With a hefty budget, the Defense Department works with a broad range of contractors that perform many different roles. The contracting community represents a critical supply chain that supports our nation’s armed forces, provides numerous services to the federal government, and develops systems embedded with software, code and digital information that are all vulnerable to security compromise.
Such risk is the impetus behind the Cybersecurity Maturity Model Certification (CMMC) framework. Launched in 2020, and based upon the National Institute of Standards and Technology with considerations derived from the Cyberspace Solarium Commission, it is a newer requirement for all government contractors who do business with the DoD (essentially the Defense Industrial Base) to be compliant with a pre-determined set of cybersecurity standards. CMMC applies to both prime and subcontractors, and what’s more, a whopping 300,000 or more contractors will need to be certified.
It’s important to review some drivers of this certification and the purpose behind the model. In 2020, the Inspector General of the Department of Defense set forth “Top DoD Management Challenges.” High on the list, at number six, was “enhancing DoD cyberspace operations and capabilities.” The report highlighted the grave dangers of cyberattacks, making it clear that our adversaries are on the offensive, not only to gather intelligence, but to infiltrate and purposefully expand their reach into our digital infrastructure.
According to the report, the DoD Information Network (DODIN), an intricate weave of data, processes and capabilities, serves the DoD through such interconnection. Data is processed, stored, disseminated, and managed for a host of users, including warfighters as well as key policy makers. As the IG explained, “the DODIN is vast and dispersed, composed of approximately 10,000 operational systems, thousands of data centers, tens of thousands of servers, and millions of computers and information technology devices that are mostly antiquated, which reduces the DoD’s ability to secure them from cybersecurity threats.”
Much of DODIN is supported by government contractors, hence the foundation of the CMMC. The model and certification process were born from a joint effort of many DoD stakeholders. Like other frameworks, CMMC seeks to instill cybersecurity best practices within tiers one and two and, further down the chain, among suppliers. Specifically, this model calls for a level of cyber hygiene that will cultivate best practices to curtail the risk raised by cyber threats anywhere across the vast DODIN landscape. Because contractors of all types are privy to sensitive data and information, the healthy cyber practices seek to protect “Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) within their unclassified networks.”
CMMC is built on top of prevailing Defense Federal Acquisition Standards (252.204-7012) that govern the cyber standards defense contractors must already comply with. Certification imposes a higher standard of compliance, subjecting firms to audits and checks to ensure that they follow the policies and practices established by the CMMC.
CMMC in a nutshell
Levels of certification: CMMC has five levels of certification that ascend from the treatment and handling of least sensitive to most sensitive data. Level one addresses federal contract information, with two transitioning to CUI maturity, and three through five specifically address the handling of CUI. Levels four and five, specifically, are more austere, focusing on highly classified data, and center on protection against, and risk reduction of, advanced persistent threats (APTs).
Authorized CMMC Third Party Assessor Organizations (C3PAOs) to assess for CMMC compliance: Third-party auditor organizations (currently in provisional status), which will be licensed and listed on the CMMC-AB Marketplace website, may conduct CMMC assessments. Such C3PAOs have specific authorized and certified CMMC assessors to carry out assessments.
Many nuances to CMMC: There are many nuances to the framework (probably way too many to list). For example, the CMMC will apply to contracts above the subject agency’s micro-purchase threshold (generally $10,000); vendors solely providing commercial off-the-shelf (COTS) products are to be exempted from the requirement. What’s more, the DoD says it does not anticipate that waivers will be provided to companies unable to meet the requirement.
Gradual rollout: CMMC will be implemented through a phased rollout. By fiscal year 2026, every contractor seeking to do business with the Department of Defense (DoD) will be required to have at least a Level 1 Cybersecurity Maturity Model Certification (CMMC).
CMMC: Where to begin?
The requirements of CMMC certification appear overwhelming, with concerns over cost and time constraints. However, as a starting point, it’s important to understand which categories businesses fall into, some of the definitions, and the steps required to become certified.
When seeking a trusted advisor, consider approaching an organization that not only understands the many complexities of government contracting, but also has extensive insight into IT infrastructure and requirements with a critical understanding of what auditors will be assessing. This will help discern where and what areas of a security plan (either existing or under development) must be addressed, and how they will be prepared for audit readiness.
Although the CMMC certification is new for everyone, the requirement is already in effect, and has been since September 2020. In order to become compliant at the proper level and meet all the requirements applicable to your business, evaluate the work needed and whether it can be done in-house. Working with a partner that can provide necessary resources and expertise to incrementally make adjustments and/or changes for audit readiness is advisable for a swift and successful process.
Elizabeth Jimenez is executive director, Strategic Development for NeoSystems, a full-service IT integrator, managed services and cloud provider.