The Defense Department is one small step away from officially getting the Cybersecurity Maturity Model Certification off the starting blocks.
Ellen Lord, the undersecretary of Defense for Acquisition and Sustainment, is ready to sign off on the memorandum of understanding with the CMMC accreditation body that would jumpstart the training of third-party assessment organizations.
Katie Arrington, the chief information security officer for acquisition at DoD, said the MOU is through the clearance process and is just awaiting Lord’s signature.
Arrington, speaking at the Washington Technology CMMC event in McLean, Virginia on March 13, said once the MOU is signed, the six-month push to begin putting CMMC standards in procurements officially will begin.
“The accreditation board, the Johns Hopkins University Applied Physics Laboratory, Carnegie Mellon University and DoD are going through simulations of training, working through the kinks,” she said. “The first session of classes will actually be a lot of the proof in the pudding, and DoD will be there to help through this. This is new so we want to make sure we get it right.”
Alan Chvotkin, the executive vice president and senior counsel at the Professional Services Council, said until contractors know what assessors are looking for, they can only do so much to prepare for CMMC.
The good news, Chvotkin said, is many companies who do work for DoD already have to go through some sort of certification process whether it’s ISO or CMMI or others.
“Under the CMMC, it’s binary or pass/fail. You either meet all of the controls for a given level or you don’t. That’s a significant difference that companies have to think about, too,” he said. “It will require a lot of investment in addition to the preparation so you are ready when the assessors come in.”
Preparing for CMMC with other certifications
Citizant is one of those companies.
Alba Aleman, CEO and founder of Citizant, an IT services firm, said the biggest challenge is what is the evidence the assessors are looking for in their audits.
“When you do the interviews, when you try to get that evidence, it requires all of your people to speak the same language. It’s different than it happening behind the scenes and IT is handling it. That requires a lot of internal training and communications to get everyone up to the same page. That’s more resource intensive than just self-assessments.”
Pam Schoppert, the director of quality programs at Citizant, added it’s a people, process and tools challenge.
“The pragmatic application of selecting from those three areas to bring to bear the evidence is a different mindedness than saying, ‘we do it, it’s behind the walls and our people know it,’” she said. “This is a people issue, not just an IT issue. It’s getting the culture to understand this is the way we do business.”
Schoppert said Citizant just went through its sixth capability maturity model integration (CMMI) assessment and are ISO 9001 and 27001 certified so it’s used to preparing for the audits.
But Aleman said that doesn’t mean her company is ready for CMMC.
“We are in the process of doing our gap analysis now so the three areas they are looking at is documentation changes, infrastructure changes with our managed services provider and what tool investments,” she said. “We will be looking at our costs this year to get to assessment. But the ongoing costs of continuous monitoring, we don’t know what that looks like.”
Chvotkin said the biggest costs for companies who go through the CMMC assessment will be in the up-front preparation.
“Costs will come in a couple of areas. The first is your systems preparation to be ready. The second is the cost of the assessment itself. And the third is the ongoing application of those standards for individual programs and contracts,” he said. “The biggest issue on cost is what level a company seeks certification at—1, 2, 3, 4 or 5. The higher the level of certification, the more significant the cost because the number of controls and processes that have to be complied with.”
In the meantime until the accreditation body gets the assessors trained, DoD is warning vendors against any one claiming they can get you certified.
Lord issued a statement on March 13 warning against any third-party assertions about CMMC.
“At this time, only training materials or presentations provided by the Department will reflect our official position with respect to the CMMC program,” she wrote.
Chvotkin said the other major piece of the CMMC roll out is the release of the Defense Federal Acquisition Regulation (DFARs) rule for CMMC.
He said that also will help vendors understand what falls under the “allowable cost” for cybersecurity that DoD is now permitting.
“For companies working on a fixed price basis, allowable costs don’t mean anything. For companies working on a cost reimbursable basis, it could. There are a lot of rules about allowability and reasonableness that have to be assessed,” Chvotkin said. “How the department finally permits and addresses the allowable cost nature of CMMC will be important and whether there will be other resources available either directly or indirectly.
While vendors are waiting on the accreditation body, DoD is testing out the CMMC standards with the Missile Defense Agency vendors.
Arrington said MDA has been running a series of pathfinder programs using supply chain risk management standards. DoD is taking the data from those pilots and working with the vendors to see how the CMMC requirements would’ve fit into the effort.
“Those pathfinders has been very cooperative and collaborative with the primes in terms of how we do the flow down of information. It only made sense to use those as the jumping off point because we all had such a collaborative nature on those pathfinders. We just mapped the CMMC to what those look like so we can validate with the primes and subs and say is this the way you would’ve read this? Is this [the] CMMC level you think this would’ve been at? So we actually have an understanding of what it looks like,” she said. “This will help us validate the way we structured the model and the contracting so as we go through these RFIs, we have the right structure in the acquisition. We used heavily the Defense Industrial Base cybersecurity assessment capability (DIBCAC), [from the Defense Contract Management Agency], we used that pretty extensively on how they actually did an assessment on the NIST standards, their methodology and what they were doing. We are using what already has been laid out and using the best practices to get the most bang for the buck.”
DCMA did audits of its contractors using the NIST SP 800-171, which is the cybersecurity compliance standards for contractors.