If your organization is in a position to bid on DoD contracts, take note: the Cybersecurity Maturity Model Certification (CMMC) is on the horizon.
DoD contract bidders are already familiar with requirements such as documenting a System Security Plan (SSP) and Plan of Action and Milestones (POA&M). Prescribed by NIST SP 800-171, the SSP provides a detailed account of an organization’s information system and security requirements, as well as the controls that have been implemented to meet those requirements. The POA&M, meanwhile, serves as a “to do” list of remediation items that address gaps between the SSP and the NIST SP 800-171 standard. In other words, the POA&M highlights an organization’s opportunities for improvement.
Taken together, these requirements have long been part of the cost of doing business as a DoD contractor. But in this era of increasingly advanced cyber threats, organizations need to up their security postures to keep pace, particularly when dealing with controlled DoD information. Solving this problem is the goal of the CMMC. Once the mandate takes effect, a bid can only be considered if the submitting organization is certified at or above the respective CMMC maturity “level.” Allow me to elaborate.
The CMMC represents a departure from the traditional compliance checklist. Gone are the days of ticking a few boxes and then tallying the results as proof of being “secure.” Instead, the CMMC gauges a bidder’s holistic adoption of a true information security program by measuring it against a standard reference—NIST SP 800-171. The CMMC is organized into five levels, each of which corresponds to a subset of NIST SP 800-171 controls:
*The controls associated with the Proactive and Advanced levels will be part of the yet-to-be-finalized NIST SP 800-171B standard.
The idea is that the more NIST SP 800-171 controls with which an organization complies, the higher level of CMMC it can attain. For example, if your organization complies with all of the Level 1 and 2 (Basic and Intermediate) requirements, it could be certified at Level 2. At that point, your organization would be eligible to bid on contracts that require CMMC Levels 1 or 2 but would not be eligible to bid on contracts that require Levels 3, 4, or 5. As you can see, the CMMC provides the DoD with the ability to categorize its prospective bidders by security maturity, which should help to streamline the bid selection process and ensure that contracts are awarded to organizations with the commensurate levels of maturity.
Now, ramping up your organization’s security maturity might be a costly undertaking, so it’s important to note that the process for complying with these new standards will be an “allowable” cost. This means that costs incurred as part of meeting CMMC requirements can be billed back to the government. Without this provision, the CMMC would effectively exclude a large number of prospective bidders, which would certainly be problematic for the DoD. Helping to fund the strengthening of so many organizations’ security postures creates a win-win for all parties involved.
So, when does the CMMC take effect? The DoD hopes to begin certifying assessment firms in early 2020, and then in June 2020 allowing said firms to begin to assess prospective bidders. The scopes of the audits and the specific reporting requirements have not yet been finalized, nor has the degree to which the requirements “flow down” to subcontractors. Further, CMMC Levels 4 and 5 will require adherence to NIST SP 800-171B, which is still in draft form. Though there are still numerous factors in flux, organizations would do well to start or continue their preparations, as change is coming.
Tips to help prepare for the CMMC include:
- Configure your environment to enforce the controls specified in NIST SP 800-171.
- If your organization uses Microsoft Office 365, apply for and implement Office 365 GCC High.
- In light of the cost and effort associated with new security controls, consider outsourcing security, compliance, and information system management to a Managed Security Services Provider such as Corsica Technologies.