The United States Department of Defense (DoD) will soon require all organizations conducting business with the DoD (i.e., defense contractors) to achieve a Cybersecurity Maturity Model Certification (CMMC) involving verification from independent auditors, which is expected to have an impact across the Defense Industrial Base (DIB). What can contractors do now to prepare their organizations to meet these new requirements?
The DoD is developing the CMMC framework in collaboration with Carnegie Mellon University’s Software Engineering Institute and Johns Hopkins University’s Applied Physics Laboratory, and released CMMC Model Revision 0.4 (DRAFT) earlier this month for public comment. The DoD is targeting final release of the CMMC framework, Revision 1.0, by January 2020.
The CMMC framework is considered to be a major development in the cybersecurity regulatory landscape, and will have significant impacts on defense contractors of all sizes. Following release of this framework, all defense contractors will eventually be required to achieve a CMMC – involving an audit to be conducted by an independent and qualified third-party organization – in order to conduct business with the DoD.
Not only will the DoD require defense contractors to comply with these new requirements, but it will also require contractors to flow these requirements down across their supply chains, adding additional subcontract oversight and risk burdens to higher-tier contractors.
The DoD intends to use the CMMC framework as a mechanism for managing cybersecurity risk across the DIB – specifically with respect to protecting Controlled Unclassified Information (CUI) – through independent audits to verify defense contractors’ cybersecurity posture. Results of these audits will become discriminators within the DoD’s solicitation and award processes.
In addition, the DoD aims for the CMMC framework to expand and improve upon existing guidance for adequate cybersecurity controls, aligning cybersecurity safeguarding requirements with contractors’ risk exposure when handling CUI in performance of DoD contracts.
The CMMC framework does not replace current regulations and standards, such as DFARS 252.204-7012 “Safeguarding Covered Defense Information and Cyber Incident Reporting” and NIST SP 800-171 “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.” Rather, it will build upon existing guidance by introducing additional standards that transition away from the current self-reporting regime to a new regime involving an independent verification process relative to defined risk considerations based on the scope and requirements of the respective DoD contracts.
While development efforts are still very much in progress, based on information provided by the DoD as of this alert date (see the DoD CMMC website: https://acq.osd.mil/cmmc/), the CMMC framework will include but not be limited to the following key elements:
The CMMC framework is still under active development, and the DoD doesn’t expect to provide the full details of the complete framework to the public until January 2020 at its earliest. Defense contractors should, however, begin preparations towards achieving a CMMC now, or as soon as possible.
Given that the DoD is building the CMMC framework mostly upon existing guidance and standards, we recommend that – at minimum – defense contractors begin conducting self-assessments of their cybersecurity capabilities against the NIST SP 800-171 security requirements. Consider engaging third-party organizations that specialize in facilitating such assessments.
In addition, defense contractors should assess their supply chain management (SCM) capabilities to identify where they need to strengthen processes and controls around flowing down, monitoring, and managing cybersecurity safeguarding requirements relative to DFARS 252.204-7012, NIST SP 800-171, and DCMA’s Contractor Procurement System Review (CPSR) Guidebook.
By conducting such assessments, defense contractors can proactively identify any deficiencies and begin corrective actions to position themselves for CMMC. Early action in this regard will reduce the risk of being precluded from DoD business opportunities while preparing to become certified. Depending upon the CMMC maturity level required, implementation of cybersecurity controls may be time-consuming, requiring a commitment of resources in terms of both people and funding. This heightens the urgency of acting now rather than waiting for release of the CMMC framework.
For more information on this topic, or to learn how Baker Tilly specialists can help, contact our team.
Source – Office of the Under Secretary of Defense for Acquisition & Sustainment Cybersecurity Maturity Model Certification (CMMC) Website: https://acq.osd.mil/cmmc/