Cybersecurity Maturity Model Certification (CMMC) Coming Soon to a Contract Near You!
For those companies that have been complying with, or trying to comply with, the Defense Federal Acquisition Regulation Supplement (DFARS) on protecting Government controlled unclassified information (CUI), the question most often put to DoD officials is “how will you enforce it?” When Ascolta met with officials from the office of the Undersecretary of Acquisition and Sustainment (OUSD(A&S)) in December of 2018 we were told that an enforcement mechanism was in the works. We now know that the enforcement mechanism will come in the form of the Cybersecurity Maturity Model Certification (CMMC) due to be published in early January 2020.
Defense contractors have struggled to meet the cybersecurity requirements established by DFARS rule, specifically the implementation of the 110 security controls contained in the National Institute of Standards and Technology (NIST) Special Publication 800-171 Rev1, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. And that was when companies could self-attest to meeting compliance; now companies will be assessed by an accredited and independent third-party commercial certification organization.
For those companies that were wondering if the Government is serious about enforcement, look no further than the Federal District Court for the Eastern District of California. On May 8, 2019 that court issued a decision to allow a case related to allegations of non-compliance with DFARS 252.204-7012 against Aerojet Rocketdyne Holdings, Inc. and their alleged false self-attestation to proceed. The case is based on allegations of non-compliance with Federal procurement cybersecurity requirements. The Aerojet decision is likely to be the first of many more decisions involving false claims act allegations focused on non-compliance with cybersecurity procurement regulations.
In part to avoid the hole “self-attestation” mess DoD is planning to adopt the new CMMC framework in order to assess and enhance the cybersecurity posture of the Defense Industrial Base (DIB). The CMMC is intended to serve as a verification mechanism to ensure appropriate levels of cybersecurity controls and processes are adequate and in place to protect CUI that resides on the Department’s industry partners’ networks. According to the OUSD(A&S) CMMC website the intent of the CMMC is to combine various cybersecurity control standards such as NIST SP 800-171, NIST SP 800-53, ISO 27001, ISO 27032, AIA NAS9933 and others into one unified standard for cybersecurity. In addition to cybersecurity control standards, the CMMC will also measure the maturity of a company’s institutionalization of cybersecurity practices and processes. Unlike NIST SP 800-171, CMMC will implement multiple levels of cybersecurity.
The CMMC is anticipated to be published early 2020 with implementation beginning in June with RFIs and September with RFPs. Some of the key items as described by Katie Arrington, Special Assistant to the Assistant Secretary of Defense for Acquisition for Cyber during a CMMC listening tour event on July 17, 2019 (see the presentation here) are:
A single DoD standard used for all contracts starting in 2020, regardless of whether CUI is involved or not
It will initially be based on the 110 NIST SP 800-171 Rev1 controls and eventually incorporate 800-171 RevB controls as they are published
Will require a third-party assessment
Considered a “go/no-go” requirement for future contract awards
Will identify five levels of data security so that contractors can implement reasonable security for the data they deal with. Encourages government contract officers to pick an appropriate tier (not everything requires level 5)
Required CMMC level will be contained in RFP sections L & M
Makes cybersecurity an “allowable cost” in DoD contracts
Not a checklist but a tool to help businesses to identify what’s important
As of mid-July, the draft CMMC Levels are depicted below. All companies doing business with the DoD, regardless of what that business is or what level of data they are handling will be required to obtain CMMC level 1. Contracts involving CUI will be required to obtain CMMC level 3.
Contract solicitations will specify the certification level required based on contract requirements and then prospective suppliers will work through an independent third-party assessment organization to perform the assessment and award a certification at the appropriate CMMC level based on demonstrated maturity in capabilities and organizational maturity. Some of the higher-level assessments (levels 4 and 5) may be performed by organic DoD assessors within the Services, the Defense Contract Management Agency (DCMA) or the Defense Counterintelligence and Security Agency (DCSA).
Obtaining the proper maturity rating for the contract you are bidding for will be required and judged on a go/no go basis. If the work requires a maturity level of 3 and you only have a 2 you won’t be considered. Certification will be required at the time of RFP submittal.
Ascolta has been addressing the challenges of NIST 800-171 compliance since the new supplement took effect in December 2017. The Ascolta Greenfield cloud environment was created with security and compliance in mind. It addresses all technical controls of the NIST SP 800-171 security controls in a single, easy-to-implement environment and assists with people and process controls. Greenfield provides:
Continuous monitoring capabilities to provide alerts when something occurs that takes you out of compliance
Ascolta’s Managed Security services protect you and your data 24/7 from security incidents and can assist in remediation efforts
Complete documentation, such as System Security Plans (SSP) and Plan of Actions and Milestones (POA&M)
Security policy templates that are easily adaptable to your organization
Cybersecurity training for your employees
Greenfield environments can be tailored to meet the required maturity level you need and provide a ready to be certified environment within a few days. If you don’t win the contract? No problem, you’ll only be charged an initial fee. Win the contract and you’ll find Greenfield is an affordable and effective solution. Learn more about Ascolta’s Greenfield Solutions.
 https://www.acq.osd.mil/dpap/dars/dfars/html/current/252204.htm  https://casetext.com/case/united-states-ex-rel-markus-v-aerojet-rocketdyne-holdings-inc  https://www.justice.gov/sites/default/files/civil/legacy/2011/04/22/C-FRAUDS_FCA_Primer.pdf  https://www.acq.osd.mil/cmmc/faq.html