As manufacturing returns to the U.S., new supply chain relationships are established. Continued economic change after COVID also means growth for manufacturers, families, and communities. Adjusting to these changing circumstances will require developing new plans, taking further actions, and modifying behaviors. The organizations that flex to adapt more quickly will capture more market share and enhance their reputations.
Manufacturers that examined their strengths and weaknesses also identified new opportunities and threats. Many businesses see these opportunities to diversify their portfolio of customers as they also seek increased stability. If you have recently entertained the idea of government contracts as a source of diversification and strength, then you have likely heard about the newest requirements, called the Cybersecurity Maturity Model Certification, or CMMC for short. CMMC is a set of requirements to reduce risk against specific cyber threats that all future Department of Defense (DoD) contractors and subcontractors will need to hold in order to compete for and obtain future DoD contracts.
What is CMMC?
Ongoing challenges in protecting unclassified, sensitive contract information on contractor and subcontractor networks and systems were the catalyst for CMMC. In response to these cyber threats, Ellen Lord, Under Secretary of Defense for Acquisition & Sustainment, announced the release of the Cybersecurity Maturity Model Certification (version 1.0), commonly known as CMMC, a unified cybersecurity standard for DoD acquisitions.
Ellen Lord emphasized, “Cybersecurity risks threaten the Defense industry and the national security of both the U.S. government and our allies and partners. CMMC is a critical element of DOD’s overall cybersecurity implementation.”
CMMC is a future requirement for all contractors and subcontractors that work or intend to work alongside the DoD. Starting with specific DoD government contracts in September 2020, CMMC aims to become a verification mechanism for protecting Controlled Unclassified Information (CUI) and establishing cybersecurity controls across the Defense Industrial Base (DIB).
Along with adhering to the requirements defined by the Defense Federal Acquisition Regulation Supplement (DFARS 252.204-7012), CMMC will also incorporate standards found in FAR, NIST SP 800-171, NIST SP 800-53, CIS Controls, and other sources. CMMC will have five certification levels, each with its own requirements and standards that any business or manufacturer will need to implement and verify to compete for government contracts. We will discuss the five CMMC certification levels and how the certificate will work later in this article. Now that we have explained CMMC, let’s discuss DFARS.
What is DFARS?
The Defense Federal Acquisition Regulation Supplement Clause, also known as DFARS, is a set of requirements that businesses must implement and follow to protect any controlled unclassified information used, stored, or provided by the DoD. The conditions found within DFARS clause 252.204-7012 outline the criteria defined in the National Institute of Standards and Technology (NIST) SP 800-171 documentation. For subcontractors that interoperate with the DoD, their systems and networks must all meet the standards defined by DFARS to further protect CUI that is stored, transmitted, or received from the DoD.
The DoD does not intend to modify existing contracts to include the CMMC requirements. Projections are that CMMC will be fully implemented in about five to six years, as current contracts end and are replaced by newly awarded contracts containing CMMC requirements.
Who needs to follow CMMC?
Currently, CMMC focuses on businesses that wish to fulfill contracts as contractors or subcontractors that conduct business with the United States DoD. Cybersecurity will no longer be viewed as an element of contract performance. Once fully implemented and third-party certified, mature cybersecurity practices and processes will be foundational in contracting with the DoD. Now that we understand who needs to become CMMC compliant, let’s review the different CMMC certification levels available.
CMMC Model Framework Levels 1 through 5: How Are They Organized?
When a business is preparing to adopt CMMC, leadership will consider the certification level required for the contracts desired. DoD intends to implement CMMC in a “crawl, walk, run” sequence. They plan to issue a new DFARS clause this fall and include the CMMC requirements in approximately 10 RFPs. The goal for CMMC is to become a cost-effective guideline for smaller businesses that wish to engage in contracting and subcontracting opportunities with the DoD. There are five levels of CMMC certification, ranging from Level 1 to Level 5. A business, manufacturer, or subcontractor certified at a given level may compete only for contracts that require that CMMC certification level or a lower one.
Level 1 certification focuses on “basic cyber hygiene” and outlines the requirements specified in Federal Acquisition Regulation 48 CFR 52.204-21 Basic safeguarding of Covered Contractor Information Systems. Level 1 is the lowest available level required to be considered CMMC compliant but does not guarantee contracts above level 1.
Level 2 certification focuses on “intermediate cyber hygiene,” where the business has a greater understanding and ability to protect and maintain the security of their assets. CMMC Level 2 certifications also introduce the expectation that all policies, standard operating procedures, and strategic plans are established and documented.
For Level 3 certification, the business or manufacturer will have to demonstrate good cyber hygiene and implement adequate controls following the National Institute of Standards and Technology SP 800-171 Revision 1. Along with meeting the technical practices mentioned, the business is expected to ensure that adherence to policies is reviewed and that its activities are adequately resourced. At this level, companies and manufacturers that reach CMMC Level 3 are to be trusted with Controlled Unclassified Information, or CUI. Any organization that works with CUI is subject to DFARS clause 252.204-7012 and must meet additional requirements, including incident reporting.
CMMC Level 4 demonstrates a proactive cybersecurity program, meaning that the company can change its protection and sustainment activities to address the ever-changing tactics, techniques, and procedures of advanced persistent threats. Companies at a Level 4 maturity review the effectiveness of their activities and inform upper management of any issues.
Finally, CMMC Level 5 certified businesses and manufacturers show advanced or progressive cybersecurity programs that can optimize their cybersecurity capabilities to effectively mitigate and prevent attacks from advanced persistent threats. Level 5 CMMC businesses have standardized process implementation throughout the organization.
Leadership teams should keep one rule in mind as they consider higher-level certification: each business must meet the standards and expectations of the desired level, including the requirements from all lower levels of the CMMC practice progression. For example, if a company meets the expectations for CMMC Level 4 but does not meet one of the requirements for Level 3, the current CMMC level for that business is Level 2. CMMC certification should be treated as a cumulative, progressive certification that requires both the technical practices and the process maturity requirements to be met for each level.
What are the capabilities expected with CMMC attainment?
The controls and processes build across the five maturity levels that range from basic cyber hygiene to advanced. For each CMMC level, specific controls and processes are expected. A brief outline of the five levels is listed below.
- Level 1: Performed Basic Cyber Hygiene
  - Basic safeguarding of FCI
  - 17 practices
  - Equivalent to all practices in Federal Acquisition Regulation (FAR) 48 CFR 52.204-21
- Level 2: Documented Intermediate Cyber Hygiene
  - Transition step to protect CUI
  - 72 practices
  - Comply with FAR
  - Includes a select subset of 48 practices from NIST SP 800-171 R1
  - Includes an additional 7 practices to support intermediate cyber hygiene
- Level 3: Managed Good Cyber Hygiene
  - Increasing protection of CUI
  - Comply with FAR
  - Encompasses all practices from NIST SP 800-171 R1
  - Includes an additional 20 practices to support good cyber hygiene
- Level 4: Reviewed Proactive Cybersecurity
  - Increasing protection of CUI
  - Reducing risk of Advanced Persistent Threats (APTs)
  - Comply with FAR
  - Encompasses all practices from NIST SP 800-171 R1
  - Includes a select subset of 11 practices from Draft NIST SP 800-171B
  - Includes an additional 15 practices to demonstrate a proactive cybersecurity program
- Level 5: Optimizing Advanced Cybersecurity
  - Reducing risk of Advanced Persistent Threats (APTs)
  - Comply with FAR
  - Encompasses all practices from NIST SP 800-171 R1
  - Includes a select subset of 4 practices from Draft NIST SP 800-171B
  - Includes an additional 11 practices to demonstrate an advanced cybersecurity program
DFARS Compliance
When a business seeks a new contract with the Department of Defense, it must effectively implement the cybersecurity requirements addressed in DFARS clause 252.204-7012 and NIST Special Publication 800-171. After the business implements the outlined requirements, the Defense Contract Management Agency (DCMA) will validate the company’s cybersecurity compliance. Additionally, the DCMA will leverage its review of a potential contractor’s purchasing system against the standard of DFARS 252.244-7011 to:
- Review Contractor procedures to ensure contractual DoD requirements for marking and distribution statements on DoD CUI flow down appropriately to their Tier 1 Level Suppliers.
- Review Contractor procedures to assess compliance of their Tier 1 Level Suppliers with DFARS Clause 252.204-7012 and NIST SP 800-171.
Do I have to be DFARS compliant if I am progressing with CMMC?
While CMMC progression incorporates the DFARS clause requirements and NIST SP 800-171 Revision 1, manufacturers must still be DFARS compliant in their own right. They should implement the necessary sections of NIST SP 800-171 Revision 1.
Currently, any manufacturer that holds a contract must remain DFARS compliant. A business found not to be DFARS compliant may have its contract suspended or terminated, or may even be suspended or debarred from accepting or competing for future United States government contracts.
These events can ultimately affect the business’s potential for future lines of work and damage the business’s reputation. If your business follows CMMC guidelines and plans to reach Level 3, you will have completed most, if not all, of the NIST SP 800-171 Revision 1 and DFARS requirements.
Is CMMC reporting similar to DFARS?
DFARS allows each business to self-attest to its contract requirements after it has already won the contract. CMMC requirements are progressive and not designed to be all or nothing. DoD Requests for Proposals (RFPs) will reflect the level needed by DoD for each contract. Cybersecurity will now be an allowable cost on the new DoD contracts.
CMMC makes you prove it before you can win the contract. Getting security right for the defense industrial base is critical for all parties involved. CMMC will not replace DFARS requirements; it simply provides a unified standard and maturity model for enforcing DFARS. Once CMMC is recognized and enforced, manufacturers that wish to be CMMC certified must be assessed by a certified CMMC auditor. At the time of writing this article, the requirements for becoming a licensed auditor, also known as a C3PAO, have not been published. However, only licensed C3PAOs are authorized to perform the final audit that determines the CMMC rating a business or manufacturer will receive.
5 steps to prepare for CMMC
While the full requirements for how to become CMMC certified have not become official yet, manufacturers can better prepare themselves by following these 5 steps:
- First, manufacturers and businesses interested in becoming CMMC certified should review the CMMC framework and implement a compliance program. Reviewing the CMMC framework can help your business’s leadership team understand the changes required. When the framework is understood, include any identified changes in a compliance program. These changes become the responsibility of the business’s Data Protection Officer, who will be responsible for reviewing and coordinating the progress of the certification activities.
- After understanding what is needed to become CMMC certified, the business should identify what maturity level is desired and the controls required for that level. During this time, business leaders should keep in mind that CMMC certification is done on a level system, and to be qualified for a level, you must fulfill all of the requirements for that level and every lower level. Even if a business meets the requirements for CMMC maturity Level 3, if it does not meet all of the maturity Level 2 requirements, it will be given a Level 1 maturity rating.
- The third step that manufacturers will take when preparing their business for CMMC compliance is to perform internal audits. If a manufacturer has the resources, such as an internal IT team, it should conduct an internal audit based on the requirements defined by NIST SP 800-171 Revision 1 for maturity Levels 1 through 3.
- The next step that manufacturers should take to prepare for CMMC certification is to perform a CMMC Readiness Assessment. Having a readiness assessment completed will help you identify the current level that your business would meet and determine the appropriate controls and gaps that your company currently has that prevent your business from reaching the desired level. After the assessment, the leadership team should use the results to create a CMMC roadmap for achieving the desired maturity level.
- Once the leadership team has completed and validated all the previously missed requirements, the fifth and final step you should take for becoming CMMC certified is to have an independent firm perform an audit. These audits help finalize the expected maturity level that your business will receive and identify gaps preventing you from reaching the desired maturity level. Currently, no accredited third-party assessors can perform the certifying assessment. We anticipate the completion of C3PAOs training in the coming months.
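The cumulative rule described earlier (meeting Level 4 practices while missing one Level 3 practice yields Level 2; meeting Level 3 while missing a Level 2 practice yields Level 1) and the readiness-assessment step above both reduce to the same computation: find the highest level whose lower levels are all fully met, and list the unmet practices that block the target. The following Python is an added example, not code from Certitude Security or from the CMMC program; the practice identifiers and the pass/fail results are constructed placeholders, not CMMC's own practice numbering.

```python
from dataclasses import dataclass

@dataclass
class LevelAssessment:
    """Assessment evidence for one CMMC level: practice id -> met (True/False).
    Practice ids are constructed placeholders, not CMMC's own identifiers."""
    level: int
    practices: dict

def unmet_practices(assessments):
    """Map each assessed level to the (sorted) practice ids not met at that level."""
    return {a.level: sorted(p for p, ok in a.practices.items() if not ok)
            for a in assessments}

def attained_level(assessments, max_level=5):
    """Cumulative rule: the attained level is the highest L such that every
    level 1..L is fully met. A level with no evidence counts as not met."""
    gaps = unmet_practices(assessments)
    attained = 0
    for level in range(1, max_level + 1):
        if level not in gaps or gaps[level]:
            break          # first incomplete level stops the progression
        attained = level
    return attained

def eligible_for(assessments, required_level):
    """A business may compete for contracts requiring its attained level or lower."""
    return attained_level(assessments) >= required_level

def remediation_roadmap(assessments, target_level):
    """Unmet practices, by level, that stand between the business and target_level.
    Levels with no assessment evidence are flagged so they are not overlooked."""
    gaps = unmet_practices(assessments)
    roadmap = {}
    for level in range(1, target_level + 1):
        if level not in gaps:
            roadmap[level] = ["no assessment evidence"]
        elif gaps[level]:
            roadmap[level] = gaps[level]
    return roadmap

# Constructed scenario A: all Level 4 practices met, one Level 3 practice missed.
SCENARIO_A = [
    LevelAssessment(1, {"L1-P01": True, "L1-P02": True}),
    LevelAssessment(2, {"L2-P01": True, "L2-P02": True}),
    LevelAssessment(3, {"L3-P01": True, "L3-P02": False}),
    LevelAssessment(4, {"L4-P01": True}),
]

# Constructed scenario B: all Level 3 practices met, one Level 2 practice missed.
SCENARIO_B = [
    LevelAssessment(1, {"L1-P01": True}),
    LevelAssessment(2, {"L2-P01": False, "L2-P02": True}),
    LevelAssessment(3, {"L3-P01": True}),
]

if __name__ == "__main__":
    for name, scenario in (("A", SCENARIO_A), ("B", SCENARIO_B)):
        print(f"scenario {name}: attained Level {attained_level(scenario)}, "
              f"roadmap to Level 5 = {remediation_roadmap(scenario, 5)}")
```

Scenario A comes out at Level 2 and scenario B at Level 1, matching the two worked cases in the article; the roadmap output is what a leadership team would carry into the CMMC roadmap step, since it names exactly which lower-level practices must be closed before a higher assessment can count.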
As a proud supporter of American companies, Certitude Security® is working diligently to inform leaders and facilitate essential asset protection priorities for manufacturers and supply chains throughout the United States.
Problem discussions can be a defining moment in your career. If you are interested in value creation, learn about SPOT-Beam™ by Certitude Security®. We look forward to helping you and your business succeed!