The U.S. Department of Defense (DoD) supply chain is an interconnected ecosystem of agencies, partners, contractors and subcontractors. This increased collaboration obligesgovernment entities to operate beyond their protected IT environments. Working in cyber infrastructures of unknown security and maturity amplifies risks to the department’s Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
Any documents or data related to an entity’s federal contract is FCI – contract documents, RFP responses and other information entailed in winning or serving the contract. Not all organizations under federal contracts possess CUI, which is any information created or managed by the government that is not classified under other regulations. Some examples include technical drawings, intellectual data and personally identifiable information (PII).
To mitigate these sprawling security dangers and to protect FCI and CUI within the DoD’s supply chain, the department developed a standardized verification mechanism – the Cybersecurity Maturity Model Certification (CMMC). Through CMMC, the DoD can ensure that sufficient cybersecurity practices and processes are in place to protect FCI and CUI that lives on industry partners’ networks.
In the end, CMMC is all about ensuring that the DoD’s critical supply chain is protected from cybersecurity threats.
CMMC Levels
The DoD will gradually migrate to CMMC from the current cybersecurity controls defined by the National Institute of Standards and Technology (NIST) in their special publication SP 800-171. The CMMC framework includes NIST parameters, plus additional security controls, that are broken down into five successive maturity levels that the DoD will require for contract approvals:
- Level 1: Basic Cyber Hygiene – DoD partners who want to be awarded a contract must implement 17 of the NIST (SP) 800-171 rev1 controls.
- Level 2: Intermediate Cyber Hygiene – Contractors must implement Level 1, another 48 NIST rev1 controls, plus an additional 7.
- Level 3: Good Cyber Hygiene – This level requires controls from the previous two, the final 45 NIST rev1 controls and another 13.
- Level 4: Proactive Cyber Hygiene – Levels 1-3 are mandatory, 11 controls from NIST (SP) 800-171 rev2 and 15 additional controls.
- Level 5: Advanced/Progressive Cyber Hygiene – For this highest level of security, the DoD requires the previous four levels, the final four NIST rev2 controls and 11 additional.
Contractors must meet each level’s practice and process requirements with the following 17 capability domains, which is where the MSP is often needed to help prepare for certification and maintain compliance afterwards:
| Access Control | Incident Response | Risk Management | | Asset Management | Maintenance | Security Assessment | | Awareness & Training | Media Protection | Situational Awareness | | Audit & Accountability | Personnel Security | System & Communications Protection | | Configuration Management | Physical Protection | System & Information Integrity | | Identification & Authentication | Recovery | |
Who Must Comply With CMMC?
Any contractor or organization doing business with the DoD – spanning the entire supply chain of prime contractors and their subcontractors – must meet CMMC requirements and achieve certification. The only exemptions are businesses that produce only commercial-off-the-shelf (COTS) products. Although CMMC compliance officially began in 2020, the DoD still requires compliance with NIST 800-171. The department will slowly add CMMC standards into new contracts until all entities are covered by the year 2025.
Getting CMMC Certified
The CMMC Accreditation Body (CMMC-AB) manages the certification process. The DoD will determine what maturity level the supplier must meet to respond to a proposal. To be certified at that level, the contractor must have an independent assessment performed by an authorized Third-Party Assessment Organization (3PAO). To that end, the MSP should conduct an internal assessment of its clients first to ensure certification by the 3PAO.
The DoD has established an Interim Rule with a starting date of November 30, 2020, after which all contractors must perform a self-assessment of their compliance with NIST 800-171. Additionally, contractors must score their assessment using a specific scoresheet provided by the DoD, and the scores must be uploaded to a government website along with a System Security Plan.
Clients who are already working on DoD contracts may need help to meet these new assessment and reporting requirements. MSPs that lack the expertise themselves can partner with a third-party CMMC consultant that offers government contracting expertise.
Where to Start?
Compliance Manager for CMMC allows users to select their target CMMC level for compliance management and guides you through the certification-readiness process. Once certified, it helps you document your client’s ongoing compliance to the standard. It also includes tools to perform and score the NIST 800-171 self-assessment and automatically generates the required System Security Plan.
MSPs that begin early will stand a good chance of moving ahead of the competition by taking advantage of this business expansion opportunity. Click here to learn more.
