Last month we reported on the Department of Defense’s (DoD’s) issuance of Version 0.6 of its draft Cybersecurity Maturity Model Certification (CMMC) standard. That draft included DoD updates and revisions to CMMC’s domains, capabilities and practices for Levels 1 through 3. It deferred revisions to those parts of CMMC covering Levels 4 and 5. On December 6, 2019, DoD issued Version 0.7 of the draft CMMC standard, covering all domains, capabilities and practices for Levels 1 through 5. With this version of the draft CMMC, we are approaching what is expected to be the issuance of the final CMMC Version 1.0 in January 2020.
The revised CMMC Version 0.7 modifies some of the processes and practices in Levels 1 through 3, and includes a reduced number of requirements under Levels 4 and 5. Level 1 still addresses basic cyber hygiene, and it addresses Federal Contract Information (FCI) handling, applying the designation of the data to be protected and the rules in Federal Acquisition Regulation (FAR) 52.204-21 that are to apply. This rule applies to all contractors at all levels, and draft Version 0.7 identifies it as a “foundation for the higher levels of the model and [something that] must be completed by all certified organizations.” It is a performance requirement. Other levels starting with Level 2 address process maturity. While Level 2 still addresses data that is FCI, it, like Level 1, will be a foundation for achieving Level 3. Level 3 addresses compliance with NIST SP 800-171 and DFARS 252.204-7012 requirements. This level includes “the basic ability to protect and sustain an organization’s assets and CUI [Controlled Unclassified Information]”. Levels 4 and 5 will apply to more sensitive data and require the contractor to be able to demonstrate compliance with requirements for a substantial and proactive cybersecurity program.
Notably, Levels 4 and 5 presently do not require compliance with all 33 additional controls that were proposed in the draft NIST SP 800-171B. 15 of these controls are identified as excluded.
DoD continues to indicate that it expects to issue CMMC in final version in January 2020, and that it is working on establishment of the third party certifier organization and certifiers to certify contractors compliance with the CMMC levels. DoD FAQs now state that, once released, the CMMC Version 1.0 will be used for training the certifiers and that CMMC requirements will be included in Requests for Information starting in June 2020. Our understanding is that CMMC requirements are still expected to begin roll out in Requests for Proposals in the Fall. Recent clarification to the release indicates that “Contractors will be required to meet the certification level at time of award. The Prime contractors must flow down the appropriate CMMC requirement to sub-contractors. Unless a higher level is specified, all contractors and sub-contractors must meet at a minimum CMMC Level 1.”
For contractors and subcontractors at all tiers – the above puts you on notice that you need to be working on your compliance now. Given the foibles of procurements, as well as the timing and limited number of certifiers that will likely be in place in the first year, you should be working your way through the steps to being compliant so that there will be time to go through the third party certification process before award. Even though CMMC has not been finalized, there can be little doubt that the requirements of FAR 52.204-21 are a minimum for any procurement – they continue to be referenced in all versions of the CMMC, and DFARS 252.204-7012 will be a required set of standards even if the standards change at the higher levels – they too continue to be referenced in the CMMC. Having a system that addresses the requirements will take time to put in place.