The Cybersecurity Maturity Model Certification, or CMMC, has been a topic of conversation for a few years within the Defense Industrial Base (DIB). CMMC is a unified standard for implementing cybersecurity across the DIB, which includes over 300,000 companies in the supply chain. The CMMC is the DoD’s response to significant compromises of sensitive defense information located on contractors’ information systems. The US Department of Defense (DoD) released the much-anticipated Cybersecurity Maturity Model Certification (CMMC) version 1.0 on January 31, 2020. Since then, CMMC has undergone much scrutiny and discussion. Here is a timeline of CMMC:
September 2020: The CMMC program was published by the DoD (now known as CMMC 1.0). This framework assesses a Defense Industrial Base (DIB) contractor’s compliance with a set of cybersecurity standards.
November 2020: A Presidential interim rule became effective, establishing a five-year phase-in period and requiring compliance with NIST 800-171 rules.
March 2021: The DoD announced an internal review of CMMC’s implementation.
November 2021: The DoD announced CMMC 2.0, an updated program and set of requirements designed to meet certain goals, including:
- Protecting sensitive information to enable and protect the warfighter.
- Dynamically enhancing DIB cybersecurity to meet evolving threats.
- Ensuring accountability while minimizing barriers to compliance with DoD requirements.
- Contributing to a collaborative culture of cybersecurity and cyber resilience.
- Maintaining public trust through high professional and ethical standards.
Currently, CMMC is not enforced and is in the rulemaking process, with the most ambitious timeline anticipating rules to be announced in late 2023 or 2024 and expected to go into effect in 2025. The final CMMC rule (3.0, or another updated name to be determined) is expected to be based on CMMC 1.0 and 2.0.
SOME COMPANIES ARE MAKING THE MISTAKE OF ASSUMING THIS MEANS THERE IS AMPLE TIME TO BECOME COMPLIANT WITH CMMC!! That is incorrect. CMMC rules are based on National Institute of Standards and Technology (NIST) Special Publication 800-171. That standard is already in place and enforceable.
In response to incidents such as the Colonial Pipeline and SolarWinds attacks, on May 12, 2021, President Biden signed Executive Order 14028 on Improving the Nation’s Cybersecurity. This includes a Notice of NIST 800-171 DoD Assessment Requirements. Contractors must register by CAGE code in the Supplier Performance Risk System (SPRS) and upload a self-assessment based on their implementation of the 800-171 controls (the score is not “graded”, but the DFARS rule does articulate the risk of False Claims Act (FCA) litigation if the assessment is not done in earnest).
So, any company doing business with the Department of Defense (DoD) should already be compliant with NIST 800-171. Since 01 Dec 2020, DoD contracting officers have been required to verify that the summary level score of a current NIST SP 800-171 Assessment for each covered contractor information system that is relevant to an offer, contract, task order or delivery order is posted in SPRS prior to:
- Awarding a contract, task order, or delivery order to an offeror or contractor that is required to implement NIST SP 800-171 in accordance with the clause at DFARS 252.204-7012
or
- Exercising an option period or extending the period of performance on a contract, task order, or delivery order with a contractor that is required to implement the NIST SP 800-171 in accordance with the clause at DFARS 252.204-7012.
The good news is that getting compliant with NIST 800-171 and the Executive Order positions your company well for the final rule on CMMC.
What this Means for DoD Contractors
- For DIB companies handling CUI, the underlying requirements have not changed.
- Reading between the lines of NIST 800-171, there is not much difference from CMMC Level 3 except the elimination of the additional 20 controls.
- Further details will be showcased from interim rules.
- The rulemaking process will take 9-24 months before new rules are announced.
- Rules go into effect 60 days after they are announced.
- POAMs are allowed; however, only on select requirements.
- Don’t expect to get a pass on requirements; POAMs won’t be allowed on high-weighted requirements.
- A timeline for closing POAMs will be set (6 months).
- DoD will establish a minimum score with POAMs for certification.
- At the end of the day…
  - Don’t assume that this reduces your compliance burden.
  - For those that will be able to self-attest – cost is reduced.
  - For those that will require 3rd party assessment – nothing is changed except for some of the CMMC-independent controls being eliminated.
Braxton-Grant’s 3-Step Cyber Assessment
Braxton-Grant is a cybersecurity consulting organization with NIST SP 800-171 Subject Matter Experts ready to assist with pre-assessments for organizations with DoD contracts.
We have developed a low-cost solution to help companies get compliant quickly and stay compliant without disrupting their budget.