In 2007, Chinese hackers successfully targeted a Department of Defense (DoD) subcontractor leading to the creation of a powerful fighter jet. During this cyberattack, the Chinese stole enough data to make their J-20 stealth fighter jet a real threat to the USA.
More than a decade later, attacks on defense contractors continue to be a critical liability to the DoD, which estimates about $600 billion in losses annually because of the exfiltration of data.
When the DoD decided to tighten up cybersecurity regulations to minimize these risks, many organizations took advantage of the fact that they could self-attest to being compliant without reparations. This oversight eventually led to the Pentagon introducing stricter requirements for all defense industrial base (DIB) contractors.
If you're planning on doing any type of work with the DoD from here on out, this is something you want to pay close attention to. The introduction of the Cybersecurity Maturity Model Certification (CMMC) is changing the game for contractors in the DIB, especially those dealing with Controlled Unclassified Information (CUI).
Today, we're going to cover everything you need to know about the CMMC, including who needs it, the classifications, and why it's important to get the right one.
Who needs CMMC certification?
There are over 300,000 businesses in the DIB sector. According to the Defense Acquisition Regulations System, it's estimated that 129,810 businesses will likely pursue CMMC certification in the first 5 years.
Alaska, which has played a large part in national defense over the past century with its role in World War 2 and the Cold War, holds a notable portion of defense contractors who will need to pursue CMMC certification. This could be you.
Alaska also receives $3.5 billion federally for defense spending, which is fifth in the country when broken down by percentage of state GDP, according to the Office of Economic Adjustment (for the 2019 fiscal year).
If you're a government contractor, either a prime or a sub, who does business with the DoD, then you need CMMC certification. The only exception is if you solely deal with purchases below the micropurchase threshold ($10,000 as of August 31, 2020). The next question is, which level do you need to achieve?
The 5 CMMC classification levels
The CMMC introduces 5 levels of compliance certification, each with differing levels of sophistication and complexity.
If you're a company that deals with Controlled Unclassified Information (CUI), then it'll be mandatory for you to achieve level 3.
Even if you don't deal with CUI, you'll still need to achieve CMMC Level 1 for basic cyber hygiene. At the February 2021 CMMC town hall meeting, it was said that over 60% of contracts will only require level 1.
Depending on the quality and quantity of CUI that you deal with, you may be required to achieve level 4 or 5, but according to Katie Arrington, the DoD Acquisition Office's Chief Information Security Officer (CISO), this would be rare and only apply to a very small percentage of businesses.
You can expect CMMC requirements in future federal agency RFIs and RFPs to state what level your company needs to be at. This means you won't be able to secure contracts to conduct business with the DoD unless you are officially certified by a third-party auditor. Contract awarders will be able to access proof of certification electronically.
CMMC level 3 certification and DFARS interim rule
Contractors and subcontractors who serve the DoD and handle CUI have already long been subject to a strenuous set of cybersecurity controls and practices (for techies interested: DFARS clause 252.204-7012, which made them agree to be compliant with the 110 controls of NIST SP 800-171). As previously stated, these companies had the option to self-attest that they were compliant. Basically, the government trusted them to be honest and to take this clause seriously since it was in their contract.
However, when audited by their federal contracting partners, some organizations were found to be in violation and were subject to penalties.
This means that if you're one of these companies that deals with CUI, you technically should already be able to easily transition to CMMC level 3, since it's basically NIST SP 800-171 plus a few more controls. However, if you don't feel fully confident that you've been compliant with all 110 controls, the DoD has been gracious. Last September, they announced the DFARS interim rule, which will help organizations smoothly transition to CMMC level 3.
A key point about the interim rule is that it lets you score below a perfect score as long as you have a plan of action and milestones (POAM), but with CMMC, a POAM won't be enough to make you compliant.
CMMC level 3 requirements FAQ
- What level of CMMC do I need?
It's key to understand if your contract contains CUI. Though every organization should clearly know if they're dealing with CUI, many don't.
If you only handle Federal Contract Information (FCI) and not Controlled Unclassified Information (CUI), then you won't be expected to reach level 3 compliance. Keep in mind that in some cases, CMMC level 3 can still be advantageous as a way to get ahead of the curve even if you don't plan to bid on RFIs that require level 3 anytime soon.
- Is there an easy way to know if I need to go beyond level 3?
Right now, no. But according to the DoD, it will be rare for companies to need to go beyond level 3.
- What if the prime is CMMC certified, but a subcontractor is not?
If you're a prime, you are ultimately responsible for making sure your subcontractors are certified at the correct level at the time you're awarded the contract unless otherwise stated. You'll have to pay attention to the flow of data to determine which subcontractors have to be level 1, level 2, or level 3 certified.
- How long will it take me to become fully compliant with level 3?
Many organizations are seeing between 12 and 18 months of continual effort to fully complete their compliance projects. Don't be fooled by organizations promising CMMC readiness in hours. It takes a lot of time to get ready. By leaving this for the last second, you risk losing out on future contracts as there's a good chance you'll be placed in a long queue to get audited by a third party.
Remember, it'll still be a requirement to be certified at the time you're awarded a contract.
- Will the new business and value I derive from providing service to the federal government cover my costs of compliance?
Building out a fully compliant cybersecurity program can be very costly to an organization.
Even more sophisticated medium-sized businesses may need to hire additional cybersecurity and compliance experts to champion the program.
It was initially stated that CMMC costs would be considered allowable costs and directly reimbursed, but that's no longer the case for the majority of levels 1-3. This is because contractors should have already been implementing the 110 controls of NIST 171, which make up most of levels 1-3. It could, however, still be considered a G&A or overhead cost, so consider carefully how you structure your federal contracts and proposals to make sure you cover all your costs appropriately.
- Am I expected to sustain this effort?
Achieving level 3 has a large element of security maturity in it, meaning it requires managed, continuous improvement even after you pass. Cybersecurity is not a static field; the threat landscape is continually changing. You'll find that cybersecurity standards continue to evolve and your technology systems will require upkeep to stay effective.
While it may be tempting, resist the urge to consider cybersecurity compliance a "one and done" problem. You need to operationalize these practices into your organization for the long term in order to be successful and safeguard the data of your federal clients.
The benefits of the Cybersecurity Maturity Model Certification
Though a large role of the CMMC is to protect defense, it's also a way for your business to be protected. Remember, it's more about security than compliance.
The CMMC ensures that a company follows basic cyber hygiene, which minimizes the possibility of a large percentage of cyberattacks. Even if CMMC wasn't mandatory, following the guidelines and investing in cybersecurity shows potential partners and DoD businesses that you are serious about respecting their sensitive data, especially in an age where so much information is exchanged through email.
The introduction of the CMMC also promotes greater accuracy, fairness and accountability for contractors in the procurement process. Honest contractors who made the financial effort to be compliant were losing out on contracts to competitors who quoted cheaper costs while also saying they were compliant but really weren't. Now your hard work to improve your organization's security posture to better handle sensitive information is verifiable, which can help you stand out from other companies.
Katie Arrington gives the analogy that the CMMC is your "cyber driver's license" to participate in the DoD supply chain. In the same way that a driver's license proves you're capable of handling a car, the CMMC is proof you're capable of dealing with sensitive data.
The CMMC is here to bring a baseline security framework to protect the federal government. It'll make you equipped and capable to securely deliver value to the DoD.
Everything else you need to know about the CMMC
- When will the CMMC be required?
The rollout of the CMMC will be phased through September 30, 2025. After this, all DoD RFIs and RFPs will require you to be at least CMMC level 1 certified to be eligible to win a contract. However, don't wait until the last second as more and more contracts will start having CMMC requirements.
- Why is NIST 800-171 still around if we have CMMC now?
Because CMMC will be a phased rollout over five years, NIST 800-171 is likely to stay until then.
- Will the CMMC make it harder for small businesses to work with the government?
The DoD kept this in mind and set out to make level 1 affordable. All but about one control require no cost (e.g., changing passwords frequently and enabling 2-factor authentication). The cost of the certification and the cost of implementing changes for levels 1-3 can also be considered a G&A or overhead cost and reflected in your rates.
It's estimated that a company should expect to pay between $3,000 – $5,000 for CMMC level one certification.
- How long will the certification last?
3 years when certified by a certified 3rd party assessor organization (C3PAO).
- Who can certify the CMMC?
Currently, you are not able to actually receive a CMMC certification, as the CMMC Accreditation Body (CMMC-AB) has not yet certified 3rd party assessor organizations. It is expected that formal and commercially available certifications will begin in the latter half of 2021, which will involve a full third party assessment of your information security controls.
In the meantime, the CMMC-AB has started the process of qualifying Registered Provider Organizations (RPO) who have background and expertise in helping organizations build their security programs toward a goal of CMMC compliance.
What to do now
Understanding the controls required for CMMC and how to implement them can be confusing.
Organizations that seek compliance need to understand this isn't like many tests where an 80% score is passing. There's no partial credit; it's either yes or no. Once CMMC is here for good, POAMs won't be enough to be considered compliant.
If you have more questions about how CMMC applies to your business, Ampersand is a full-scale technology service provider with locations in Anchorage and Fairbanks that's been helping clients with both NIST SP 800-171 and CMMC compliance solutions for years.
Contact us if you'd like to start working towards a formal certification or even just a baseline health check of your existing information security practices.