On Dec. 13, 2019, the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) released Draft 0.7 of the Cybersecurity Maturity Model Certification (CMMC) framework. The CMMC framework will be used by third party auditors to certify that members of the Defense Industrial Base (DIB) sector are complying with the Department of Defense’s (DOD’s) baseline cybersecurity requirements. In Fall 2020, DOD will begin including CMMC certification requirements as go/no go evaluation factors in some of its procurements and, eventually, DOD CMMC certification will be required for all DOD contractors, subcontractors, and suppliers working on defense contracts.
Background
As discussed previously in GT client alerts (see New Cybersecurity Certification Requirements for Government Contractors) and articles (see FEATURE COMMENT: Cybersecurity For Government Contractors: DOD’s New Cybersecurity Maturity Model Certification Rapidly Taking Shape), the CMMC framework represents a departure from the DOD’s current approach to baseline cybersecurity for the DIB sector. Defense contractors will no longer be permitted to simply self-certify their compliance with cybersecurity standards or rely upon Plans of Action and Milestones (POA&M) to fill gaps in their System Security Plans. Rather, third-party auditors, regulated by a yet-to-be-determined non-governmental organization, will be responsible for certifying contractor compliance with the CMMC framework.
The CMMC framework will establish five tiers of cybersecurity maturity, with Level 1 certification representing “Basic Cyber Hygiene,” and Level 5 certification representing “advanced or progressive cybersecurity.” The CMMC framework consists of 17 domains, such as “Access Control” and “Personnel Security.” For each cybersecurity level, the CMMC framework requires contractors to demonstrate compliance or adoption of increasingly stringent “capabilities” and “practices,” in each of these domains.
What is New?
-
Draft 0.7 now includes “capabilities” and “practices” for CMMC Levels 4 and 5. Many of these “capabilities” and “practices” are drawn from the controls set forth in the U.S. Department of Commerce’s National Institute of Standards and Technology’s (NISTS’s) Draft Special Publication (SP) 800-171B, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations: Enhanced Security Requirements for Critical Programs and High Value Assets.” Level 4 incorporates or partially incorporates 13 Draft NIST SP 800-171B controls; and Level 5 includes an additional five controls. Levels 4 and 5 also include “capabilities” and “practices” drawn from other standards, such as the International Organization for Standardization (ISO): Information Security Management ISO/IEC 27001:2013 and the CMMC working group. Therefore, compliance with NIST Draft SP 800-171B alone will not necessarily be sufficient to achieve Level 4 or 5 CMMC certification.
-
Draft 0.7 also includes “Discussion and Clarification” sections for CMMC Levels 1-3. These sections provide helpful guidance clarifying the DOD’s expectations for how contractors should demonstrate compliance with the various “capabilities” and “practices” included in the CMMC framework. In some cases, DOD has provided examples showing how contractors might demonstrate compliance. In other cases, the information included in these sections is not readily apparent from the CMMC requirement language or citations.
What is Next?
In January 2020, DOD plans to issue CMMC 1.0, which is expected to be the initial comprehensive version of the CMMC framework. While many questions remain regarding the content of the final CMMC framework and how DOD will implement CMMC requirements, DOD has repeatedly expressed its intent to require CMMC certifications for procurements starting in fall 2020.
For many organizations, achieving CMMC compliance will require significant effort. Accordingly, contractors should continue to carefully review draft CMMC documents and to take steps to begin implementing required CMMC “capabilities” and “practices.” Absent such advance planning, contractors risk falling “behind the curve,” or compromising their competitive position in future DOD procurements. Additionally, contractors should begin discussing CMMC implementation with their subcontractors and lower-tiered suppliers to ensure they are aware of DOD’s new requirements and are prepared to achieve CMMC certification as needed.