The intention of CMMC is to raise the cyber defense posture of DoD contractors and suppliers while recognizing the varying cyber risks and capabilities (especially for smaller DoD suppliers) by stratifying compliance requirements into five levels. The goal is to protect Federal Contract Information (FCI) at level 1 and Controlled Unclassified Information (CUI) plus FCI at level 2 and above.
Let’s examine what CMMC means for the hundreds of thousands of small-medium subcontractors at the entry levels of CMMC — levels 1, 2, and 3.
As background, it is important to remember the history of DoD compliance: it started with the protection of classified information (under NISPOM), extended to federal information systems (through NIST 800-53), and then added the NIST 800-171 framework, introduced in 2017, for CUI in non-federal systems. In CMMC, the lower levels (1, 2, 3) leverage the NIST 800-171 content, whereas levels 4 and 5 borrow requirements from NIST 800-53 and other sources.
Here are some of the differences between CMMC and NIST 800-171:
Three new domains (Asset Management, Risk Management, and Situational Awareness) were not in NIST 800-171.
Third-party assessments (rather than self-assessments) are required in CMMC.
CMMC certification will be required to be eligible to win DoD contracts. DFARS 7012 is being updated to articulate this requirement.
Process maturity is being introduced.
CMMC Level 1 – FCI Focus
This level is meant to be a light touch for small DoD subcontractors who do not work with sensitive information. The practice objective is basic cyber hygiene:
Basic protection focuses on FCI, based on 48 CFR 52.204-21 (Basic Safeguarding of Covered Contractor Information Systems). CUI protection is not a focus of CMMC level 1.
Practices are organized into six domains, which were previously used in 171.
Number of practices: 17.
Process maturity is simply "performed"; no documentation of processes is required.
CMMC Level 2
The practice objective is intermediate cyber hygiene:
Some practices are now related to the protection of CUI.
Practices are organized into six domains.
There is a new domain – Recovery – that was not in NIST 800-171. Its practices cover the regular testing of data backups and protecting the confidentiality of backed-up CUI at storage locations.
Number of practices: 72.
Process maturity is now "documented": processes and policies must be written down.
CMMC Level 3
The practice objective is good cyber hygiene (per NIST SP 800-171 Rev 1).
Practices are organized into 17 domains.
There are two new domains (beyond NIST 800-171): Asset Management and Situational Awareness.
The Asset Management practice covers defining procedures for the handling of CUI data.
The Situational Awareness practice covers receiving and responding to cyber threat intelligence from information-sharing forums and sources, and communicating it to relevant stakeholders.
Number of practices: 130.
DFARS clause 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting) specifies additional requirements beyond NIST 800-171.
Process maturity is now "managed", which means:
Document policies and processes.
Establish, maintain, and resource a plan for practice implementation (mission, goals, project plans, resourcing, required training, stakeholder involvement).
Questions abound about how primes and contractors will collaborate with their subcontractors on CMMC.
Although DoD primes and contractors will certainly need to work toward their own CMMC compliance, they may also need CMMC certification of their subcontractors. While actual certification may not be required before contract award, the pursuit of a major opportunity will frequently require that teams be formed and teaming agreements executed months, and sometimes years, in advance. At least for a while, that means teams must be formed without assurance (and possibly without confidence) that team members will be able to achieve the necessary certification.
To what degree will primes encourage, prod, or mandate – and help – their subs to be ready? Will subs be open to such help, and willing to share information about their status? What contingency plans will primes have if some of their subs are not CMMC certified by the award deadline? Will DoD prescribe a “flow down” clause that may require primes to take on monitoring of or responsibility for their subcontractor certification under CMMC?
The CMMC Academy offers insights into CMMC readiness for both primes and their subs.
A recent virtual summit hosted by the CMMC Academy brought together key leaders to provide insights into CMMC readiness for both prime contractors and their subcontractors. Katie Arrington, the CISO for the DoD’s Acquisitions Office, participated in the summit, along with a representative from the CMMC Accreditation Body and executives from industry ISACs, including National Defense ISAC and Aviation ISAC. A legal panel, featuring the General Counsel, Defense for Aerojet Rocketdyne, explored the legal consequences of CMMC, and Commander s.g. Jesper Rasmussen of the Royal Danish Embassy in the United States provided an international perspective on the cybersecurity program.
Those interested in watching the videos from the virtual summit can register to view them – at no cost – at https://CMMC.Academy.
Author Background: Tommy McDowell has experience as a compliance planner and auditor with classified systems and NIST 800-53. His work in cyberthreat intelligence includes positions at Mandiant and FireEye as well as Retail ISAC. He is currently the General Manager of Celerium, a cyber threat intelligence and sharing company.
CMMC Academy Background: Tommy also leads the CMMC Academy, a Celerium initiative that provides free CMMC videos, webinars, reference guides, and self-assessment information to defense contractors and subcontractors. Members of the CMMC Academy International Alliance include the American Danish Business Council and Aviation ISAC. The Academy’s sponsors include Bank of America and Citi Private Bank.