Per DFARS 252.204-7012, “Safeguarding Covered Defense Information and Incident Reporting”, Contractors were to implement NIST SP 800-171 by 12/31/2017. However, Contractors' self-certification has not gone as well as the Department of Defense (DoD) had hoped. DoD has even included it in the 2019 Contractor Purchasing System Reviews (CPSR), in which the Defense Contract Management Agency (DCMA) evaluates Contractors' monitoring of their subcontractors' self-certification. In the meantime, DoD has shifted gears and is developing the Cybersecurity Maturity Model Certification (CMMC) to help strengthen the DoD supply chain's cybersecurity at all levels of the supply chain, from the prime Contractor on down to the lowest subcontractor.
Where DoD Focus Lies
The DoD is not taking aim at just the 20,000 prime contractors, but at the approximately 300,000 vendors that make up its entire supply chain. The CMMC is being fast-tracked to implementation – from the finalization of the CMMC testing requirements in January 2020 to the requirement that Contractors be certified by a 3rd party between June and September 2020. The Government is planning to require specified certification levels in Requests for Proposals (RFP) issued in the fall of 2020 or early 2021.
What is the CMMC?
- DoD is working with Johns Hopkins University Applied Sciences Laboratory (APL) and Carnegie Mellon University Software Engineering Institute (SEI) to review and combine various cybersecurity standards—including NIST SP 800-171, NIST SP 800-53, ISO 27001, ISO 27032, AIA NAS9933—into a single unified standard for cybersecurity.
- Does not replace DFARS 252.204-7012 and NIST SP 800-171 – it adds more requirements.
- Self-assessments will NO LONGER be allowed.
- All DoD Contractors will be required to pass a 3rd party assessment/audit to officially obtain their CMMC Level.
- The CMMC maturity levels currently proposed are 1 - 5, with Level 1 being the easiest and lowest level to obtain.
- The CMMC schedule roll-out is aggressive and is moving quickly to complete the CMMC by January 2020, and contractors may start seeing the certification REQUIREMENT in contract RFIs by June 2020.
- Authorizes a non-profit organization to oversee the program and accredit private-sector (3rd party) auditors (planning to train approximately 250 certifiers per month in the initial roll-out).
- The goal is for CMMC to be cost-effective and affordable for small businesses to implement at the lower CMMC levels.
- Makes cybersecurity an “allowable cost” in DoD contracts.
- The required CMMC level (1-5) for a specific contract will be contained in the RFP sections L&M and be a “go/no-go decision”. (*Note: If Contractors do not have the required level they cannot submit a proposal – Government will not wait for Contractors to obtain the required level and Tier 1 subcontractors may be required to have the same level.)
Below is the current projected model for Level certification. Be aware, this model is still being revised and is subject to change upon final requirements of the CMMC.
CMMC will likely change the landscape of companies eligible to bid and perform on DoD contracts. Although this is still in the development phase, certifying companies will have to be trained, reviewed/audited, and granted authority before they can perform CMMC assessments/audits. Contractors need to start preparing (if they aren’t already) and ensure their critical suppliers are doing the same.
In addition, keep up with the CMMC process at the DoD CMMC website. The Government has not indicated they plan to “slow roll” or delay this; instead, they are pushing ahead and are expecting Contractors to “get on board” immediately. Redstone GCI consultants have the experience to assist contractors with preparation for CMMC certification. With a variety of training and consulting options available, reach out to us for resources to prepare your team for CMMC certification!