The Cybersecurity Maturity Model Certification (CMMC) Initiative FAQ

Why is the CMMC needed?

The Department of Defense has reviewed the progress and audit results of DoD contractors' NIST SP 800-171 compliance. The results were disappointing, so much so that a different approach has been proposed that will substantially impact all Federal contractors. In summary, the DFARS 252.204-7012 contract clause allowed contractors to self-attest their own compliance with the NIST standard and to set their own future compliance deadlines (through a System Security Plan and Plans of Action and Milestones). The DoD has determined that these two self-directed measures have failed to sufficiently strengthen the cybersecurity posture and defenses of the Department of Defense supply chain, or its continuous monitoring and reporting of attacks. It was decided that a change is required: a change that is being discussed and rolled out rapidly over the next few years, currently under the direction of Ms. Katie Arrington. Ms. Arrington is the Special Assistant for Cyber to Kevin Fahey, the Assistant Secretary of Defense for Acquisition, in the Office of the Under Secretary of Defense for Acquisition and Sustainment. In the Pentagon hierarchy, Fahey is three levels below the acting Secretary of Defense and was appointed to the position by President Donald Trump.

Ms. Arrington has been presenting the overall goals and design of this new program since May 2019. The slide deck that Ms. Arrington has been presenting at various industry days and conferences this year is available for download here.

Summary of the CMMC:

  • The CMMC will provide a single unified standard, under the control of a neutral third party, that all DoD contractors will be required to meet in order to submit proposals for future new business.
  • All DoD contractors will be required to pass an assessment/audit to officially obtain their required CMMC Level. NO SELF-ASSESSMENTS ALLOWED.
  • The CMMC will have maturity levels, currently proposed as 1 - 5, with CMMC Level 1 being the easiest to obtain. It is expected that the Tier 1 "top Primes", such as Lockheed Martin, will have to be certified at Levels 4 & 5.
  • The CMMC program will define how companies will be REIMBURSED by the Federal Government for some of the costs incurred in meeting their required CMMC Level.
  • A cyber assessment tool is expected to be a major part of the CMMC program.
  • The CMMC roll-out schedule is aggressive. Arrington is moving quickly to complete the CMMC by January 2020, and contractors may start seeing the certification REQUIREMENT in contract RFIs by June 2020.

CMMC timeline

What is the Cybersecurity Maturity Model Certification (CMMC)?

The CMMC is a new standard and is expected to have five levels. This new standard will combine guidance currently in place from the National Institute of Standards and Technology with new input from the private sector and academia. The standard, known as the Cybersecurity Maturity Model Certification, will be researched and developed in partnership with the Johns Hopkins Applied Physics Lab and the Carnegie Mellon University Software Engineering Institute. Once in place, third-party private sector companies will audit contractors to ensure compliance. The program will also include an education and training center for cybersecurity. Once implemented, the level of cybersecurity required by the standard will be indicated on all contract solicitations.

The DoD has already completed the first step by establishing a cybersecurity controls framework. The DoD can and should approve organizations to perform assessments of Defense Industrial Base (DIB) networks. It is expected that, to expedite the roll-out, the DoD will rely on established accreditation programs such as HITRUST or the FedRAMP 3PAO program. FedRAMP has over 40 currently accredited assessors, and HITRUST has approved 80 organizations to conduct assessments in accordance with its risk management framework. Much as the DoD publishes a list of approved baseline cybersecurity certifications for the DoD cybersecurity workforce, the DoD could similarly vet and publish a list of organizations approved to conduct DoD DFARS assessments.

The DoD is not taking aim at just the roughly 20,000 prime contractors, but at the approximately 300,000 vendors that make up its entire supply chain. Essentially, the CMMC is a supply chain risk management approach for the DoD and its industrial base.

Highlights of the CMMC

  • A single standard used across all DoD contracts starting in 2020-2021
  • Considered a “go/no-go” requirement
  • Based on the NIST SP 800-171 controls, 32 CFR Part 2002 (the Controlled Unclassified Information rule), CMMI, and ISO 9001
  • Identifies five levels of data security so that contractors can implement reasonable security for the data they handle. Encourages government contracting officers to pick an appropriate level (not everything requires Level 5)
  • Provides an automated tool that gathers data to simplify reporting efforts
  • The required CMMC level will be stated in RFP sections L & M
  • Authorizes a non-profit organization to oversee the program and accredit private-sector auditors
  • Makes cybersecurity an “allowable cost” in DoD contracts

Why Reimbursing Cybersecurity Costs Matters

Contractors have dragged their feet toward meeting compliance, often because of cost. The Department of Defense appears to have heard this loud and clear. Unlike previous requirements, the CMMC program will also define reimbursable costs that the DoD will pay. Many industry pundits have argued that no real progress would be made without offsetting costs with Federal dollars and providing incentives to improve cybersecurity maturity levels. It appears the DoD has recognized this issue.

As reported in a Federal News Network article by Jason Miller, Ms. Arrington was quoted as saying:

“I need you all now to get out your pens and you better write this down and tell your teams: Hear it from Katie Arrington, who got permission to say it from Mr. [Kevin] Fahey [the assistant secretary of Defense for Acquisition in the Office of the Under Secretary of Acquisition and Sustainment]: ‘security is an allowable cost.’ Amen. Right?” Arrington said during an acquisition conference sponsored by the Professional Services Council in Arlington, Virginia.