On Jan. 31, 2020, the Department of Defense (DoD) released Version 1.0 of the Cybersecurity Maturity Model Certification (CMMC) framework, marking the latest step to standardize cybersecurity requirements for future DoD acquisitions. The CMMC Accreditation Body (CMMC A.B.) was officially formed in January and is currently tasked with developing assessment and training standards. Priorities for the newly formed body include the launch of a pathfinder training effort for assessors and the development of a standardized assessment methodology.
Katie Arrington, DoD’s Chief Information Security Officer for Acquisition and Sustainment, outlined additional details of the CMMC implementation timeline at an event on Jan. 28, 2020, hosted by Holland & Knight and co-sponsored by DHG. Arrington clarified that the CMMC requirement will be applicable to contractors and their subcontractors (subs) on future contracts at the time of award. The number of contractors who are subject to CMMC requirements is projected to increase from 1,500 during fiscal 2021 to 48,000 by fiscal 2025.
As previously suggested, most contractors will be required to adhere to the most basic security maturity level of CMMC, Level 1, which is centered on safeguarding Federal Contract Information (FCI). At the aforementioned event, Arrington expressed doubt that Level 2 of the CMMC would appear in many requests for information (RFIs), as it would primarily serve as a bridge between Level 1 for “basic” cyber hygiene and Level 3 for “good” cyber hygiene. Companies that receive or access Controlled Unclassified Information (CUI) will be required to achieve compliance with Level 3 of the model, and distinct maturity level requirements for subs will be identified within upcoming requests for proposals (RFPs).
Key Elements of the New CMMC Version 1.0
The release of CMMC Version 1.0 is the culmination of three prior revisions and a significant amount of feedback from stakeholders in the public and private sectors. The most recent iteration of the maturity model outlines 17 capability domains derived from the Federal Information Processing Standards (FIPS) 200 security-related areas and the NIST Special Publication 800-171 control families. The model also adds Asset Management, Recovery and Situational Awareness domains.
Each domain consists of a set of capabilities and standardized sets of cumulative practices required to achieve each certification level. The final component of the model assesses process maturity, that is, how thoroughly practices are institutionalized within an organization. Process maturity requirements escalate from certification Level 2 through Level 5, mandating in turn that processes are documented, managed, reviewed and optimized.
It is anticipated that select RFIs will contain a CMMC requirement beginning in June 2020, and RFPs containing the requirement are expected in the fall of 2020. In order to be considered for contract award, contractors and their subs will need to obtain an independent assessment and receive certification that they meet the maturity level specified within RFPs at the time of award.
Steps to Prepare for CMMC
- Identify if your organization receives or generates DoD CUI or FCI.
- Determine the current CMMC maturity level based on the type of information obtained or generated as part of DoD contracts.
- Perform a gap analysis against the defined practices and processes within CMMC Version 1.0 for the desired certification level.
- Implement controls or third-party solutions to remediate gaps and document remediated practices.
- Communicate CMMC readiness goals to subs and suppliers to give them ample opportunity to prepare their organizations to meet your needs.
About IT Advisory
DHG IT Advisory works with companies on their practices to manage technology risk while maintaining data integrity, protecting privacy and complying with regulations. From project management and regulatory compliance assistance to digital forensics and incident response, DHG is equipped to meet your specific IT advisory needs. To learn more about DHG’s IT Advisory services, visit dhg.com/itadvisory.
About DHG Government Contracting
DHG Government Contracting provides assurance, tax and advisory services to government contractors working with civilian agencies, the Department of Defense and intelligence agencies. We help strengthen compliance with applicable FAR and CAS requirements and enable companies to meet the expectations of oversight agencies such as SBA, DCMA and DCAA. To learn more about DHG’s Government Contracting Practice, visit dhg.com/government-contracting.