Comments Due September 25, 2019
Earlier this year, Assistant Secretary of Defense for Acquisition & Logistics Kevin Fahey announced that the Department of Defense (“DoD”) was working with Carnegie Mellon University and Johns Hopkins Applied Physics Laboratory to develop a new cybersecurity standard and certification framework for defense contractors, the Cybersecurity Maturity Model Certification (“CMMC”). The CMMC is designed for use in validating government contractors’ compliance with cybersecurity controls and requirements under DFARS 252.204-7012 (the “cyber clause”).
As previously reported, the cyber clause called for contractor systems that use, develop, store or transmit Covered Defense Information (“CDI”) to comply with the 110 security controls set out in National Institute of Standards and Technology Special Publication 800-171 (“NIST SP 800-171”). The DoD has now rolled out a request for comment on its initial draft version of CMMC. The request for comment package includes the draft CMMC Rev 0.4 Release, a formal request for comment, and a matrix to be used by commenters for submission of their public comments.
The CMMC vision is to build upon the 110 NIST SP 800-171 security controls and other security controls to develop a “unified standard” for cybersecurity in DoD acquisitions. The CMMC includes 18 different domains, each containing 9 standards based on cybersecurity best practices: Access Control, Identification and Authentication, Recovery, Asset Management, Incident Response, Risk Assessment, Awareness and Training, Maintenance, Security Assessment, Audit and Accountability, Media Protection, Situational Awareness, Configuration Management, Personnel Security, System and Communications Protection, Cybersecurity Governance, Physical Protection, and System and Information Integrity.
The CMMC provides for the establishment of five levels of cybersecurity maturity, to be determined based on the system requirements, practices and processes. The five levels range from the lowest, Level 1, which provides for a “basic” level of cyber hygiene, through to Level 5, which provides for an advanced/progressive level of cyber hygiene. Level 3, which is identified as “good cyber hygiene,” encompasses the full set of controls in NIST SP 800-171, plus additional controls. It is anticipated that only a limited number of contractors would be required to hold a certification at Level 4 or 5.
As articulated in listening sessions, the DoD intends to have third-party auditors conduct the CMMC certification audits of government contractors and inform the DoD of risks. These third-party auditors are to be free from bias and not engaged in activities that assist contractors in developing their cyber compliance.
DoD has established a schedule for comment and rollout of the final version of CMMC:
- Comments on CMMC Rev 0.4 by September 25, 2019
- Issuance of CMMC Rev 1.0 in January 2020
- Issuance of CMMC requirements in Requests for Information starting in June 2020
- Issuance of CMMC requirements in Requests for Proposals starting in Fall 2020
Once in place, the DoD intends to use the CMMC to establish required levels of cybersecurity maturity as a foundational “go/no-go” basis for determining eligibility to compete for and be awarded contracts.
The DoD is seeking input on the technical requirements set out in the draft CMMC and asking for answers to certain specific questions:
- What do you recommend removing or de-prioritizing to simplify the model and why?
- Which elements provide high value to your organization?
- Which practices would you move or cross-reference between levels or domains?
- In preparation for the pending easy-to-use assessment guidance, what recommendations might you have to clarify practices and processes?
The current draft CMMC contains many technical requirements, including some that have not previously been included in the cyber clause. It also does not address how these requirements will be implemented. Because of the key role that CMMC will play in future procurements, government contractors at all tiers should review the draft CMMC and assess whether, and to what extent, it poses challenges in implementation or use.