The DoD has been working to improve cybersecurity over the last several years as news of nation-state sponsored theft of defense secrets makes the news on a regular basis. The biggest source of leaks of sensitive intellectual property is the hundreds of thousands of contractors that have access to sensitive but unclassified information called CONTROLLED UNCLASSIFIED INFORMATION or CUI.
In 2013 the DoD created a security requirement in the Defense Federal Acquisition Regulations called DFARS 252.204-7012 and then a few years later, NIST released a security requirement named SP 800-171. While both of these were a start to improving security for the defense industrial base, they didn't solve the problem.
Controlled Unclassified Information or CUI was created after 9/11 via a presidential memorandum signed by President Bush. It was updated in 2011 by President Obama under Executive Order 13556. The Pentagon and other parts of the government are still working on implementing this 20 years later.
CUI is government created or owned information that requires safeguarding or dissemination controls consistent with applicable laws, regulations and government wide policies.
CUI is not classified information. It is not corporate intellectual property unless created for or included in requirements related to a government contract. It is information that we do not want to fall into our adversary’s hands. An example of this is the design of the F-35 fighter, which China stole and then built their own.
Because there are fewer controls over CUI as compared to classified information, CUI is the path of least resistance for adversaries. Loss of aggregated CUI is the one of the most significant risks to national security, directly affecting lethality of our warfighters.
The problem was that people were claiming that they were compliant with these regulations but they were not compliant and no one was checking to verify it.
In early 2019 DoD upped the ante by releasing the Cybersecurity Maturity Model Certification (CMMC). This was the first time DoD required contractors, sub-contractors and suppliers to be CERTIFIED to participate in the DoD supply chain.
The DoD released version 1 of CMMC as an emergency requirement and while that allowed them to deploy it quickly, it didn’t mean that it was going to be painless. In fact, especially for small businesses, the CMMC 1.0 was quite painful and expensive to implement.
As part of the emergency rule-making process, DoD was required to conduct a review and make changes if needed. That review was supposed to be complete in April of 2021. It was released this last November.
In November DoD released CMMC 2.0. This version is not yet approved under the governments rule-making processes. Here are some of the basics that we expect to see:
1. The five levels of CMMC are now three. Since the DoD never planned to certify anyone at levels 2 or 4, this is no loss and doesn’t really change much.
2. Contractors that have to comply with Level 1 can self-certify. These companies only need to have very basic security so self-certifying is a pretty low risk. Note that you cannot have access to CUI at level 1.
3. CMMC 1.0 Level 3, now called Level 2, may be split into two sublevels with the lower sublevel able to self-certify. The DoD has not explained how they are going to decide who can have access to CUI and self-certify and who has to have a third-party certify them. For those lucky ones who can self-certify, they have just reduced their compliance cost by tens of thousands of dollars. The higher level 2 companies will still need to get a third-party certification, just like the old level 3. It is anticipated that only 10-15% of folks at Level 2 will be able to self-certify.
4. Level 3 is going to require both a Level 2 third-party certification and also an extra certification done by DoD. They have not figured out how Level 3 is going to work, but that should not affect most contractors. It will probably be mostly those working for the intelligence community.
5. The 20 extra controls that were in CMMC 1.0 are gone, but only for now. The DoD has said that they are going to ask NIST to add them to the next version of 800-171, so this is only a short-lived reprieve.
6. The Process Maturity Levels from CMMC 1.0 are gone. These are probably gone forever, but you really should be doing these anyway. You just won’t be tested on them.
7. The Department of Justice says publicly that they are going to file lawsuits against companies that have lied about their 800-171 compliance. We have seen two settlements thus far, but expect more. This is a big stick because if the DoJ wins, a company could be disqualified from receiving any DoD contracts and can be fined millions of dollars.
8. The CMMC-AB (now referred to as the Cyber AB), in our opinion, is going to be in a holding pattern for the next year or two. With no published regulation, it is going to be hard to move forward. They are encouraging folks to voluntarily get certified. We assume most won't do this, but for those who do, there could be more government business.
9. The DoD says that they want to create some sort of incentive for companies to get certified before the regulation is approved. They have not said how that is going to work. Or, even if they have the authority to do that.
Here is the CMMC-AB AKA Cyber-AB organizational structure:
10. Certifications will expire. For self-certifications, an executive of the company will need to sign that they understand what they are signing and that everything that they have attested to (as in that they are fully compliant with 800-171) is true. You will have to do this every year. This is an easy place for the DoJ to come after you for fraud, disqualify you for future contracts or place onerous requirements on you.
At the higher levels, certifications will last three years – or at least we think that is true.
It is also possible (or even likely) that the Pentagon may require that classified network owners be certified as well, although they have not said this publicly. Yet.
NOTE: We will update this web page as more information is released by the Department of Defense.
For more info, please see our FAQ page HERE.
The CMMC will encompass three maturity levels that range from "Foundational" to "Expert". The intent is to identify the required CMMC level in RFP sections L and M and use it as a "go / no go decision."
In its final form, the CMMC intended to combine various cybersecurity control standards such as NIST SP 800-171 (Rev 1 and Rev 2) (Rev. 1 & Rev. 2), NIST SP 800-53, and AIA NAS9933s into one unified standard for cybersecurity. After a lot of pushback from the contractor community, they limited CMMC to just controls in 800-171.
They say they plan to enhance NIST SP 800-171 to bring back some of the controls that were in CMMC 1.0 and are not currently in CMMC 2.0. They are doing this by creating a version 3 of 800-171, which will likely be released in 2023.
To be clear, the DoD does not control what is in 800-171. That is the responsibility of the Department of Commerce. If you don’t like what is in 800-171, talk to Commerce; DoD can’t change it.
CMMC is a program to make sure that contractors who say they are complying with 800-171 really are complying. That is ALL CMMC is. CMMC does not have any of its own requirements any longer.
The DoD has built upon existing DFARS 252.204-7012 regulation and developed the CMMC as a "verification component" with respect to cybersecurity requirements. The DoD has entrusted DoD contractors to achieve compliance and (with continued pressure) to ensure 100% adoption of cybersecurity controls--as the DoD is updating its policies. This is a "trust but verify" process.
The DoD is putting a lot of pressure on the big primes to get their subs in line. Of course, the primes don’t have their own houses in order yet. The prime contractors are required to flow down the appropriate CMMC requirement to sub-contractors and the subs must flow down these requirements to their subs.
If you have a vendor that has access to your systems such as an IT services provider or you have a vendor that you give either system access or data, any of those third parties may need to be certified at the same level as you are or above. The current DFARS -7012 and -7019 are MANDATORY flow down clauses with no changes other than you can insert your company’s name. Since almost all companies use vendors or service providers, this is going to be a big one. When CMMC is fully rolled out, any subs or vendors used on the contract will need to be certified at the appropriate level before the contract can be awarded.
The DoD still plans on maintaining a database that contracting officers will review prior to awarding contracts. What this looks like is still undefined. It will probably look something like SPRS plus other systems.
Ultimately, DoD contractors will not be allowed to bid on RFPs unless they are certified at the required level. This is different than what has been the norm historically. Historically, contractors get certified after the fact. The plan has changed. Now you will have to be certified in advance.
The current plan is that the new regulations will be released around March of 2023. *IF* the rulemaking authority allows the DoD to create what is called an interim final rule, DoD could start putting certification requirements in SOME RFPs 60 days later. If they are not allowed to create an interim final rule, then we won’t see this in RFPs until May 2024. We anticipate they will allow it.
BUT, and this is a big one, DoD will roll this out slowly because they know that if that roll it out too fast, no one will be able to bid on contracts. If it costs too much then people will opt out of bidding.DoD Contractors will need either to self-certify or coordinate directly with an accredited, independent, commercial certification organization to request and schedule a CMMC assessment. If they need to get to CMMC 2.0 Level 3, they will also need to coordinate with the DoD after they have their third-party certification
DoD contractors or suppliers who have the skill, resources and IT staff available, can meet the appropriate CMMC level of cybersecurity in-house. Internal IT departments can use the "Self Assessment Handbook - NIST Handbook 16" provided by the National Institute of Standards and Technology (NIST). This handbook was created by NIST with the intention of assisting U.S. DoD contractors who provide products and services for the Department of Defense. Unfortunately, this handbook only covers NIST SP 800-171 Rev. 1 (A good starting point for certifications up to CMMC Level 2) and there is currently not a Self Assessment Handbook for NIST SP 800-171 Rev. 2. However, a copy of the Rev. 2 itself can be found HERE. Note that this will not get you certified. If you are required to get certified. then you will need to engage an approved third party (like us) and if that process is successful, you will be awarded a certification at the appropriate level.
For many DoD contractors, the most effective way to meet the CMMC cybersecurity requirements is to outsource the task to a consulting partner that has the appropriate expertise and can work with you to become compliant. Remember that DoD contractors remain ultimately responsible for ensuring that their company meets the appropriate cybersecurity requirements, so it is essential to choose a provider that is reputable. Again, you will have to engage a third party for the actual certification process.
CyberCecurity, LLC and Turnkey Cybersecurity and Privacy Solutions, LLC are two such cybersecurity consulting companies.
The first step towards compliance is to determine what CUI information you have, how it is used and who needs access to it. Then you should conduct a gap assessment to determine how close the contractor is to compliance. This process is called the risk assessment or gap analysis. Gap analyses are designed to discover areas where the company is not fully compliant with the regulations.
The results of the gap analysis may reveal issues related to:
Without a gap analysis, it's impossible to know what changes an organization needs to make before it meets the required CMMC Level. The gap analysis provides a roadmap to becoming compliant.
Certification is a point-in-time event. Even if it covers some historical period like an AICPA SOC Type 1 audits do, it doesn't mean that you will be compliant in the future.
The DFARS also require almost instant notification (within 72 hours) of a security event to your prime contractor or to the government. Part of being compliant is being able to respond to these incidents in a time frame and with the required data to the appropriate party.
For many companies, DoD contracts make up a substantial percentage of their revenue and because NIST SP 800-171 is a requirement in many cases for bidding on contracts (check with your contracting officer), it's extremely important that contractors are complying with 800-171. If a contractor lies about being 800-171 compliant, they can be fined and debarred.
CyberCecurity, LLC and Turnkey Cybersecurity and Privacy Solutions, LLC are full-service cybersecurity companies that offers a wide range of cybersecurity and privacy services, including various certification services. More information about our certification services, please give us a call (info below).
We currently offer:
Accomplishing the above items will facilitate becoming compliant with the CURRENT, EXISTING, ONGOING DFARS.
Have more questions?
Please call me for more information: Mitch Tanenbaum, CISO, CyberCecurity, LLC