Cybersecurity Maturity Model Certification (CMMC)
Attention all CMMC clients:
The Cybersecurity Maturity Model Certification (CMMC) requirements are introduced into the federal regulatory framework by the addition of DFARS clause 252.204-7021. This clause supports the Department of Defense’s (DoD) phased rollout of CMMC, under which all contracts, task orders, solicitations, etc. will include CMMC requirements by October 1, 2025. Until that phased rollout is complete, inclusion of a CMMC requirement in a solicitation must be approved by the Office of the Under Secretary of Defense for Acquisition and Sustainment.
Clause 252.204-7019 requires contractors to keep their assessments current and report them properly, and directs contracting officers to award or withhold award based on the properly reported assessment results. Clause 252.204-7020 sets out the requirements of the NIST SP 800-171 DoD Assessment and will appear in all DoD solicitations, contracts, task orders, and delivery orders. Finally, clause 252.204-7021 carries the CMMC requirement itself and supports the phased rollout described above.
Contact PJR to learn more about CMMC.
NIST SP 800-171 DoD Self Assessments
In an interim rule published in the Federal Register, the DoD added two new clauses to the Defense Federal Acquisition Regulation Supplement (DFARS, the DoD contracting rules):
- 252.204-7019: Notice of NIST SP 800-171 DoD Assessment Requirements
- 252.204-7020: NIST SP 800-171 DoD Assessment Requirements
These clauses, which went into effect 30 November 2020, supplement DFARS 252.204-7012 and can be included in contracts between the DoD and its supply chain vendors.
The DFARS Interim Rule makes having a self-assessment score on record in SPRS a requirement to win a new (or re-competed) contract after November 30th.
Together, these clauses require members of the DoD supply chain that process, or may process, Controlled Unclassified Information (CUI) to do two things to be considered for contract award (or to be part of the subcontractor team executing the contract):
- Perform a “Basic” cybersecurity self-assessment according to the NIST SP 800-171 DoD Assessment Methodology
- Submit the following information through the Supplier Performance Risk System (SPRS) or via email to email@example.com:
- System security plan name
- CAGE codes supported by this plan
- Brief description of the plan architecture
- Date of assessment
- Total score
- Date by which a score of 110 will be achieved
After 30 November you may see these clauses in Requests for Proposals (RFPs) or contracts, or your prime contractor may ask your organization to complete these tasks even sooner.
It is important to note that these requirements apply only to RFPs/contracts that contain the clauses and that also include clause 252.204-7012 or some other indication that CUI is or will be processed under the contract. So, if you handle only Federal Contract Information (FCI) and/or are targeting only CMMC Level 1, you will not need to perform the Basic self-assessment or report a score.
Hopefully you are well on your way to submitting these assessments, as November 30th, 2020 is the date by which the requirement took effect.
This popular article from cmmcaudit.org gives step-by-step advice for submitting your assessment: www.cmmcaudit.org/how-to-submit-a-nist-sp-800-171-self-assessment-to-sprs
What is it?
THE PROGRAM – OVERVIEW – The Cybersecurity Maturity Model Certification (CMMC) is the latest verification method put in place by the Department of Defense (DoD). This certification is the Department’s first attempt to set clear cybersecurity requirements for contractors. The ultimate goal of the CMMC is to implement an appropriate level of cybersecurity across the supply chain of the defense industrial base (DIB). The DIB supply chain includes more than 300,000 companies, all of which are responsible for protecting Controlled Unclassified Information (CUI) under the CMMC.
The US DoD recognizes that information security is a foundational requirement for the Defense Industrial Base (DIB) supply chain. As such, the US DoD is committed to developing and requiring a consolidated cybersecurity standard that identifies required security practices and controls, enforced through the DoD acquisition process beginning in late 2020.
CMMC defines 5 levels of cybersecurity maturity, which all US DoD contracts will invoke on the DIB supply chain. It is estimated that over 300,000 DIB contractors will be affected throughout the 3 to 5 year roll-out, with most requiring Level 1 through Level 3 certification.
Get Ready for Your Certification
The Cybersecurity Maturity Model Certification (CMMC), introduced by the Department of Defense (DoD) in 2019, requires suppliers and contractors to pass a third-party audit of their cybersecurity readiness or risk losing their ability to compete for and deliver on DoD contracts starting in late 2020. Dun & Bradstreet has partnered with QOMPLX to create a Pre-Assessment tool that walks you through the steps needed to prepare your firm for a CMMC audit.
What is CMMC?
CMMC is the U.S. Department of Defense’s new Cybersecurity Maturity Model Certification. It requires that all contractors and suppliers, primes and subs, establish protocols to protect Controlled Unclassified Information (CUI), Federal Contract Information (FCI), and other data, networks, and systems of the Defense Industrial Base (DIB) sector. Previously, companies could self-certify compliance with the applicable Defense Federal Acquisition Regulation Supplement (DFARS) clauses. Now companies must pass an audit conducted by a certified third-party assessment organization (C3PAO).
What are the different CMMC levels?
There are five levels of CMMC certification, each corresponding to a set of cybersecurity practices and processes. The five levels are:
- Level 1: Basic Cyber Hygiene – corresponds to the 17 basic cybersecurity practices that must be performed to protect FCI, drawn from NIST SP 800-171 Rev 2 and 48 CFR 52.204-21.
- Level 2: Intermediate Cyber Hygiene – corresponds to 72 cybersecurity practices, including all 17 Level 1 practices. Focus is on establishing and documenting practices and policies for compliance.
- Level 3: Good Cyber Hygiene – corresponds to 130 cybersecurity practices, including all Level 1 and 2 requirements. The organization must demonstrate the ability to implement the NIST SP 800-171 requirements and manage ongoing policies and processes.
- Level 4: Proactive – corresponds to 156 cybersecurity practices, including all Level 1, 2 and 3 requirements, which must be reviewed and measured for effectiveness. Adds the ability to defend CUI from APT-style attacks, with additional controls drawn from NIST SP 800-171B.
- Level 5: Advanced/Progressive – corresponds to 171 cybersecurity practices, including all Level 1, 2, 3 and 4 requirements. Focus is on the protection of CUI from APTs and on increased depth and sophistication of cybersecurity capabilities.
What can we do?
While available information is limited regarding what CMMC certification will involve, the released CMMC Model v1.0 lists the practices required at each level. With this resource, we are able to provide a pre-assessment that determines an organization’s readiness to achieve CMMC certification, depending on its target level and strategic direction. Upon completion of a pre-assessment, clients will have a clearer understanding of any gaps in their systems and of the steps needed to close them before a full CMMC audit.
To learn more about CMMC or how PJR pre-assessment may help you prepare, contact us at (248) 358-3388.