
As manufacturing returns to the U.S., new supply chain relationships are established. Continued change in the economy after COVID also means growth for manufacturers, families, and communities. Adjusting to these changing circumstances will require developing new plans, taking further actions, and modifying behaviors. The organizations that flex to adapt more quickly will capture more market share and enhance their reputations.

Manufacturers that examined their strengths and weaknesses also identified new opportunities and threats. Many businesses see these opportunities as a means to diversify their portfolio of customers while also gaining stability. If you have recently entertained the idea of government contracts as a source of diversification and strength, then you have likely heard about the newest requirements, called the Cybersecurity Maturity Model Certification, or CMMC for short. CMMC is a set of requirements, intended to reduce risk from specific cyber threats, that all future Department of Defense (DoD) contractors and subcontractors will need to meet in order to obtain future DoD contracts.

What is CMMC?

Ongoing challenges involving the protection of unclassified, sensitive contract information on contractor and subcontractor networks and systems were the catalyst for CMMC. In response to these cyber threats, Ellen Lord, Under Secretary of Defense for Acquisition & Sustainment, announced the release of the Cybersecurity Maturity Model Certification (version 1.0), commonly known as CMMC, a unified cybersecurity standard for DoD acquisitions.

“Cybersecurity risks threaten the Defense industry and the national security of both the U.S. government and our allies and partners,” Lord emphasized. “CMMC is a critical element of DOD’s overall cybersecurity implementation.”

CMMC is a future requirement for all contractors and subcontractors that work or intend to work with the DoD. Starting with specific DoD contracts in September 2020, CMMC aims to become a verification mechanism for protecting Controlled Unclassified Information (CUI) and for establishing cybersecurity controls across the Defense Industrial Base (DIB).

Along with adhering to the requirements defined by the Defense Federal Acquisition Regulation Supplement (DFARS 252.204-7012), CMMC will also incorporate standards found in the FAR, NIST SP 800-171, NIST SP 800-53, the CIS Controls, and other sources. CMMC will have five certification levels, each with its own requirements and standards that any business or manufacturer will need to implement and verify in order to compete for government contracts. We will discuss the five levels of CMMC certification and how the certificate will work later in this article. Now that we have explained what CMMC is, let’s discuss DFARS.

What is DFARS?

The Defense Federal Acquisition Regulation Supplement clause, also known as DFARS, is a set of requirements that businesses must implement and follow to protect any controlled unclassified information that is used, stored, or provided by the DoD. The conditions found within DFARS clause 252.204-7012 outline the criteria defined in the National Institute of Standards and Technology (NIST) SP 800-171 documentation. For subcontractors that interoperate with the DoD, their systems and networks must all meet the standards defined by DFARS to further protect CUI that is stored, transmitted, or received from the DoD.

The DoD does not intend to modify any existing contracts to include the CMMC requirements. Projections are that CMMC will be fully implemented in about five to six years, as existing contracts end and are replaced by newly awarded contracts containing CMMC requirements.

Who needs to follow CMMC?

Currently, CMMC is focused on businesses that wish to fulfill contracts as contractors or subcontractors conducting business with the United States DoD. Cybersecurity will no longer be viewed as an element of contract performance. Once CMMC is fully implemented, third-party certified and mature cybersecurity practices and processes will be foundational in contracting with the DoD. Now that we understand who needs to become CMMC compliant, let’s review the different CMMC certification levels that will be available.

Image: Data network visualized. The CMMC model is essential to companies looking to land government contracts.

CMMC Model Framework Levels 1 through 5: How Are They Organized?

When a business is preparing to adopt CMMC, it has to consider the level of certification required for the contracts it wants. The DoD intends to implement CMMC in a “crawl, walk, run” sequence. It plans to issue a new DFARS clause and include the CMMC requirements in approximately 10 RFPs this fall. The goal for CMMC is to become a cost-effective guideline for smaller businesses that wish to engage in contracting and subcontracting opportunities with the DoD. There are five levels of CMMC certification, ranging from Level 1 to Level 5. These levels are used to match businesses, manufacturers, and subcontractors with contracts that require either the same CMMC certification level or a lower one.

Level 1 certification focuses on “basic cyber hygiene” and covers the requirements specified in Federal Acquisition Regulation 48 CFR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems. Level 1 is the lowest level required to be considered CMMC compliant, but it does not guarantee the awarding of contracts that require a level above Level 1.

Level 2 certification focuses on what is called “intermediate cyber hygiene,” where the business has a greater understanding of, and ability to protect and maintain, the security of its assets. CMMC Level 2 certification also introduces the expectation that all policies, standard operating procedures, and strategic plans are established and documented.

For Level 3 certification, the business or manufacturer will have to demonstrate good cyber hygiene and have adequate controls implemented following NIST SP 800-171 Revision 1. Along with meeting the technical practices mentioned, the business is also expected to ensure that adherence to its policies is reviewed and that its activities are adequately resourced. At this level, companies and manufacturers that reach CMMC Level 3 are trusted with Controlled Unclassified Information, or CUI. Any organization that works with CUI is also subject to DFARS clause 252.204-7012 and will have to meet additional requirements, including incident reporting.

Businesses at CMMC Level 4 demonstrate a proactive cybersecurity program, meaning that the company can adapt its protection and sustainment activities to address the ever-changing tactics, techniques, and procedures of advanced persistent threats. Companies at Level 4 maturity review the effectiveness of their activities and inform upper management of any issues.

Finally, CMMC Level 5 certified businesses and manufacturers show advanced or progressive cybersecurity programs and demonstrate the ability to optimize their cybersecurity capabilities to effectively mitigate and prevent attacks from advanced persistent threats. Level 5 CMMC businesses have standardized process implementation throughout the organization.

One thing that leadership teams should keep in mind as they consider higher-level certification is that each business must meet all of the standards and expectations of the desired level, which includes the requirements from all lower levels of the CMMC practice progression. For example, if a business meets the expectations for CMMC Level 4 but does not meet one of the requirements for Level 3, the current CMMC level for that business is Level 2. CMMC certification should be treated as a cumulative, progressive certification that requires both the technical practices and the process maturity requirements to be met at each level.

What are the capabilities expected with CMMC attainment?

The controls and processes build up across the five maturity levels, which range from basic cyber hygiene to advanced cybersecurity. For each CMMC level, specific controls and processes are expected. A brief outline of the five levels is listed below.

  • Level 1: Performed Basic Cyber Hygiene
    • Basic Safeguarding of FCI
    • 17 Practices
    • Equivalent to all practices in Federal Acquisition Regulation (FAR) 48 CFR 52.204-21
  • Level 2: Documented Intermediate Cyber Hygiene
    • Transition Step to Protect CUI
    • 72 Practices
    • Comply with FAR
    • Include a select subset of 48 practices from NIST SP 800-171 R1
    • Includes an additional 7 practices to support intermediate cyber hygiene
  • Level 3: Managed Good Cyber Hygiene
    • Increasing Protection of CUI
    • Comply with FAR
    • Encompasses all practices from NIST SP 800-171 R1
    • Includes an additional 20 practices to support good cyber hygiene
  • Level 4: Reviewed Proactive Cybersecurity
    • Increasing Protection of CUI
    • Reducing Risk of Advanced Persistent Threats (APTs)
    • Comply with FAR
    • Encompasses all practices from NIST SP 800-171 R1
    • Includes a select subset of 11 practices from Draft NIST SP 800-171B
    • Includes an additional 15 practices to demonstrate a proactive cybersecurity program
  • Level 5: Optimizing Advanced Cybersecurity
    • Reducing Risk of Advanced Persistent Threats (APTs)
    • Comply with FAR
    • Encompasses all practices from NIST SP 800-171 R1
    • Includes a select subset of 4 practices from Draft NIST SP 800-171B
    • Includes an additional 11 practices to demonstrate an advanced cybersecurity program

DFARS Compliance

When a business seeks a new contract with the Department of Defense, it must be able to effectively implement the cybersecurity requirements addressed in both DFARS clause 252.204-7012 and NIST Special Publication 800-171. After the business implements the outlined requirements, the Defense Contract Management Agency (DCMA) will validate the cybersecurity compliance of the company. Additionally, the DCMA will leverage its review of whether a potential contractor’s purchasing system meets the standard of DFARS 252.244-7011 to:

  • Review Contractor procedures to ensure contractual DoD requirements for marking and distribution statements on DoD CUI flow down appropriately to their Tier 1 Level Suppliers.
  • Review Contractor procedures to assess compliance of their Tier 1 Level Suppliers with DFARS Clause 252.204-7012 and NIST SP 800-171.

Do I have to be DFARS compliant if I am progressing with CMMC?

While CMMC progression does include individual sections and requirements of the DFARS clauses and NIST SP 800-171 Revision 1, manufacturers are still required to be DFARS compliant. They should implement the necessary sections of NIST SP 800-171 Revision 1.

Currently, any manufacturer that holds a contract must remain DFARS compliant, and any business found not to be DFARS compliant may have the contract suspended or terminated, or may even be suspended or debarred from accepting or competing for future United States government contracts. These events can ultimately affect the business’s potential for future lines of work and also affect the reputation of the business. If your business follows the CMMC guidelines and plans to reach Level 3, you will have completed most, if not all, of the NIST SP 800-171 Revision 1 and DFARS requirements.

Image: Regulation paperwork and stamps. Even after a CMMC framework is adopted, manufacturers must keep track of regulatory updates to remain flexible.

Is CMMC reporting similar to DFARS?

DFARS allows each business to self-attest to its contract requirements after it has already won the contract. CMMC requirements are progressive and not designed to be all or nothing. DoD Requests for Proposals (RFPs) will reflect the level needed by the DoD for each contract. Cybersecurity will now be an allowable cost on new DoD contracts.

CMMC makes you prove it before you can win the contract. Getting security right for the defense industrial base is critical for all parties involved. CMMC will not replace the DFARS requirements; it simply provides a unified standard and maturity model for enforcing DFARS. Once CMMC is recognized and enforced, manufacturers that wish to be CMMC certified must have an assessment done by a certified CMMC auditor. At the time of writing this article, the requirements for becoming a licensed auditor, also known as a C3PAO, have not been published. However, only licensed C3PAOs are authorized to perform the final audit, which will be used to determine the CMMC rating that a business or manufacturer will receive.

5 steps to prepare for CMMC

While the full requirements for how to become CMMC certified are not yet official, manufacturers can better prepare themselves by following these 5 steps:

  • First, manufacturers and businesses interested in becoming CMMC certified should review the CMMC framework and implement a compliance program. Reviewing the CMMC framework can help the leadership team of your business understand the changes that need to be made. Once the framework has been reviewed and understood, any identified changes should be included in a compliance program. These changes should become the responsibility of the business’s Data Protection Officer, who will be responsible for reviewing and coordinating the progress of the certification activities.
  • After developing an understanding of what is needed to become CMMC certified, the business should then identify what maturity level is desired and what controls are needed for that level. During this time, business leaders should keep in mind that CMMC certification is done on a level system, and to qualify for a level, you must fulfill all of the requirements for that level and every lower level. Even if a business meets the requirements for CMMC maturity level 3, if it does not meet all of the requirements for maturity level 2, it will be given a level 1 maturity rating.
  • The third step that manufacturers will take when preparing their business for CMMC compliance is to perform internal audits. If a manufacturer has the resources, such as an internal IT team, it should perform an internal audit based on the requirements defined by NIST SP 800-171 Revision 1 for maturity levels 1 through 3. If you are unsure of what the specific requirements are for NIST SP 800-171 or how to do a self-assessment, click here.
  • The next step that manufacturers should take to prepare for CMMC certification is to perform a CMMC Readiness Assessment. Having a readiness assessment completed will help you identify the level that your business would currently meet, and identify the applicable controls and the gaps that are preventing your business from reaching the desired level. After the assessment, the leadership team should use the results to create a CMMC roadmap for reaching the desired maturity level.
  • Once the leadership team has completed and validated all the requirements that were previously missed, the fifth and final step that you should take toward becoming CMMC certified is to have an independent firm perform an audit. These audits help finalize the maturity level that your business is expected to receive, and again identify any gaps that will prevent you from reaching the desired maturity level. Currently, there are no accredited third-party assessors that can perform the certifying assessment. We anticipate the training of the C3PAOs will be completed in the coming months.

Certitude Security™ is an Ohio-based cybersecurity services company that focuses on protecting U.S. manufacturers from injustice, which includes cybercriminals and self-harm. If you are interested in learning more about our assessment services or talking about how your leadership team can get assistance to comply with the CMMC requirements, please visit our website to speak to one of our representatives.