Planning for the uncertain: What to watch and how to prepare for CMMC
Cyber espionage of sensitive data has occurred over the past 20 years with increasing frequency. Threat actors, particularly those that are state-sponsored, lau...
Cyber espionage of sensitive data has occurred over the past 20 years with increasing frequency. Threat actors, particularly those that are state-sponsored, launch persistent cyberattacks that target sensitive national security data. The Defense Department (DoD) identified contractors comprising the Defense Industrial Base (DIB) as a sector that has experienced frequent data breaches divulging such critical data. As a result, DoD is placing heightened focus on securing contractors’ systems and holding contractors accountable for maintaining that security. These security requirements are imposed through contract terms that build upon established security standards.
One of the continually evolving, albeit currently unsettled, security standards is the Cybersecurity Maturity Model Certification (CMMC), a DoD certification program designed to measure a federal government contractor’s cybersecurity maturity. The latest rulemaking for CMMC is anticipated this May. While it remains to be seen whether the latest iteration of CMMC will be released as a proposed rule versus an interim final rule, CMMC already has the attention of companies doing business with the government. Herein we address some of the quandaries surrounding CMMC — namely the differences between CMMC and its predecessor the DFARS Safeguarding Clause, and how companies may prepare for an evolving, unsettled cyber standard such as CMMC.
The difference between the DFARS safeguarding clause and CMMC
Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting (Safeguarding Clause), is mandatory in all defense contracts and solicitations, with one exception: The clause is not required in contracts or solicitations for exclusively commercially available off-the-shelf (COTS) items. Although it appears in most DoD contracts, the clause generally applies only when the performance of the contract implicates sensitive data known as DoD controlled unclassified information (CUI) or covered defense information (CDI). The clause requires government contractors to adequately protect CDI handled in performance of a contract and includes three basic requirements: 1) adequate security; 2) cyber incident reporting; and 3) subcontractor flow downs. For purposes of comparing to CMMC, we will focus primarily on the adequate security requirements.
A contractor must implement “adequate security” to protect CDI on its information systems if the contractor processes, stores or transmits CDI on those systems. Generally, a contractor achieves “adequate security” by implementing the National Institute of Standards and Technology’s cybersecurity standard SP 800-171, including a system security plan (SSP), describing how it has implemented the NIST controls, and a plan of action and milestones (POAM) outlining how it will implement controls in the future that are not yet met.
If a contractor intends to use a third-party cloud service provider (CSP) to process, store or transmit CDI (e.g., as part of excess data storage or SaaS applications), the contractor must ensure that the CSP meets security requirements equivalent to those established for the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline. FedRAMP is a federal government program that provides a standardized approach to security assessment, authorization and continuous monitoring for commercial cloud products and services sold to the government.
While NIST SP 800-171 and DFARS 252.204-7012 were created to safeguard sensitive data, the DoD determined that the Safeguarding Clause was ineffective on its own. The DoD inspector general found that DoD contractors did not consistently implement mandatory security for safeguarding CDI. Particularly, the Safeguarding Clause does not require the DoD to verify contractors’ implementation of NIST SP 800-171 prior to contract award. These and similar findings led the DoD to explore a new cybersecurity assessment regime.
In January 2020, DoD introduced the now defunct CMMC Version 1.0, which included five levels of CMMC certification based on maturity processes and cybersecurity controls (referred to as “practices” under CMMC). To achieve certification, a contractor would have been required to demonstrate implementation of both the maturity processes and security practices identified at the requisite level. Certification would have been available at one of five levels, based on the sensitivity of the information expected to be handled under contract performance. Each CMMC level was cumulative, meaning that the higher levels included all practices and processes from the levels below. CMMC 1.0 categorized the practices into 17 domains, which were largely based off of NIST SP 800-171, NIST SP 800-172, and CMMC-specific practices. Importantly, certification to these levels would have been conducted by a CMMC third party assessment organization (C3PAO), rather than through a contractor self-assessment or the DoD.
In November 2021, DoD announced CMMC Version 2.0, incorporating findings from its internal review and feedback from industry. DoD has explained CMMC 2.0 compliance (and thus the implicating clause DFARS 252.204-7021 requirements) will not be required until DoD completes this new round of rulemaking. DoD originally expected rulemaking to conclude in November 2023 and currently is sticking by that timeline in spite of recent delays to the rulemaking process.
CMMC 2.0 generally includes three CMMC levels of certification as follows.
CMMC Level 1, Foundational – Contractors must implement the 17 controls from NIST SP 800-171 enumerated in FAR 52.204-21 and submit an annual self-assessment to the DoD through the Supplier Performance Risk System (SPRS).
CMMC Level 2, Advanced – Contractors must implement the 110 controls in NIST SP 800-171 and submit an annual self-assessment or, if required to handle as yet undefined “critical national security information,” a triennial independent assessment performed by a private entity certified by the DoD as a third-party assessor (a C3PAO).
CMMC Level 3, Expert – Contractors must implement the 110 controls in NIST SP 800-171 and a yet to be determined subset of controls from NIST SP 800-172 before undergoing a triennial government-led assessment.
Under the current Version 2.0, compliance will continue to be required prior to award through solicitation and contract terms. DoD is currently working to finalize the scope and applicable controls for these levels. Importantly, the controls applicable at each level may change when NIST finalizes its pending revisions to SP 800-171, which are expected as soon as Spring 2023.
How to prepare for CMMC
Despite the current uncertainty surrounding CMMC rulemaking there are steps companies may consider taking now to position themselves in a better compliance posture. While not exhaustive, to follow are several practical exercises a company may take at the enterprise level to prepare for CMMC.
Know your data and your network
In order to adequately plan and prepare for CMMC, it is vital to understand what categories of regulated data are handled and need to be protected, as this determination informs CMMC levels and compliance requirements. For example, does the company possess federal contract information in one segmented network and process, store or transmit CUI in another? If so, there may be separate CMMC requirements for each environment. Until a company understands what data is handled and the associated regulatory and cybersecurity requirements, it is unclear what CMMC implementation and preparedness looks like for each company.
Refine or create corporate policies
How a company manages administrative controls are integral in meeting many of the CMMC requirements. A company’s corporate policies can serve as one out of two required artifacts that is currently required to demonstrate proof that individual CMMC practices are met. It is clear that a company would not want to create these policies in the middle of a CMMC assessment. Hence, now is the time to refine corporate policies such as CUI marking and handling and incident response plans. Then, the task is to train on and test these policies and plans, including for example through penetration tests and tabletop exercises, to help ensure their effectiveness. These activities, under the direction of counsel, can help provide evidence of a company’s diligent approach to cybersecurity and CMMC implementation in an environment of confidentiality and privilege as discussed below.
Devise an SSP and conduct privileged compliance assessments
One of the most important steps of CMMC preparedness is drafting the documentation such as an SSP that a company will provide to a CMMC assessor to demonstrate its compliance. Once a company completes its documentation, it should pressure test its ability to effectively meet the applicable requirements as many CMMC practices and NIST security controls are often misinterpreted or incorrectly scoped. This validation is often most effective when conducted by an external third-party and under attorney client privilege. Using counsel with technical capabilities to conduct the assessment or to direct the assessments by third parties can benefit companies if needed to demonstrate to customers and the government that an independent assessment was conducted and also to mitigate the risk of having to disclose assessment findings in litigation or during an investigation.
Although there remains uncertainty regarding CMMC’s compliance requirements and what effect the upcoming rulemaking will have, there is still much work companies can do now to enhance their cybersecurity readiness. The steps outlined above are actions each company may consider performing as they move closer towards CMMC compliance.
Michael G. Gruden, a counsel at Crowell & Moring LLP’s Washington, D.C., office, is a registered practitioner under the Cybersecurity Maturity Model Certification framework, a former Pentagon information technology acquisition branch chief and a former contracting officer at the Defense Department and the Department of Homeland Security.
Planning for the uncertain: What to watch and how to prepare for CMMC
Cyber espionage of sensitive data has occurred over the past 20 years with increasing frequency. Threat actors, particularly those that are state-sponsored, lau...
Cyber espionage of sensitive data has occurred over the past 20 years with increasing frequency. Threat actors, particularly those that are state-sponsored, launch persistent cyberattacks that target sensitive national security data. The Defense Department (DoD) identified contractors comprising the Defense Industrial Base (DIB) as a sector that has experienced frequent data breaches divulging such critical data. As a result, DoD is placing heightened focus on securing contractors’ systems and holding contractors accountable for maintaining that security. These security requirements are imposed through contract terms that build upon established security standards.
One of the continually evolving, albeit currently unsettled, security standards is the Cybersecurity Maturity Model Certification (CMMC), a DoD certification program designed to measure a federal government contractor’s cybersecurity maturity. The latest rulemaking for CMMC is anticipated this May. While it remains to be seen whether the latest iteration of CMMC will be released as a proposed rule versus an interim final rule, CMMC already has the attention of companies doing business with the government. Herein we address some of the quandaries surrounding CMMC — namely the differences between CMMC and its predecessor the DFARS Safeguarding Clause, and how companies may prepare for an evolving, unsettled cyber standard such as CMMC.
The difference between the DFARS safeguarding clause and CMMC
Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting (Safeguarding Clause), is mandatory in all defense contracts and solicitations, with one exception: The clause is not required in contracts or solicitations for exclusively commercially available off-the-shelf (COTS) items. Although it appears in most DoD contracts, the clause generally applies only when the performance of the contract implicates sensitive data known as DoD controlled unclassified information (CUI) or covered defense information (CDI). The clause requires government contractors to adequately protect CDI handled in performance of a contract and includes three basic requirements: 1) adequate security; 2) cyber incident reporting; and 3) subcontractor flow downs. For purposes of comparing to CMMC, we will focus primarily on the adequate security requirements.
A contractor must implement “adequate security” to protect CDI on its information systems if the contractor processes, stores or transmits CDI on those systems. Generally, a contractor achieves “adequate security” by implementing the National Institute of Standards and Technology’s cybersecurity standard SP 800-171, including a system security plan (SSP), describing how it has implemented the NIST controls, and a plan of action and milestones (POAM) outlining how it will implement controls in the future that are not yet met.
Learn how federal agencies are preparing to help agencies gear up for AI in our latest Executive Briefing, sponsored by ThunderCat Technology.
If a contractor intends to use a third-party cloud service provider (CSP) to process, store or transmit CDI (e.g., as part of excess data storage or SaaS applications), the contractor must ensure that the CSP meets security requirements equivalent to those established for the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline. FedRAMP is a federal government program that provides a standardized approach to security assessment, authorization and continuous monitoring for commercial cloud products and services sold to the government.
While NIST SP 800-171 and DFARS 252.204-7012 were created to safeguard sensitive data, the DoD determined that the Safeguarding Clause was ineffective on its own. The DoD inspector general found that DoD contractors did not consistently implement mandatory security for safeguarding CDI. Particularly, the Safeguarding Clause does not require the DoD to verify contractors’ implementation of NIST SP 800-171 prior to contract award. These and similar findings led the DoD to explore a new cybersecurity assessment regime.
In January 2020, DoD introduced the now defunct CMMC Version 1.0, which included five levels of CMMC certification based on maturity processes and cybersecurity controls (referred to as “practices” under CMMC). To achieve certification, a contractor would have been required to demonstrate implementation of both the maturity processes and security practices identified at the requisite level. Certification would have been available at one of five levels, based on the sensitivity of the information expected to be handled under contract performance. Each CMMC level was cumulative, meaning that the higher levels included all practices and processes from the levels below. CMMC 1.0 categorized the practices into 17 domains, which were largely based off of NIST SP 800-171, NIST SP 800-172, and CMMC-specific practices. Importantly, certification to these levels would have been conducted by a CMMC third party assessment organization (C3PAO), rather than through a contractor self-assessment or the DoD.
In November 2021, DoD announced CMMC Version 2.0, incorporating findings from its internal review and feedback from industry. DoD has explained CMMC 2.0 compliance (and thus the implicating clause DFARS 252.204-7021 requirements) will not be required until DoD completes this new round of rulemaking. DoD originally expected rulemaking to conclude in November 2023 and currently is sticking by that timeline in spite of recent delays to the rulemaking process.
CMMC 2.0 generally includes three CMMC levels of certification as follows.
CMMC Level 1, Foundational – Contractors must implement the 17 controls from NIST SP 800-171 enumerated in FAR 52.204-21 and submit an annual self-assessment to the DoD through the Supplier Performance Risk System (SPRS).
CMMC Level 2, Advanced – Contractors must implement the 110 controls in NIST SP 800-171 and submit an annual self-assessment or, if required to handle as yet undefined “critical national security information,” a triennial independent assessment performed by a private entity certified by the DoD as a third-party assessor (a C3PAO).
CMMC Level 3, Expert – Contractors must implement the 110 controls in NIST SP 800-171 and a yet to be determined subset of controls from NIST SP 800-172 before undergoing a triennial government-led assessment.
Read more: Commentary
Under the current Version 2.0, compliance will continue to be required prior to award through solicitation and contract terms. DoD is currently working to finalize the scope and applicable controls for these levels. Importantly, the controls applicable at each level may change when NIST finalizes its pending revisions to SP 800-171, which are expected as soon as Spring 2023.
How to prepare for CMMC
Despite the current uncertainty surrounding CMMC rulemaking there are steps companies may consider taking now to position themselves in a better compliance posture. While not exhaustive, to follow are several practical exercises a company may take at the enterprise level to prepare for CMMC.
In order to adequately plan and prepare for CMMC, it is vital to understand what categories of regulated data are handled and need to be protected, as this determination informs CMMC levels and compliance requirements. For example, does the company possess federal contract information in one segmented network and process, store or transmit CUI in another? If so, there may be separate CMMC requirements for each environment. Until a company understands what data is handled and the associated regulatory and cybersecurity requirements, it is unclear what CMMC implementation and preparedness looks like for each company.
How a company manages administrative controls are integral in meeting many of the CMMC requirements. A company’s corporate policies can serve as one out of two required artifacts that is currently required to demonstrate proof that individual CMMC practices are met. It is clear that a company would not want to create these policies in the middle of a CMMC assessment. Hence, now is the time to refine corporate policies such as CUI marking and handling and incident response plans. Then, the task is to train on and test these policies and plans, including for example through penetration tests and tabletop exercises, to help ensure their effectiveness. These activities, under the direction of counsel, can help provide evidence of a company’s diligent approach to cybersecurity and CMMC implementation in an environment of confidentiality and privilege as discussed below.
One of the most important steps of CMMC preparedness is drafting the documentation such as an SSP that a company will provide to a CMMC assessor to demonstrate its compliance. Once a company completes its documentation, it should pressure test its ability to effectively meet the applicable requirements as many CMMC practices and NIST security controls are often misinterpreted or incorrectly scoped. This validation is often most effective when conducted by an external third-party and under attorney client privilege. Using counsel with technical capabilities to conduct the assessment or to direct the assessments by third parties can benefit companies if needed to demonstrate to customers and the government that an independent assessment was conducted and also to mitigate the risk of having to disclose assessment findings in litigation or during an investigation.
Sign up for our daily newsletter so you never miss a beat on all things federal
Conclusion
Although there remains uncertainty regarding CMMC’s compliance requirements and what effect the upcoming rulemaking will have, there is still much work companies can do now to enhance their cybersecurity readiness. The steps outlined above are actions each company may consider performing as they move closer towards CMMC compliance.
Michael G. Gruden, a counsel at Crowell & Moring LLP’s Washington, D.C., office, is a registered practitioner under the Cybersecurity Maturity Model Certification framework, a former Pentagon information technology acquisition branch chief and a former contracting officer at the Defense Department and the Department of Homeland Security.
Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.
Related Stories
CMMC spurs cybersecurity awareness, but don’t sleep on everything else
Cyber accreditation body says key CMMC document to face changes
The early bird gets the bid: How staying ahead of CMMC 2.0 helps contractors succeed