Called the Cybersecurity Maturity Model Certification (CMMC version 1.02), the new supplier cybersecurity compliance program is in effect and takes cyber hygiene and confidential information protections to new levels. Beginning in 2020, selected DoD Requests for Information (RFIs) will refer to CMMC requirements. Additionally, selected Requests for Proposals (RFPs) will begin to include CMMC requirements. Suppliers will need to competitively position and convey they can meet the CMMC requirements by the time of the contract award. The current CMMC implementation timeline calls for contractors to be certified by late 2020 to bid on contracts.
Keys to CMMC vs. NIST 800-171
There are several important differences between CMMC version 1.02 and the previous National Institute of Standards and Technology (NIST) 800-171 security control regulation that has been in use. Key changes contractors must now grapple with include:
- CMMC requires that suppliers be certified by assessors; previously DoD contractors self-certified regulatory compliance;
- Plans of Action and Milestones (POA&Ms), which let contractors continue as suppliers without full NIST 800-171 compliance, are no longer allowed; suppliers must address and remediate weaknesses to convey full CMMC compliance and certification;
- CMMC’s risk-based framework provides a more focused approach to DoD cyber defense requirements based on the amount of Controlled Unclassified Information (CUI) being handled or processed.
Shifts from NIST 800-171 Audit to CMMC
CMMC retains an emphasis on access control, configuration management, asset management, media protection, physical security, etc. Yet, given the department’s growing concern about the nature and speed of cyber threats, CMMC adds practices focused on situational awareness, cyber threat alerts, and cyber threat intelligence. CMMC also increases the number of domains from NIST 800-171’s 14 to a total of 17 through the addition of Data Recovery, Asset Management, and Situational Awareness domains.
CMMC Audit and Certification Levels
Additionally, with CMMC’s risk-based, maturity model approach, suppliers should understand all five levels, which increase in complexity and maturity as the levels increase. Contractors should carefully pursue the CMMC level appropriate to their business. At minimum, all defense contractors must achieve Level One certification. Contractors failing to meet any item required for a given level certification will be accredited at a lower level.
CMMC was also developed to serve a larger spectrum of contractors. For smaller defense suppliers, CMMC scales down NIST 800-171 requirements. CMMC Levels 1 and 2 are designed for smaller suppliers, which represent the bulk of the DoD supply chain. CMMC requirements for the highest Level 5 organizations include 171 different controls or practices, while Level 1 suppliers need only comply with 17 controls.
Larger suppliers, or those that handle greater levels of confidential information, will most likely be required to achieve compliance with CMMC Level 3 or higher. Level 3 suppliers basically need to achieve certification against the NIST 800-171 level of practices. For Levels 4 and 5, additional domains, practices, and processes must be met, including controls from other frameworks outside of NIST 800-171.
The subcontractor community will most certainly be required to obtain CMMC certification at some level to participate in contracts.
Time to Level Up—To CMMC
To achieve CMMC compliance in a timely fashion, contractors need to determine where they stand regarding NIST 800-171 controls, then focus resources on achieving the necessary CMMC certification for their prospective DoD business. An effective, efficient path to CMMC compliance entails access to security control expertise and easy-to-use compliance tools to organize and track progress. DoD contractors without in-house NIST-compliance talent, or assessors/experts versed in CMMC Levels and compliance efforts, can turn to a growing community of experienced, objective resources.
With experts on board and focused on the goal, those seeking future DoD contracts can gain time, and save money—accelerating the plan to know what CMMC level is best, to successfully get there, and gain business.