By: Tom Cupples, Ed. D., CISSP, CAP, CMMC-PI, Security Controls Assessor & Senior Cybersecurity Trainer at Cerberus Sentinel
The Cybersecurity Maturity Model Certification (CMMC) has been around for a few years. And, in its short tenure, it has, itself, matured. The current version of the CMMC is 2.0, released in November 2021. In the latest version of the model, the original five-level model hierarchy was collapsed into three distinct levels: Foundational, Advanced, and Expert. The purpose of the update was to simplify the process of becoming certified and the understanding of the appropriate level for certification for each organization.
CMMC and DFARS
CMMC revolves around four primary regulations directed toward the Defense Industrial Base (DIB), “the worldwide industrial complex that enables research and development, as well as design, production, delivery, and maintenance of military weapons systems, subsystems, and components or parts, to meet U.S. military requirements.” These are enumerated in Defense Federal Acquisition Regulations Supplement (DFARS) 252.204-7012, 252.204-7019, 252.204-7020, and 252.204-7021.
- DFARS 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting mandates that covered contractor information systems be subject to National Institute of Standards and Technology (NIST) Special Publication 800-171, currently in revision 2, as proof of Adequate Security, per the regulation. It also gives authority to the United States Department of Defense (DoD) to monitor and participate in activities related to Cyber Incident Reporting.
- DFARS 252.204-7019 Notice of NIST SP 800-171 DoD Assessment Requirements mandates that “to be considered for award of DoD contracts, the contractor is required to implement NIST SP 800-171 and have a current assessment, no less than 3 years old, as required under DFARS 252.204-7020 for each covered contractor information system that is relevant to the offer, task order, or delivery order.” It also mandates the summary level result of that assessment be recorded in the Supplier Performance Risk System (SPRS) no later than 30 days following the completion of the assessment.
- DFARS 252.204-7020 NIST SP 800-171 DoD Assessment Requirements defines the three levels of assessment, Basic, Medium, and High, and their requirements. The Basic Assessment, a self-assessment against NIST SP 800-171, results in a confidence level of Low. The Medium Assessment, an assessment against NIST SP 800-171 performed by the government, results in a confidence level of Medium. The High Assessment, an assessment against NIST SP 800-171A performed by the government, results in a confidence level of High.
- DFARS 252.204-7021 Cybersecurity Maturity Model Certification Requirements mandates that a “contractor shall have a current, not older than 3 years, CMMC certificate level required by the contract and maintain the CMMC certificate at the required level for the duration of the contract.” It also mandates that the “contractor insert the substance of [the] clause in all subcontracts and other contractual instruments, including the subcontracts for the acquisition of commercial items, excluding commercially available off-the-shelf items”; and also mandates that, [before] awarding [a contract] to a subcontractor, the contractor ensure that the subcontractor has a current, not older than 3 years, CMMC certificate at the CMMC level that is appropriate for the information that is being flowed down to the subcontractor.
What does this mean for your organization?
If your organization is currently in a contract or plans to be in a contract with either the DoD or a contractor of the DoD (i.e., as a subcontractor), the organization needs to be assessed and gain CMMC certification at the level of the contract the organization intends to service.
When does my organization need to be certified?
The DoD is presently in a 9–24-month rulemaking period that is intended to result in the codification of the requirement that the clause requiring CMMC certification be included in ALL contracts by December 31, 2025. Some contracts will begin to have this requirement as soon as July 2023.
How does my organization become CMMC certified?
The Office of the Under Secretary of Defense – Acquisition and Sustainment (OSD/AS) has contracted with the CyberAB (formerly the CMMC Accreditation Body) to provide an ecosystem to facilitate this endeavor. The process is simple yet treacherous for the uninformed.
The CyberAB is currently giving oversight to the training and certification of certified assessors. Although the CyberAB does have Registered Practitioners (RPs) and Registered Practitioner Organizations (RPOs), ANY firm experienced in gap analysis can assist your organization in finding gaps and assisting in bridging those gaps. Additionally, CyberAB Licensed Training Providers (LTPs) have courses that can assist your organization in learning how to do the work in-house. A list of LTPs can be found in the CMMC Marketplace at https://www.cyberab.org.
Ultimately, to become certified to earn a contract with the DoD, an organization will need to obtain the services of a CyberAB CMMC Certified Third-Party Assessment Organization (C3PAO) listed on the CyberAB Marketplace. Although this can be a lengthy and expensive process, starting now to prepare is essential. The sooner your organization works to become prepared for the assessment, the better prepared the organization will be to succeed.
Does everyone have to be certified by a C3PAO?
No. There are two categories of information: Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). Understanding the difference takes more time than is allotted to this article. However, these categories relate to the three levels of certification.
- Foundational (Level 1 CMMC) is for those organizations that process, store, or transmit only FCI in non-federal information systems. These organizations are allowed to self-attest that they have met the 17 foundational practices of CMMC. This must be repeated on an annual basis. However, there are legal and civil penalties for those who misrepresent their status.
- Advanced (Level 2 CMMC) is for those organizations that process, store, or transmit both FCI and CUI in non-federal systems. These organizations MUST be certified by a C3PAO as having met all 110 practices listed in NIST SP 800-171. This certification process must be repeated triennially.
- Expert (Level 3 CMMC) is for organizations selected by the DoD to meet this higher standard, usually prime contractors. The DoD itself certifies these organizations directly as having met all 110 practices of NIST SP 800-171, plus certain additional practices from NIST SP 800-172. This certification process must also be repeated triennially.
Regardless of the level at which an organization is required to become certified, there is much work to be done. Whether your organization attempts to prepare alone or with an experienced partner, the time to prepare is now. Extended delays could result in higher costs in time and money due to having to rush to make last-minute changes or taking the risk of failing the assessment. Do not delay.