Premier Federal understands the security demands faced by both contractors and US federal agencies. In particular, contractors currently doing business, or planning to do business, with the U.S. Department of Defense (DoD) are required to meet certain requirements of the Defense Federal Acquisition Regulation Supplement (DFARS). This government regulation is currently applied through various NIST publications such as SP 800-171, SP 800-171B and SP 800-53. However, in 2020 and beyond, any business or contractor planning to do business with the DoD will be mandated to achieve a certain level of third-party certification called Cybersecurity Maturity Model Certification (CMMC).
Protecting the critical information of U.S. Department of Defense (DoD) organizations is a unique responsibility. This enormous security challenge must be met in an environment of very large and complex networks.
The Cybersecurity Maturity Model Certification (CMMC) is the Department of Defense’s (DoD) newest verification mechanism designed to ensure that cybersecurity controls and processes adequately protect Controlled Unclassified Information (CUI) that resides on Defense Industrial Base (DIB) systems and networks.
In 2016, the DoD implemented requirements for safeguarding Covered Defense Information (CDI) and cyber incident reporting through the release of Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012. The DFARS directed DoD Contractors to self-attest that adequate security controls were implemented within contractor systems to ensure that CDI confidentiality was maintained. In 2019, the Office of the Undersecretary of Defense for Acquisition and Sustainment (OUSD (A&S)) started the process of creating the CMMC with the finalization of the CMMC v1.0 expected in Q1 2020.
When fully operational, the CMMC will be mandatory for all entities doing business with the DoD at any level. Prime contractors, and their subcontractors, will be required to meet one of the five CMMC trust levels, and demonstrate that cybersecurity has been sufficiently implemented through the completion of independent validation activities.
In Q1 2020 the CMMC will release a checklist for contractors which will allow them to identify how well they currently comply with the framework, and to assist with planning and implementing security maturity tasks. The CMMC will be included as a component of Requests for Information (RFIs) in mid-2020 and is expected to be included in Requests for Proposal (RFPs) by late 2020. The required CMMC compliance level will be contained in sections L & M of RFPs, making cybersecurity an “allowable cost” in DoD contracts.
The CMMC model framework categorizes cybersecurity best practices at the highest level by domains. Each domain is further segmented into a set of capabilities. Capabilities are achievements that ensure cybersecurity objectives are met within each domain. DoD contractors will demonstrate compliance with the required capabilities by adhering to practices and processes that have been mapped across the five maturity levels of the CMMC. Practices measure the technical activities required to achieve compliance with a given capability, and processes measure the maturity of a company’s policies. Within each domain, DIB contractors will be accredited under the CMMC if they can demonstrate compliance with the required practices and mature processes for the given CMMC level.
There will be five cumulative Certification levels to the CMMC:
It is important that organizations understand that the CMMC will require a CMMC Third Party Assessment Organization (C3PAO) to perform an annual independent assessment of their CMMC implementation for the security controls protecting CUI data. This replaces NIST SP 800-171 compliance through self-attestation.
In a recent audit of 10 DoD contractors servicing contracts with a value in excess of $1 million, all of which had self-attested to compliance with NIST SP 800-171, eight were deemed deficient in implementing basic cybersecurity controls. Upon further analysis, it was determined that the deficiencies were due to NIST SP 800-171 requiring compliance without regard to the strength or maturity of the controls as implemented, and to gaps in the processes for ensuring ongoing, consistent control execution.
Process institutionalization (policies, plans, processes and procedures to manage the environment where the CUI resides) will be a big differentiator in CMMC because it provides assurances that the practices are being implemented effectively and in a sustainable manner.
CMMC Domains will also include four additional controls that are not currently covered under NIST 800-171:
Still have questions? You can find answers to many of your CMMC questions under FAQs.
For more information regarding the CMMC certification process, please contact us at: firstname.lastname@example.org