, existing contracts won’t require CMMC certification, so it will only apply to new contracts or acquisitions.


So, essentially, if you know your contract is coming up for bid, you should prepare to have your certification ready.


The cost to obtain CMMC Level 1 accreditation should fall into the range of $3,000-4,000 or under. Level 3 certification could total as much as $250,000.


Keep in mind, the total cost for organizations to come into CMMC compliance will depend upon both the organization’s current security posture and the level of compliance it is seeking to achieve.


How long does a CMMC certification last?

Once you are certified, your CMMC certification is good for 3 years. 


Does CMMC certification only apply to DIB contractors?


Initially, yes, CMMC will only apply to DIB contractors. However, other federal agencies and even other countries are looking into requiring it as well.


Overseas manufacturers who work with DoD contractors will also need to get certified as part of the process, which is prompting foreign governments to consider putting similar certification requirements in place as well. 


How can I learn more about CMMC certification?

The Defense Acquisition University (DAU) is a great resource to learn more about CMMC certification. The Adaptive Acquisition framework outlined by the DAU is important to understand, as one size does not fit all and it outlines what is necessary for each unique situation.


The DAU website has cyber credentialing courses that help you understand cybersecurity basics, in addition to CMMC certification. 


Which level of CMMC certification will I need?

As mentioned above, every DoD contractor will need to get at least CMMC Level 1 certification. 


CMMC Level 2 shouldn’t be in any contract, as it is just meant to be an interim step to guide DIB contractors moving from Level 1 to Level 3, which involves a very large jump in maturity. 


Those DoD contractors that handle CUI will be required to get at least CMMC Level 3 certification.


CMMC Levels 4 and 5 are reserved for only the most critical technology. 


Section C and Section L in all government contracts will say exactly what CMMC level contractors that are bidding must meet.


Final Thoughts

The most important takeaway from Katie’s talk was that DIB contractors, and those interested in doing business with the Department of Defense, should be preparing now.
