This content is provided by Celerium.
The intention of CMMC is to raise the cyber defense posture of DoD contractors and suppliers while recognizing the varying cyber risks and capabilities (especially for smaller DoD suppliers) by stratifying compliance requirements into five levels. The goal is to protect Federal Contract Information (FCI) at level 1 and Controlled Unclassified Information (CUI) plus FCI at level 2 and above.
Let’s examine what CMMC means for the hundreds of thousands of small-medium subcontractors at the entry levels of CMMC — levels 1, 2, and 3.
As background, it is important to remember the history of DoD compliance, which started with the protection of classified information (under NISPOM), then extended to federal information systems (through NIST 800-53), and then to CUI in non-federal systems through the NIST 800-171 framework introduced in 2017. In CMMC, the lower levels (1, 2, and 3) leverage the NIST 800-171 content, whereas levels 4 and 5 borrow requirements from NIST 800-53 and other areas.
Here are some of the differences between CMMC and NIST 800-171:
CMMC Level 1 – FCI Focus
This level is meant to be a light touch for small DoD subcontractors who do not work with sensitive information. The practice objective is basic cyber hygiene:
Process maturity is simply performed; no documentation is needed.
CMMC Level 2
The practice objective is intermediate cyber hygiene:
Process maturity now requires processes and policies to be documented.
CMMC Level 3
The practice objective is good cyber hygiene (per NIST SP 800-171 Rev 1).
Process maturity is now managed, which means:
Questions abound about how primes and contractors will collaborate with their subs on CMMC.
Although DoD primes and contractors will certainly need to work toward their CMMC compliance, they may also need CMMC certification of subcontractors. While actual certification may not be required before contract award, the pursuit of a major opportunity will frequently require that teams be formed and teaming agreements executed months and sometimes years in advance. At least for a while, that means teams must be formed without assurances (and possibly without confidence) that team members will be able to achieve the necessary certification.
To what degree will primes encourage, prod, or mandate – and help – their subs to be ready? Will subs be open to such help, and willing to share information about their status? What contingency plans will primes have if some of their subs are not CMMC certified by the award deadline? Will DoD prescribe a “flow down” clause that may require primes to take on monitoring of or responsibility for their subcontractor certification under CMMC?
The CMMC Academy offers insights into CMMC readiness for both primes and their subs.
A recent virtual summit hosted by the CMMC Academy brought together key leaders to provide insights into CMMC readiness for both prime contractors and their subcontractors. Katie Arrington, the CISO for the DoD’s Acquisitions Office, participated in the summit, along with a representative from the CMMC Accreditation Body and executives from industry ISACs, including National Defense ISAC and Aviation ISAC. A legal panel, featuring the General Counsel, Defense for Aerojet Rocketdyne, explored the legal consequences of CMMC, and Commander s.g. Jesper Rasmussen of the Royal Danish Embassy in the United States provided an international perspective on the cybersecurity program.
Those interested in watching the videos from the virtual summit can register to view them – at no cost – at https://CMMC.Academy.
Author Background: Tommy McDowell has experience as a compliance planner and auditor with classified systems and NIST 800-53. His work in cyberthreat intelligence includes positions at Mandiant and FireEye as well as Retail ISAC. He is currently the General Manager of Celerium, a cyber threat intelligence and sharing company.
CMMC Academy Background: Tommy also leads the CMMC Academy, a Celerium initiative that provides free CMMC videos, webinars, reference guides, and self-assessment information to defense contractors and subcontractors. Members of the CMMC Academy International Alliance include the American Danish Business Council and Aviation ISAC. The Academy’s sponsors include Bank of America and Citi Private Bank.