CMMC: Cybersecurity Maturity Model Certification
CMMC is the acronym used to describe a future cybersecurity certification process that will apply to DoD Contractors. CMMC stands for Cybersecurity Maturity Model Certification. The certification program along with the certification of assessors will be governed by the Cybersecurity Maturing Model Certification – Accreditation Board (CMMC-AB: https://www.cmmcab.org)
CMMC requires formal certification from a qualified entity licensed by the CMMC-AB. This entity, the CMMC-AB is the only body recognized by and authorized by the Department of Defense (DoD) to assess vendor cybersecurity and certify that their program complies with DoD requirements. Certifications will be valid for a period of three years and will require recertification to maintain eligibility for award of DoD contracts.
There will be costs involved. There will be costs associated with the company’s preparations and ongoing maintenance efforts. There will also be costs for the formal assessment. At this time, costs associated with the formal assessments have not been promulgated.
Overview of DFAR Clauses
The requirements to comply with CMMC are detailed in DFARS 252.204-7021: Cybersecurity Maturity Model Certification Requirements (Nov 2020) which became effective on November 30, 2020. However, due to the planned phased roll out of this requirement over the next several years, use of the clause is restricted, and until “September 30, 2025, the Office of the Under Secretary of Defense for Acquisition and Sustainment must approve the inclusion of the CMMC requirement in any solicitation. ” <https://www.acq.osd.mil/cmmc/faq.html (see question 26).
Until DFARS 252.204-7021 is included in solicitations, businesses must comply with DFARS 252.204-7020, which requires the following actions:
- Compliance with DFARS 252.204-7012
- Development of a System Security Plan
- Identify Security Requirements that apply but which are not fully implemented and list these in the company’s Plan of Action
- Conduct the DoD Basic Assessment
- Assemble and upload the required data to the Supplier Performance Risk System (SPRS)
Companies must also comply with FAR 52.204-21 Basic Safeguarding of Covered Contractor Information Systems (Jun 2016). Both the DoD Basic Assessment and requirements for CMMC (Level 1) include all the requirements of FAR 52.204-21. However, since FAR clauses apply to all Executive Agency solicitations/contracts these requirements are stated separately. Additionally, FAR 52.204-21 specifies 15 requirements which translate to 17 requirements in CMMC Level 1.
Overview of Information Requiring CMMC Certification
DoD information that requires CMMC certification is subdivided into two broad classifications categories – Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
Knowing the classification of information that will be handled or expected to be handled is critical to designing and implementing a company’s cybersecurity program and the level at which the company will need to certify. Companies that handle FCI will be required to certify at CMMC L1. Companies that handle CUI will be required to certify to CMMC Levels 1 and 2 and either CMMC Level 3, Level 4 or Level 5. It is expected that only a few companies will be required to certify at either CMMC Level 4 or Level 5 which will be driven by the sensitivity associated with the information. Cybersecurity programs supporting these levels will be the most complex, mature and costly to maintain.
It is expected that most companies that handle CUI will be required to certify to CMMC Level 3 which also includes CMMC Levels 1 and 2. Level 2 is not a formal certification requirement used in solicitations. Level 2 is deemed to be a “bridge” level – an intermediate step that includes additional security requirements beyond those in CMMC Level 1 but does not include all CMMC Level 3 security requirements.
With respect to CMMC certification size does not matter. A company of one will be required to demonstrate the same cybersecurity capability as any other larger business for the same level of CMMC certification. Companies “must demonstrate both the requisite institutionalization of processes and the implementation of practices for a specific CMMC level and the preceding lower levels in order to achieve that level.” (See page 2; CMMC Assessment Guide – Level 1 | Version 1.10)
The following list of terms identifies at a high level important concepts related to the CMMC program.
- Documents (evidence)
- Integration among related security requirements/programs (ITAR/JCP/NOFORN/Other)
- Integration with other programs including physical security
Program maturity to include processes and procedures is the core idea. A company may have a plan – policies and procedures but if the plan is not used on an ongoing basis, periodically reviewed updated to reflect greater capabilities and skills how can it be determined that the plan as written is sufficient. If the plan is not implemented and used on a routine basis how will the company generate documentation – the evidence needed – to demonstrate the plan as written works?
The term institutionalization is emphasized in CMMC documentation. As used, the underlying ideas associated with this term seeks to determine whether the ideas, processes, procedures are fully engrained throughout the organization at all levels from the most senior – ownership, executives, to the most junior. In addition to positions within a company it is important to ask whether all these ideas are also present in all employees, from the most recent hire to those with the longest tenure, that have or will have contact with CUI.
The crux of the CMMC assessment will be can the company prove (show) the assessment team evidence that the policies and procedures being used are sufficient and therefore they comply with CMMC. A logical question might be – if the assessor asks a staff member to walk through the steps related to a specific security requirement what will happen? If the staff member seems totally unfamiliar with the documents or cannot locate them, skips a critical step, doesn’t follow the procedures and doesn’t document the actions – collectively those are facts that may be viewed as negative and lead to one of many conclusions and additional question.
Naturally, if any member of the staff can fluently respond to the assessor’s questions, that will help to create a positive impression that the plans, policies and procedures are functional assets, which meet CMMC requirements and are more than words written on paper or in a computer file.