The recent release of the Interim DFARS rule has raised a lot of concern and questions among U.S. Department of Defense (DoD) contractors.
The Interim Rule updates how the DoD expects these contractors, collectively known as the Defense Industrial Base, or DIB, to protect Controlled Unclassified Information (CUI) by formally outlining the transition plan to the Cybersecurity Maturity Model Certification (CMMC) and updating the current NIST SP 800-171 compliance requirements.
Regarding the end-of-November rule change for DFARS Clause 252.204-7012, the updated rule outlines how the CMMC framework will be implemented and why. It also gives the NIST SP 800-171 compliance “Interim Rule” requirement teeth, and companies are concerned about making sure they are compliant.
CMMC is a standard set by the U.S. Department of Defense that was first announced in January 2020 in order to respond to significant compromises of defense-related information housed on its contractors’ IT systems. It’s implemented across the Defense Industrial Base (DIB) sector, with more than 300,000 companies in the DoD’s supply chain, and the goal is to eradicate compromises of information stored within contractors’ information systems.
A-LIGN has continued to work with clients since the certification was announced to answer questions that help individuals and organizations understand and prepare for CMMC. It’s important for us to be at the forefront of CMMC to help demystify its implications for our clients. We are also in constant contact with experienced partners to discuss the pros and cons of CMMC, the challenges and benefits, and the newest developments of this rapidly evolving framework.
Some of the most frequently asked questions about CMMC are where to begin, what to do, how much it costs and how long it takes. A-LIGN recently hosted a panel of industry experts to discuss CMMC, and there was unanimous agreement that organizations should get started now with Level 1 processes and build their program from there. CMMC Survival Guide is the webcast that A-LIGN hosted with Kris Martel, CISO, Emagine IT; Alex Hall, VP of government programs, Alluvionic; and Bernhard Bock, CISO/CIO SysArc. While we covered a lot of ground in the discussion, highlights included scope, process maturity and technical considerations. Another resource, our introductory overview of the CMMC framework, is detailed in CMMC Explained: Practices, Process, Domains and Levels, created by A-LIGN.
CMMC will be implemented using a five-year phased rollout strategy. Starting October 1, 2020, only certain contracts will require CMMC certification, so it’s important to be ready and get the process started now. If your organization is handling Controlled Unclassified Information (CUI), you will need to prepare for Level 3. By October 1, 2025, all contracts and orders, excluding commercial off-the-shelf (COTS) products or those under the federal micro-purchase threshold, will include a CMMC-level requirement for companies to meet. This means that to participate on a DoD contract, a “Contractor shall have a current (i.e. not older than 3 years) CMMC certificate at the CMMC level required by this contract and maintain the CMMC certificate at the required level for the duration of the contract,” according to proposed DFARS clause 252.204-7021 wording.
Cost of CMMC certification and scope
One of the most common questions about CMMC is “how much is this going to cost me?” And since cost is directly related to scope, no one will really know until the Department of Defense begins releasing RFIs and RFPs that include CMMC. DoD has assumed for the phased rollout of CMMC that roughly 30% of DIB contractors will require CMMC Level 3, which is the equivalent of NIST SP 800-171 plus an additional 20 practices (controls), with about 74% of those DoD contractors considered small businesses.
Practically speaking, the scope of CMMC will focus on where data is stored, processed and transmitted, employees (and contractors) coming into contact with CUI, and systems (such as email and accounting) with access to CUI. Smaller companies may find it easier to just consider everyone and everything in their organization in scope, but larger organizations will face more complexity during their scoping process. Starting at Level 1, which includes 17 security controls that are widely considered industry best practices (you most likely have many of them already implemented), will lay the groundwork for your effort and give you a place to start. That way an organization can start with the basics and work up from there.
CMMC certification levels and technical considerations
CMMC specifies five certification levels, which reflect the maturity level and reliability of a company’s cybersecurity infrastructure, as well as how much DoD information they have access to or store. The levels are tiered and each builds upon the previous level’s technical requirements. Higher levels require a contractor to comply with the requirements of lower levels fully and institutionalize the processes needed for specific cybersecurity practices.
Level 1, Level 3 and Level 5 are the most relevant. Level 1 is based on FAR 48 CFR 52.204-21, Level 3 is based on NIST SP 800-171, and Level 5 is based on Draft NIST SP 800-172. Since CMMC is based on existing security frameworks, most organizations won’t have to start from scratch, but they will need to take stock of their existing controls to determine what is missing.
The most obvious controls, which many organizations already have implemented, include endpoint protection, encryption, multi-factor authentication, permissions, audits and logging. The next level of controls includes ingesting threat intelligence and configuration management. It is important to realize there is no silver bullet solution to achieve CMMC compliance; it takes defense in depth. And it is equally important to focus on mindset: doing the right things, the right way.
CMMC requires organizational change
Speaking of doing the right thing, process maturity is often overlooked as part of this certification process, in favor of technical controls. Companies must keep in mind that in order to achieve a specific CMMC level, a company must demonstrate both process maturity and the implementation of practices, or technical controls, commensurate with that level.
It is naïve to think that CMMC is just an IT problem; it is also a people problem—and it takes training and organizational changes to achieve. Processes should not overlook the human element.
A Managed Security Service Provider (MSSP) is one logical choice to help achieve CMMC compliance, since they enable an organization to leverage economies of scale, from basic to advanced tools. But, just as there is no silver bullet solution for technical considerations, it is important for organizations to be wary of any MSSP that claims to have a ready-made CMMC solution. That is because every organization is different, so it is critical that an MSSP understands your business and can map to CMMC.
The takeaway message is don’t wait. Get started today on your path to CMMC certification. Take the time to conduct due diligence for solution and service providers to make sure they can adequately address your needs. And keep your eyes open for the upcoming launch of the CMMC Marketplace, which will list vendors and service providers that have received official CMMC training from the CMMC Accreditation Body as either a consultant/service provider or as a certified assessor.