Previously we reported on the Department of Defense (“DoD”) efforts to develop a Cybersecurity Maturity Model Certification (“CMMC”) program to verify the status of contractor cybersecurity and compliance. The CMMC program contemplates that third party auditors will be qualified and retained to review and certify contractors and suppliers at all tiers on their levels of compliance with the CMMC. It is anticipated that, as part of the CMMC roll out, cybersecurity requirements and evaluation criteria will be included in future procurements starting in the Fall of 2020. These CMMC certifications will be used to establish whether an entity meets the foundational level of cybersecurity required for a particular DoD procurement.
DoD still plans to issue the CMMC in final form by January 2020 and to identify third party certifiers to conduct the CMMC certifications for planned roll out of CMMC provisions in Fall 2020. DoD scheduled a CMMC Accreditation Body Kickoff meeting for interested organizations and/or individuals for November 19, following its issuance of an RFI for information on “how to define the long-term implementation, execution, sustainment and growth of the CMMC Accreditation Body.”
More than 2000 comments were submitted in response to the publication of the initial draft CMMC, Version 0.4. At lightning speed, the DoD has turned around the draft and issued the next version of the draft CMMC. Version 0.6 of the CMMC was issued on November 7, 2019. That new version of the draft CMMC covers 17 domains (Access Control, Asset Management, Audit and Accountability, Awareness and Training, Configuration Management, Identification and Authentication, Incident Response, Maintenance, Media Protection, Personnel Security, Physical Protection, Recovery, Risk Management, Security Assessment, Situational Awareness, System and Communications Protection, System and Information Integrity) and addresses the processes and practices required for Levels 1 through 3. DoD advises that it is still working through the comments relating to the higher level certification processes and practices for Levels 4 and 5 and that it will issue a follow-on draft addressing those additional levels in the near future.
The latest revisions to the draft CMMC, Version 0.6, make clear that each security level builds on and includes the requirements contained in the lower security level. Thus, Level 1 includes an initial set of practices and processes, and Level 2 includes those Level 1 practices and processes as well as additional ones. Level 2 is classified as a level to assist the contractor in preparing for its transition to and compliance with Level 3 requirements, the level that contains the full set of security controls, practices and processes required by NIST SP 800-171, which has been the base standard for cybersecurity at DoD under DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting.
The draft also references prior statements that Levels 4 and 5 will contain additional security controls in order to promote increased protection for critical DoD programs.
The draft CMMC does not, however, answer a number of key questions, including:
- Will there be programs and contracts that will be subject to the limited Level 1 standard? Or will this level be reserved for potential subcontractors that won’t develop or be required to have access to controlled unclassified information (CUI)?
- Will Level 2 be used for the issuance of prime contracts?
- Will DoD require contractor certification as a foundational precondition to competing in a procurement, or will it allow a contractor to compete subject to successful certification by the start of performance?
- Must a subcontractor be certified at the same level as that required of the prime contractor for a particular program? When does the subcontractor need to be certified?
- Will DFARS 252.204-7008, 252.204-7009 and 252.204-7012 be modified or phased out when CMMC goes live?
- Will there be a pilot period under which the DoD will ramp up its requirements and contractor CMMC certification?
- How long will the process of obtaining a CMMC certification be?
There are many other questions that will need to be answered before CMMC is implemented. DoD has committed to engaging in formal rulemaking for the CMMC program. However, it has also said that it intends to move forward with an interim rule pending that process.
Given the direction and speed with which CMMC is heading our way, contractors should be looking at whether these draft CMMC processes and practices can be met. Potential opportunities to comment on the draft and during the rulemaking should be considered. In addition, contractors should be taking steps now to prepare for CMMC, including examining what it will take for them to be certified and the level of readiness of their supply chains. Since the current draft indicates that NIST SP 800-171 will apply to Levels 3, 4 and 5, and parts of it will apply to the lower levels, contractors might look at how their current practices measure up against those requirements and what would be needed for them to address likely gaps in compliance. Contractors also should be thinking about what they will need from their suppliers and lower tier subcontractors, and how they may be able to obtain the information needed to determine whether these supply chains will be able to meet these requirements.
Sound cybersecurity throughout the supply chain is the DoD’s goal. Stay tuned for the next round of CMMC and future rulemaking.