DoD to contractors: Your cybersecurity is not good enough
The Cybersecurity Maturity Model Certification (CMMC) is an initiative lead by the Office of the Assistant Secretary of Defense for Acquisition. This is an office in the Department of Defense (DoD) which helps set policy for DoD contract requirements.
DoD contractors who handle Controlled Unclassified Information (CUI) are already required to self-certify compliance with the NIST SP 800-171 set of cybersecurity best practices. However, as pointed out by Ms. Kate Arrington during the CMMC Listening Tour this year, self-certification is not working. DoD contractors have been successfully targeted by cyber adversaries because they haven’t fully secured their networks.
To force DoD contractors to implement cybersecurity, the CMMC will require every DoD contractor to get an audit and certification from a third party auditor. It doesn’t matter whether the contractor manages CUI or not. They still need to get audited.
CMMC enforcement timelines
The current timelines (as of May 2020) are:
- Mid 2020: 3rd party auditors begin applying for accreditation
- Late 2020: Several (less than 20) DoD contracts are chosen to be the first ones that will require CMMC certification
- Late 2020: Bidders to the specified DoD contracts start getting audited
- Feb-Mar 2021: DFARS 7012 rule is modified to replace NIST 800-171 with CMMC requirement
- Between 2021 and 2025: New Requests for Proposals (RFPs) gradually begin requiring CMMC certification. This means that most DoD contractors won’t be directly affected by CMMC for several years.
CMMC levels and requirements
The DoD recognizes that their contracts have different risk profiles, so each RFP will list a CMMC level requirement from 1-5. Having proof of certification at that level would be a requirement to even submit a bid.
The lower levels (1-2) apply to DoD contractors who don’t deal with Controlled Unclassified Information (CUI). I expect most resellers will fit into this category. Other than purchase orders and possibly human resources information, they don’t hold government information on their corporate networks. The security requirements for these levels are much less stringent.
In middle levels (3-4), DoD contractors handle CUI. This is information like schematics for DoD equipment. Data which lets adversaries reverse-engineer or learn about military capabilities. For example, a shipyard might have maintenance plans for submarine equipment on a CUI network. This requires a level of protection very similar to the current NIST SP 800-171 recommendations.
At the highest levels, (4-5), the CUI being protected is high stakes. These networks will be targeted by cyber adversaries. Examples of this information would be weapon test results or detailed manufacturing schematics. Securing your network up to level 4 or 5 is likely to be very expensive.
Resources to get started with CMMC
Check the menu above for dozens of articles about CMMC, how to prepare your company, and how to become an assessor yourself.
Official DoD homepage for CMMC: https://www.acq.osd.mil/cmmc/index.html
Security policy templates, training, and tools: https://www.cmmcaudit.org/policy-templates-and-tools-for-cmmc-and-800-171/
Glossary of CMMC terms and key players: https://www.cmmcaudit.org/cmmc-glossary-terms-and-definitions-whos-who-in-cmmc/
Are you just looking for a CMMC audit provider?
Right now, no company is authorized to perform audits (the CMMC is still in development). The sponsor of CMMC Audit (Kieri Solutions) has started the process to become an auditor and is building a wait-list for audits in early 2021. Other audit providers will be listed on the CMMC accreditation body website as they are approved.
Are you just looking for help preparing for the CMMC?
We encourage you to reach out to the sponsor of CMMC Audit, Kieri Solutions, if you like what you see on this website. At the least, they are happy to chat for 30 minutes and give you free advice. The CMMC accreditation body website is also expected to have a list of “Registered Providers” and “Licensed Training Providers” in the next several months.
Can you help give advice to others?
CMMCaudit.org is looking for contributions. We need cybersecurity professionals to write articles about specific practices and topics in the CMMC. Send us an email if you have a thoughtful (non-sales-y) article you would like to share, we will be glad to credit you and your company!
We are particularly interested in deep-dives on individual practices!
CMMCaudit.org is not a representative of the DoD or the CMMC Accreditation Body. This website is meant to be public resource for CMMC audit preparation.