A look at CMMC

The Defense Department has issued the long-awaited cybersecurity standards contractors must meet.

On Jan 31, the Pentagon released the official version 1.0 Cybersecurity Maturity Model Certification, which requires any company that does business with the Department of Defense. Primes as well as subcontractors must have "at least a basic level of cybersecurity standards" when they respond to requests for proposals.

CMMC is informed by the National Institute of Standards and Technology's guidance on protecting controlled unclassified information (CUI) in non-federal systems and on security and privacy controls for federal systems. It outlines five levels of certification addressing both cybersecurity practices and processes.

Level 1 covers basic cyber hygiene, Level 2 would involve certifying cybersecurity processes as well, to ensure a Defense contractor is "effectively documenting, managing, reviewing and optimizing its practices across its entire enterprise," Katie Arrington, DOD's chief information security officer for acquisition, said in the Jan. 31 press briefing. Level 5 requires a vendor to standardize cybersecurity practices across the organization and focuses on the protection of CUI from advanced persistent threats.

DOD plans to release 10 requests for information and 10 RFPs this year that will require CMMC certification when the contract is awarded, Arrington said. By fiscal year 2026, all new DOD contracts will contain CMMC requirements, according to Under Secretary of Defense for Acquisition and Sustainment Ellen Lord. The CMMC will be a "complicated rollout," she said, and the five-year timeline was "realistic" before making it mandatory in all contracts.

Arrington presented during a Jan. 28 event hosted by NeoSystems and law firm Holland and Knight that DOD expects to have at least 15 contracts to have the CMMC requirements and 1,500 certified contractors by fiscal 2021. More than half of those would be at level 1, according to presentation documents. That total number is expected to balloon to almost 48,000 by fiscal 2025.

The number of contracts with CMMC requirements will, theoretically, explode as well with 75 contracts including it by fiscal 2022, 250 contracts by 2023 and 479 contracts in 2024, according to the DOD presentation documents.

But the scheduling is only part of CMMC's rollout complications as critics worry whether smaller companies will be able to meet the standards without undue burden. DOD has repeatedly stressed that small and medium-sized businesses were a priority in rolling out CMMC.

"One of our challenges is how to bring companies that aren't familiar with defense work in," Lord said Jan. 31 when asked about how companies unfamiliar with defense contracts would be able to prepare for the shift. "We just created early this year, what we call a placemat, with step-by-step, how you work with industry."

Kevin Fahey, DOD's deputy acquisition chief, told reporters during the briefing that prime contractors could have subcontractors work within their infrastructure to ensure cybersecurity.

Other concerns revolve around the third-party auditors conducting assessments. While the initiative's success relies heavily on the CMMC accrediting body and how it shapes training for the assessors, those assessors have not been selected and no one has yet been "designated as qualified," Lord said. Officially dubbed CMMC third-party assessment organizations (C3PAOs), the assessors will be charged with certifying contracting companies, and are trained by the newly stood up CMMC Accrediting Body.

The CMMC Accrediting Body, an independent, not-for-profit group responsible for developing assessment standards and training, is slated to deliver a draft of "CMMC 101" training in February, according to presentation documents.

Ty Schieber, the CMMC Accrediting Body chair, told Defense Systems following the Jan. 28 event that "solidification of schedule will occur once we get the relationship codified" via memorandum of understanding and "mutually agree upon what we can do and what that means in terms of hitting those guidelines." That memo is also slated for February and will address conflicts of interest such as ensuring auditors won't be able to review their own company, Lord said Jan. 31.

Once up and running, companies will be able to apply for certification through a marketplace portal run by the accrediting body, Arrington said. The CMMC certification will be good for three years and with it, companies will be able to bid on contracts across DOD and the military services.

The DOD acquisition officials said they would share the guidance as it is being developed.

This article is a combination of two articles first posted to FCW, a sibling site to Defense Systems.


About the Author

Lauren C. Williams is senior editor for FCW and Defense Systems, covering defense and cybersecurity.

Prior to joining FCW, Williams was the tech reporter for ThinkProgress, where she covered everything from internet culture to national security issues. In past positions, Williams covered health care, politics and crime for various publications, including The Seattle Times.

Williams graduated with a master's in journalism from the University of Maryland, College Park and a bachelor's in dietetics from the University of Delaware. She can be contacted at [email protected], or follow her on Twitter @lalaurenista.

Click here for previous articles by Wiliams.