In order to better manage the Defense Industrial Base's compliance with cybersecurity obligations under the Defense Federal Acquisition Regulation Supplement ("DFARS"), the Department of Defense ("DoD") is instituting a new program that requires defense contractors and subcontractors to obtain a certification of compliance with cybersecurity requirements to be eligible for bidding on and receiving government contracts.

The new certification program is called the Cybersecurity Maturity Model Certification ("CMMC"), which will encompass multiple cybersecurity maturity levels. DoD's intent is to incorporate CMMC into DFARS and use it as a requirement for contract awards. Importantly, CMMC does not replace older defense contractor cybersecurity requirements from DFARS 252.204-7012, "Safeguarding Covered Defense Information and Cyber Incident Reporting," and National Institute of Standards and Technology Special Publication 800-171 ("NIST SP 800-171") but creates a framework for certification rather than the self-reporting model currently used.

On October 21, 2016, DoD published a final rule requiring government contractors to implement cybersecurity controls compliant with NIST SP 800-171. Since that time, the defense industry has scrambled to implement the cybersecurity measures required under the rule, which became effective as of December 31, 2017.

Even with a hard deadline for compliance, many contractors and subcontractors did not become fully compliant and instead maintained a plan of action, which merely demonstrates the actions they need to accomplish to become compliant with the NIST SP 800-171 implementation requirements. To remedy this and comprehensively audit and confirm compliance with government cybersecurity requirements, DoD established a cybersecurity certification program, which led to creation of the CMMC framework.

DoD released CMMC Model 1 on January 30, 2020 along with an explanatory briefing.1 The CMMC contains five maturity levels and contemplates that different contracts will eventually require compliance with different maturity levels (the actual level a company must meet will depend on the terms of their contract).

CMMC encompasses 43 "capabilities" across 17 different "capability domains," and the CMMC framework organizes 171 cybersecurity best practices into these capability domains, which include Access Control, Incident Response, Awareness & Training, Recovery, and 13 others.

The CMMC framework also encompasses five processes of increasing maturity; each level requires a different number of best practice procedures to be enacted. "Process maturity" characterizes the extent to which an activity is embedded in an organization's operations.

The five processes are as follows:

  1. Each cybersecurity practice is documented.

  2. A policy exists that covers all activities.

  3. A plan exists that includes all activities.

  4. Activities are reviewed and measured for effectiveness.

  5. There is a standardized, documented approach across all applicable organizational units.

For example, CMMC Level 1 represents "Basic Cybersecurity Hygiene" and requires compliance with 17 enumerated practices. There are no maturity processes assessed at Level 1 (where an organization performs basic practices but has not developed requirements for the institutionalization of the five processes). Meeting Level 1 requirements is a prerequisite to obtaining any type of CMMC certification. The table below provides an overview of the various levels and requirements:

Level

Level Description

Process Maturity Description

Required Processes

No. of Practices (Total)

1

Basic Cyber Hygiene

"Performed"

0

17

2

Intermediate Cyber Hygiene

"Documented"

1 & 2

72

3

Good Cyber Hygiene

"Managed"

1-3

130

4

Proactive

"Reviewed"

1-4

156

5

Advanced/Progressive

"Optimizing"

1-5

171

CMMC Level 3 ("Good Cyber Hygiene") encompasses compliance with all practices from NIST SP 800-171 Rev. 1 as well as an additional 20 practices to promote good cyber hygiene. Level 3 companies must also demonstrate the documentation of all 130 practices required at this level, as well as the existence of both a plan and policy that covers all practices. The CMMC framework describes this implementation of the first three processes as "Managed" Process Maturity. Similarly, Level 5 Maturity represents "Advanced/Progressive" cybersecurity and requires compliance with 171 practices and implementation of all maturity processes.

DoD's implementation of the CMMC program requires training and accreditation of third-party auditors, called CMMC Third Party Assessment Organizations ("C3PAOs"). The independent, non-profit CMMC Accreditation Body, Inc. ("CMMC-AB") will train and accredit C3PAOs and individual assessors, and has established a website with application and accreditation information.

DoD and the CMMC-AB executed a Memorandum of Understanding on March 23, 2020, providing additional details about CMMC implementation and each party's responsibilities.2 DoD has separately stated that the costs of a CMMC assessment will vary depending on the maturity level being assessed, the complexity of the contractor's network, and other market forces and factors. A CMMC certificate will generally be valid for three years.

DoD plans to implement the CMMC program on a rolling basis through 2025, but the COVID-19 pandemic has already impacted DoD's timelines. DoD previously stated that it planned to roll-out the first round of Requests for Proposals ("RFPs") with CMMC requirements by the end of September 2020. However, Katie Arrington, Chief Information Security Officer in the Office of the Under Secretary of Defense for Acquisition and Sustainment, stated in a May webinar that the first RFPs with CMMC language are now expected in November 2020.

The new CMMC framework does not constitute a drastic shift in DoD's expectations of defense contractors, but it creates a mechanism to certify compliance with cybersecurity obligations. The full implementation of the CMMC model will take several years, and the process of training and certifying CMMC auditors is just beginning. But contractors and defense contractors in the Defense Industrial Base should prepare now to meet the upcoming certification requirements. If you have any questions about the CMMC model or any other matters discussed in the article, please do not hesitate to contact a Torres Law attorney.

Footnotes

1 Cybersecurity Maturity Model Certification (CMMC): Version 1.0, Office of the Under Secretary of Defense, Acquisition and Sustainment (January 30, 2020), available athttps://www.acq.osd.mil/cmmc/docs/CMMC_Model_Main_20200203.pdf.

2 Memorandum of Understanding between the Department of Defense, Office of the Under Secretary of Defense for Acquisition and Sustainment and Cybersecurity Maturity Model Certification Accreditation Body, Inc. (Mar. 23, 2020), available athttps://assets.documentcloud.org/documents/6935675/CMO001673-20-CMMC-AB-MOU-Fully-Executed-20200323.pdf.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.