Cybercrime costs the U.S. economy between $57 billion and $109 billion every year and is not showing any signs of slowing down. When it comes to the Department of Defense (DoD) contracts, the need for comprehensive cybersecurity measures to be operating effectively, from procurement through job completion, is an issue of national security. Although there have been guidelines for meeting cybersecurity benchmarks in the past, as of January 31, 2020, all DoD contractors are subject to Cybersecurity Maturity Model Certification (CMMC). Read on to find out what the CMMC requirements entail, who’s affected, how to prepare and what’s next for DoD contractors.
Background of CMMC
Anyone who has worked with the DoD before knows that maintaining data security, privacy, and confidentiality, is a hallmark of the job requirement. Whether the shared information is classified or unclassified, there is a level of security expected to protect government information and communications. As the DoD continues to leverage civilian contractors on projects, more business is conducted online, and sensitive data is shared virtually, the information security risks DoD contractors face will only continue to increase. A risk the DoD must address.
In the past, guidelines for protecting information systems and the data within have been covered in various cybersecurity control standards, such as the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 and NIST SP 800-53 to name a few. DFARS, or the Defense Acquisition Federal Regulation Supplement, mandates compliance with NIST SP 800-171, the cybersecurity controls that govern how contractors are supposed to protect sensitive information and report data breaches.
Before CMMC, the government’s first attempt to address cybersecurity came in 2012. Basic contractor systems were to be safeguarded in the Federal Acquisition Regulations (FAR) through self-reported “protective measures.” The proposed regulation was not enacted, and in 2016 the government amended FAR to include basic cybersecurity protections for contractor information systems that store or host controlled unclassified information (CUI). There were 15 minimum security controls, such as limiting information system access to authorized users, verifying and controlling or limiting connections to and use of external information systems, and authenticating user identities, processes, or devices. The FAR rule was known as being vague and broad, while small contractors found that the cost of implementing even these basic controls was prohibitive.
DFARS requirements went a step further and imposed stricter requirements on defense contractors. Under the DFARS rule, compliance with protecting and reporting cyber incidents was required. Over the next few years, DoD contracts attempted to incentivize DFARS compliance by granting a competitive advantage to companies that self-reported adequate controls, many contractors and subcontractors have put off compliance due to resource and financial constraints or self-reported false claims.
Therefore, the question of how to enforce a uniform, comprehensive controls to protect against data breaches required a single set of enforceable standards that all DoD contractors, regardless of size, must adhere to. Regulations protecting information systems have now shifted to every DoD contractor having their computer systems certified, whether they handle CUI or not.
CMMC Levels
CMMC has five different levels of certification according to specific contract requirements and the contractor’s access to classified or unclassified information. The CMMC framework is modeled after cybersecurity best practices, called domains. There are 18 domains, and each of the five levels of CMMC certification is based on companies’ ability to enforce certain cybersecurity controls and processes. The more robust and proactive cybersecurity programs the contractor has in place, the higher the level of certification. Not all contracts will require meeting a Level 4 or 5 certification, however.
| Practices | Processes | |
|---|---|---|
| Level 1: Basic Cyber Hygiene Foundation for all other cybersecurity models. Information shared as part of the contract is not intended for public release but is not considered controlled unclassified information (CUI). | Demonstrates basic cybersecurity practices as determined by FAR. Represents an attainable level for small companies. Limited ability to resist external cyber threats or malicious activity. | Limited or inconsistent processes; any cybersecurity practices are performed as needed. |
| Level 2: Intermediate Cyber Hygiene Companies at this level should be able to establish and document standard cybersecurity operating procedures, policies, and strategic plans. | Cybersecurity processes represent basic best practices and protect the company from unskilled bad actors. Minimal protection against external cyber threats or malicious activity. | Cybersecurity practices are documented. |
| Level 3: Good Cyber Hygiene Compliance at this level means a company can protect and maintain a comprehensive cybersecurity program. | Represents compliance with NIST SP 800-171 Rev 1 security requirements. Companies at this level are well-protected against moderately skilled bad actors with a cybersecurity program that can moderately secure data against external threats or malicious activity. Cybersecurity practices go beyond the scope of safeguarding CUI. | Cybersecurity processes are maintained and followed |
| Level 4: Substantial Cyber Hygiene Contractors will be able to identify, adapt, and implement cybersecurity controls as threats change. | Advanced cybersecurity practices protect the company against advanced threat actors. Fast, responsive cyber controls can secure data AND detect instances of data breach. | Cybersecurity processes are reviewed and improved throughout the company and have adequate resources. |
| Level 5: Proactive Cyber Hygiene Proactive cybersecurity management includes optimized controls, documented practices, and regular communication with management. | Defensive cyber controls represent the most advanced practices in critical systems. Controls protect against most advanced threat actors and can detect and protect against data breaches. Company knowledge of cyber controls is autonomous. | In addition to Level 4 best practices, cybersecurity processes undergo continuous improvement throughout the company. |
To comply with CMMC regulations, contractors can expect to have the following cybersecurity practices in place at each level. Note that this is not an exhaustive list.
Level 1:
- Anti-virus software is installed and updated
- Meets FAR requirements
Level 2:
- Risk management processes are in place
- Staff is adequately trained on cybersecurity issues
- Data is regularly backed up
Level 3:
- Meets all NIST SP 800-171 Rev 1 requirements
- Multi-factor authentication is present
Level 4:
- Mobile devices are included in the cybersecurity program
- Data Loss Prevention technologies are in use
- Cybersecurity program actively searches for threats
- Networks are segmented
Level 5:
- Cyber assets are tracked in real-time and SOC controls are in operation 24/7
- Cybersecurity protections are customized
- Initial threat response actions are automatic
According to the DoD, CMMC levels 4 and 5 are targeted toward a small number of contractors who support DoD critical programs and technologies.
Who Is Affected?
All new contracts signed in 2020 or old contracts up for renewal in 2020 and beyond will be required to comply with CMMC. By the numbers, that is an estimated 300,000 or more companies that will fall under CMMC audit requirements, either in 2020 or as defense contracts are renewed. As of present, CMMC only applies to DoD contracts, but it is unclear if other federal contractors will be affected at a later date.
Important Considerations for CMMC Compliance
- Self-reporting is no longer allowed
- Contractors must be certified by an accredited DoD third party auditor
- Contractors may not apply for DoD contracts if their CMMC level does not meet the requirements
- CMMC compliance costs are allowable and billable to the government
Contractors, especially small to mid-size companies, might look at CMMC requirements and become overwhelmed or disinterred. Self-assessment and self-reporting have worked well for most middle-market contractors. Up until now, there hasn’t been much incentive to take the extra compliance steps, especially if the bidding process wasn’t successful. However, CMMC is unlike existing standards. Every company bidding on a new DoD contract must meet some level of certification to even be considered. For contracts that require CMMC, the contract will state the level of compliance that must be adhered to in order to bid on the contract. A contractor will be disqualified from the request for proposal (RFP) process if the contractor is not certified by an independent third party for the CMMC level required by the RFP.
Beginning in 2020, self-assessment and self-reporting are no longer allowed. Independent third-party accreditation organizations, like PBMares, must perform CMMC assessments. It is expected that there will only be a select number of accredited third parties, which means that waiting until the last minute for an assessment might pose significant risks to the contractor’s ability to respond to RFPs.
The positive side to CMMC implementation is that implementing cybersecurity controls to meet CMMC requirements is considered an allowable cost. One of the biggest challenges for middle-market DoD contractors to remain compliant with changing standards has been resource constraints. Updating software, undergoing third party compliance reviews, and upgrading security processes all cost money and manpower. The DoD recognized this challenge, saying “The cost of certification will be considered an allowable, reimbursable cost and will not be prohibitive.”
Timeline of CMMC Implementation
December 2019: Final public comment period
January 2020: Final CMMC regulations released
February/March 2020: Third-party assessors can apply for accreditation
June 2020: CMMC requirements part of RFIs
Late 2020: CMMC compliance required to bid on RFPs
As of January 31, 2020, final CMMC regulations were issued for all contractors that currently work with the DoD or plan to in the future. Third-party assessors can begin to apply for accreditation as early as February or March and will be ready to assess CMMC readiness in late spring or early summer 2020 when the first audits will likely start happening. Beginning in June 2020, the DoD is expected to include CMMC requirements in RFIs, and in late 2020 DoD contractors need to be certified to bid on RFPs.
How DoD Contractors Can Prepare for CMMC Requirements
The best starting point to prepare for CMMC compliance is to read the guidance, understand what’s required, and determine where gaps in security protocols need to be addressed. Then, assess which level(s) will be appropriate, depenure. Each contract’s required CMMC level will be determined by the government and will be in L and M sections of the RFP, making cybersecurity an allowable cost in DoD contracts.
If contractors do not pass the CMMC audit, they will be disqualified from bidding; therefore, timely assessment and implementation is key.
Next Steps
Early in the year is an ideal time to look at strategic plans and future financial planning to plan for CMMC compliance in 2020 for both yourself and your subcontractors. Working with an advisor who is familiar with how the previous standards interact with CMMC and how to apply the appropriate cybersecurity controls will be easier and less time consuming than contractors and subcontractors trying to do it themselves. DoD contractors, especially middle-market companies, should be using the time between now and fall of 2020 to be proactive and identify gaps in data security and cybersecurity processes. Getting an independent audit may take time, especially if it identifies areas for improvement.
Some areas of CMMC compliance remain unknown. For example, it is unclear how often contractors will need to be certified or how much certification will cost. CMMC is an evolving process and as final versions are released, PBMares will continue to update clients and DoD stakeholders on the new requirements.
