CMMC – What Your Business Needs to Know
Every week we are seeing major cyberattacks take down giants from Microsoft to Target. But it is the hacks on businesses that we never hear about that have the government most concerned, especially businesses with government contracts. The Department of Defense (DoD) considers it a matter of national security, which is why it has implemented the Cybersecurity Maturity Model Certification (CMMC), a cybersecurity standard required of every defense contractor or vendor and of any company that wants to become one.
What is CMMC Compliance?
CMMC compliance is primarily based around safeguarding any data or information created or possessed by the government or by any entity on the government’s behalf across the DoD’s supply chain. The DoD refers to this data as Controlled Unclassified Information (CUI). CUI is broadly interpreted and can include intelligence, infrastructure, financial, legal, export control or other information and data.
The DoD recognizes that each contractor holds varying amounts of CUI. Accordingly, the DoD has broken CMMC certification into a tiered system of certification levels, and each step up in level adds to the requirements of the tiers below it. The five CMMC certification levels are described briefly below:
- Level 1 – This is the lowest level of CMMC certification and requires “basic cyber hygiene” practices, including implementing antivirus software and ensuring employee passwords are regularly changed. The priority is protecting Federal Contract Information (FCI), defined as data or information provided or generated for the government under a contract to develop or deliver a product or service to the government, and not intended for public release.
- Level 2 – If a government contractor handles any CUI, it will need to reach an “intermediate cyber hygiene” level. This requires implementing the security requirements of the US Department of Commerce National Institute of Standards and Technology’s (NIST’s) Special Publication 800-171 Revision 2 (NIST 800-171 r2).
- Level 3 – Level 3 requires implementing “good cyber hygiene” practices through an institutionalized management plan. This would include all NIST 800-171 r2 security requirements and additional standards.
- Level 4 – This level builds on the previous three and adds requirements for implementing processes to review and measure the effectiveness of cybersecurity practices. It also requires establishing enhanced practices to detect and handle Advanced Persistent Threats (APTs). APTs are cyber adversaries that are highly sophisticated and have the resources to employ varying tactics and techniques.
- Level 5 – The highest CMMC certification level incorporates the requirements of all of the preceding levels and further requires enhanced practices to detect and respond to APTs.
Government contractors and vendors must apply the relevant certification level’s practices and processes across 17 capability domains. The capability domains are the following:
- Access Control (AC)
- Incident Response (IR)
- Risk Management (RM)
- Asset Management (AM)
- Maintenance (MA)
- Security Assessment (CA)
- Awareness and Training (AT)
- Media Protection (MP)
- Situational Awareness (SA)
- Audit and Accountability (AU)
- Personnel Security (PS)
- System and Communications Protection (SC)
- Configuration Management (CM)
- Physical Protection (PE)
- System and Information Integrity (SI)
- Identification and Authentication (IA)
- Recovery (RE)
Who does CMMC directly affect?
CMMC certification is required of any contractor or vendor that does business with the Department of Defense or plans to do business with the department. This includes all suppliers and commercial item contractors at every level of the supply chain. Any Defense Industrial Base (DIB) vendor, contractor or subcontractor must also demonstrate CMMC compliance. Only companies that produce off-the-shelf products are exempt from CMMC certification.
The CMMC Accreditation Body (CMMC-AB) coordinates with the DoD and is responsible for handling the CMMC certification process. The two entities have created accreditation procedures for independent CMMC Third Party Assessment Organizations (C3PAOs) to assess and certify CMMC levels.
What Steps Should Businesses Who Work with the DoD take to become CMMC Compliant?
If a business wants to do business with the DoD, it is going to have to be CMMC certified. The application and certification process can be lengthy, at least six months in some cases, so businesses that are trying to get government contracts need to start working toward compliance as soon as possible.
The process should start with an assessment of the business: what security measures are already in place, and what CUI would need to be safeguarded. It is best to start this process with a third-party assessment organization (C3PAO), since CMMC requires a third-party audit for certification. The business should then document all practices and procedures that are already compliant. From there, it can determine what still needs to be implemented to achieve the desired CMMC maturity level.
CMMC Interim Rule
The Department of Defense made CMMC effective on November 30, 2020. The DoD did, however, anticipate that the certification process would take some time, which is why it introduced the interim rule. The rule affects all prime contractors and subcontractors already subject to DFARS 252.204-7012, which makes any contractor that handles CUI subject to the NIST SP 800-171 cybersecurity controls. On top of this, the interim rule adds clauses 7019, 7020 and 7021 to DFARS 252.204. Those clauses are explained below.
Assessment and Reporting Requirements
Clause 7019 requires that contractors bidding on new DoD contracts conduct assessments based on the NIST 800-171 controls and report the results to the Supplier Performance Risk System (SPRS). Reporting covers the following:
- Adherence to NIST 800-171 Assessment Methodology for all contractors who handle CUI
- Assessments are scored out of a maximum of 110. Scoring is based on which NIST SP 800-171 controls are implemented, with a deduction for each control not yet implemented. Some requirements are worth multiple points.
- Negative scores are possible
- The assessment score must be filed in the DoD’s SPRS by the time a contract is awarded, and the controls must be maintained for the duration of the contract.
- If a score falls below 110, a Plan of Action and Milestones (POA&M) must be created to address how and by when the issue will be remediated to maintain a score of 110.
Again, these are the steps that need to be taken in the interim as a business starts to become CMMC compliant.
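To make the interim-rule scoring concrete, here is an added Python illustration (not DoD or SPRS software, and not from the original post) that applies the deduction-per-control rule above and derives the POA&M list from the same results. The requirement weights and implementation status in the sample are constructed for illustration, not taken from a real assessment.

```python
"""Interim-rule SPRS score and POA&M helper (illustration only)."""
from dataclasses import dataclass

MAX_SCORE = 110  # every NIST SP 800-171 requirement implemented


@dataclass(frozen=True)
class Requirement:
    control_id: str   # NIST SP 800-171 requirement number
    weight: int       # points deducted if not implemented (assumed for illustration)
    implemented: bool


def sprs_score(results):
    """110 minus the weight of every requirement not yet implemented.

    Deductions are not floored at zero, so the result can be negative
    when the missing requirements outweigh the 110 starting score."""
    return MAX_SCORE - sum(r.weight for r in results if not r.implemented)


def poam_entries(results):
    """Requirements that must be listed on the Plan of Action and Milestones."""
    return [r.control_id for r in results if not r.implemented]


def contract_ready(results):
    """True only at a full 110, i.e. nothing left on the POA&M."""
    return sprs_score(results) == MAX_SCORE


# Constructed sample assessment; weights are assumed for this example.
SAMPLE = [
    Requirement("3.1.1", 5, True),     # limit system access to authorized users
    Requirement("3.5.3", 5, False),    # multifactor authentication
    Requirement("3.13.11", 5, False),  # FIPS-validated cryptography for CUI
    Requirement("3.3.1", 5, True),     # create and retain audit logs
    Requirement("3.14.2", 5, False),   # protection from malicious code
    Requirement("3.1.20", 1, True),    # control connections to external systems
    Requirement("3.8.4", 1, False),    # mark media containing CUI
]

if __name__ == "__main__":
    print("SPRS score:", sprs_score(SAMPLE))          # 94 for the sample
    print("POA&M items:", poam_entries(SAMPLE))
    print("Ready to award:", contract_ready(SAMPLE))  # False until 110
```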
Responsibilities for Prime and Subcontractors
It is important to note that prime contractors must pass down the assessment requirements to any subcontractors that handle CUI. In fact, the NIST 800-171 assessment requirements must be included in contracts with subcontractors. Subcontractors must then file the results of their assessment in SPRS, and prime contractors must confirm that their subcontractors meet the requirements before the subcontract is awarded.
DFARS clause 7021 further clarifies that all contractors, primes and subcontractors alike, must reach the specified level of CMMC certification at the time a contract is awarded and must maintain it for the duration of the contract.
SPRS scores under the interim rule should also be viewed as a competitive measure between businesses bidding for DoD contracts. The DoD makes risk assessments as part of its determination in awarding contracts. The lower the score, the more the DoD will consider the company a security risk and when comparing competing bids, that can definitely play a role in who gets the job.
It is also worth noting again that a score under 110 may disqualify a business under CMMC, and that if a contract requires CMMC Level 3, 20 additional requirements are added on top of the NIST 800-171 controls.
Get CMMC Certified
Getting CMMC certified can be a long, resource intensive process and not every company can get there on their own. That’s why Managed Security Service Provider (MSSP) certification standards were established so that businesses would have a reliable way to evaluate if a third party has the expertise to implement cybersecurity standards.
Alliant Cybersecurity is a certified MSSP that specializes in CMMC certification. We have helped contractors reach every level of CMMC certification and can put you in position to be awarded lucrative government contracts. Reach out today to get started on your cyber vulnerability assessment.