Cybersecurity Maturity Model Certification Compliance – Hurry Up and Wait!
Three months following the initial release of Cybersecurity Maturity Model Certification (CMMC) Version 1.0 from the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)), guidance continues to be issued in fragments, creating ambiguity for the Defense Industrial Base (DIB) as to implementation. Giving flashbacks to many in the DIB community, the message seems to be “Hurry up and Wait!”
CMMC Version 0.7 was replaced earlier this year with the primary intent of eradicating the previous policy that allowed self-certification and self-accreditation for cybersecurity. Now, the CMMC requires third-party audits to prove that DIB contractors have adequate cybersecurity capabilities to protect “Federal Contract Information” (FCI) and “Controlled Unclassified Information” (CUI) against “Advanced Persistent Threats” (APTs) across 17 different domains (areas of secured information).
Since the January 31, 2020 roll-out of CMMC Version 1.0, the OUSD website released several documents designed to guide contractors on compliance for “future DoD Acquisitions.” On March 18, 2020, OUSD provided a 338-page Appendix Version 1.02 on “Practice and Procedure Descriptions” that details expectations at each Level of security with citations to specific provisions in the Federal Acquisition Regulations and NIST Special Publication 800 series. Despite its incredible length, Appendix Version 1.02 appears well-organized.
Prior to the Coronavirus pandemic, it was expected that RFPs and RFIs incorporating the CMMC changes would be released in the late spring and fall. Still, internal CMMC assessments should begin now, despite formal certifications not yet available from DoD. Contractors can visit OUSD’s Frequently Asked Questions page to get an initial view of the certification process.
Unfortunately, contractors will bear the cost of the certification process, which will vary according to the contractor’s certification Level and network complexity. The CMMC recognizes five different certification levels, beginning with Level 1, that increase based upon the reliability, maturity, and cybersecurity capabilities of a company’s network. Each level adds technical, institutional, and process elements, described as follows:
Level 1: "Basic cyber hygiene" practices required (i.e. antivirus software, password requirements) to protect FCI, which is "information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government." It does not include public information or certain transactional information.
Level 2: "Intermediate cyber hygiene" practices to begin to protect CUI. Requires the company to establish and document practices and policies showing cyber hygiene efforts, as well as to show that its personnel follow these practices and policies consistently. This is an intermediate stage, in which the company should follow NIST SP 800-171(4).
Level 3: A company must have institutionalized and implemented all NIST SP 800-171(4) security requirements, as well as additional standards to protect CUI and additional resources to mitigate vulnerabilities (see DFARS clause 252.204-7012 for additional measures and incident response techniques).
Level 4: Company must show implemented processes and organizational review techniques to consistently measure and monitor the effectiveness of security, response, and detection. Must also show the ability to take corrective action and inform higher-level management on a recurring basis. The focus is protecting CUI from APTs, and the Level encompasses a subset of the enhanced security requirements from draft NIST SP 800-171-B (6).
Level 5: A company must have standardized and optimized processes in place across the organization and additional in-depth and sophisticated cybersecurity capabilities to combat APTs and protect CUI.
The CMMC will conduct an initial assessment of the “implementation” and “institutionalization” of each company’s cybersecurity practices and processes, respectively, and then an assessor, which will be either an individual or a CMMC Third Party Assessment Organization (C3PAO), will perform the assessment for the formal CMMC accreditation.
The individual assessors and C3PAOs are accredited by the CMMC Accreditation Body (AB), a non-profit, independent organization. Per the CMMC AB website, “[t]he requirements for becoming a CMMC third-party assessment organization (C3PAO) have not yet been finalized,” so “there are no third-party entities at this time who are capable of providing a CMMC certification that will be accepted by the Department.”
Accordingly, “only training materials or presentations provided by the Department will reflect our official position with respect to the CMMC program,” despite public representations made to the contrary by other contractors claiming to provide CMMC certifications. Once the CMMC AB approves a list of assessors and C3PAOs, it will publish a list of approved certification providers on a CMMC marketplace, from which DIB companies can select a provider specific to their Level. Training for assessors is not yet finalized but is still expected in 2020.
In short, certifications for CMMC levels are not ready (because no one is certified to conduct the assessments), and unless and until they are, DIB companies should not expect to see CMMC requirements mandated in RFPs or RFIs. Still, companies can prepare themselves by conducting internal evaluations using Appendix Version 1.02 and determining their desired Level based upon the category of secured information with which they most commonly work.