CMMC

UPDATE: The Office of the Under Secretary of Defense (OUSD) A & S and the CMMC - Accreditation Body solidified their partnership, November 25, 2020, in signing a No-Cost contract to support this very important mission for our cybersecurity, information security, and thus national security.

Services
  • Documentation as a Service: Ticketing, Quarterly Reporting, Annual Review
  • Management as a Service: Asset & License Management, Patch Management, Remote Management (NOC & Help Desk Annual Review)
  • Monitoring as a Service: System & Network Utilization, Threat Logging, Real Time Alerting
  • Support as a Service: Remote Help Desk, Network Operations Center, Dispatch & Field Support

about e2in
  • Select DoD RFPs will include a requirement that all bidding contractors meet a minimum of CMMC Level 1 certification to qualify. These certification requirements will continue to be phased in over the next several years until certification is a prerequisite for bidding on any DoD contract.
  • The best way to comply with these requirements is to follow the path to CMMC as outlined in this diagram.

What is CMMC?

  • The Cybersecurity Maturity Model Certification (CMMC) program is a new set of cybersecurity standards developed by the Department of Defense (DoD) to protect defense contractors from cyber-attacks. It is a unified standard for implementing cybersecurity across the defense industrial base (DIB), which includes over 300,000 companies in the supply chain. CMMC is the DoD's response to significant compromises of sensitive defense information held on contractors' information systems.
  • The US Department of Defense (DoD) released the much-anticipated Cybersecurity Maturity Model Certification (CMMC) version 1.0 on January 31, 2020. It was drafted with significant input from University Affiliated Research Centers, Federally Funded Research and Development Centers, and industry.
  • In prior years, contracting authorities and prime contractors would request a System Security Plan (SSP) and Plan of Action and Milestones (POA & M) in response to DFARS 252.204-7012. This request from contracting authorities was often post award, and several companies received severe penalties through False Claims Act (FCA) settlements for misrepresenting their cybersecurity efforts.
  • Previously, contractors were responsible for implementing, monitoring and self-certifying the security of their information technology systems and of any sensitive DoD information stored on or transmitted by those systems. Contractors remain responsible for implementing critical cybersecurity requirements, but CMMC changes this paradigm by requiring third-party assessments of contractors' compliance with mandatory practices, procedures and capabilities that can adapt to new and evolving cyber threats from adversaries.
  • DoD will require CMMC certification prior to any company/business/contractor winning a DoD contract. DoD delivered CMMC 1.0 standards (later updated to version 1.02) to a new non-profit governing organization, the Accreditation Body (AB). The AB will certify third-party inspectors who will then certify companies/businesses/contractors against the different CMMC standards/levels. Third-party inspectors will provide companies/businesses/contractors certification levels to the AB for tracking and provision to the DoD. The AB will not make CMMC certification levels publicly available.
  • CMMC contrasts with DFARS 7012 by enforcing the requirement before award ('award-time'). Contractors will be evaluated on the implementation of actual technical controls in addition to their documentation and policies. These evaluations lead to certification at one of five levels, with Level 5 the most secure. The higher the level your company certifies at, the more contracts you will be eligible to bid on.
  • How far down the supply chain are the 3rd party audits required? Is this only for prime contractors or does it filter to lower level suppliers such as subcontracted machine shop work?
  • At a minimum, all subcontractors will be required to carry CMMC Level 1 Certification to continue to participate in DoD contracts. Additionally, a prime contractor may require Level 3 Certification for a contract while subcontractors may require different levels of certification. Prime contractors will work with contracting officers to determine the CMMC levels required for subcontractors.
  • How will CMMC compliance be different from compliance with NIST SP 800-171 through DFARS 252.204-7012?
  • CMMC merges several cybersecurity control standards, including NIST SP 800-171, into a single, unified standard. It goes beyond NIST SP 800-171 by assessing organizational cybersecurity practices and processes in addition to technical systems and practices. However, CMMC compliance will not imply NIST SP 800-171 compliance: NIST SP 800-171 includes 63 non-federal organization (NFO) controls that are not covered by CMMC. At this time, contractors must continue to comply with the DFARS 252.204-7012 requirements.

The CMMC framework

The CMMC establishes five certification levels that reflect the maturity and reliability of a company's cybersecurity infrastructure in safeguarding sensitive government information on contractors' information systems. The five levels are tiered and build upon each other's technical requirements: each level requires compliance with all lower-level requirements plus the institutionalization of additional processes to implement specific cybersecurity practices.
