The Cybersecurity Maturity Model Certification (CMMC) is a new standard for implementing security across the Department of Defense’s (DoD) supply chain. All Defense Industrial Base (DIB) companies will now require a CMMC certification to work with the DoD on Controlled Unclassified Information (CUI) projects.
Previously, companies were responsible for their information systems’ security and any DoD information stored or sent through them. The CMMC will now require third-party assessment and certification of businesses. This ensures better protection of the systems and faster adaptation to cybersecurity threats that are evolving by the day.
Here’s a timeline of the CMMC’s activities to date.
January 2020: DoD releases Cybersecurity standards
The Cybersecurity Maturity Model Certification (CMMC) framework was released to boost the protection of Controlled Unclassified Information (CUI) within the department’s supply chain. The CMMC Accreditation Board (CMMC-AB) will coordinate with the DoD to develop procedures to implement the certification standard.
All DoD contractors, and not just IT-related businesses, must henceforth be certified by the CMMC accreditation board. The only exception to the rule is for companies supplying commercial off-the-shelf software. All contractors need to have the certification before they can bid for and get contracts for DoD projects, not after getting the contract. The certification will also be required for subcontractors, though the certification level may differ.
There are five levels of CMMC certification. Level one is for ‘basic cyber hygiene’ practices like using antivirus software and password protection. The levels rise depending on the sensitivity of the information and the level of security required.
Independent assessors will visit the contractors’ premises to evaluate the business and to issue the certification.
Why did the DoD introduce the change?
Many contractors did not adhere to the Security and Self Assessment model checklist. US adversaries have exploited the weakness: defense contractors with weak security infrastructure have leaked national security secrets.
The CMMC was introduced to deter and stop adversaries from penetrating the contractors’ and the DoD’s systems. A non-profit board made up of both industry and academic partners (the CMMC-AB) manages the CMMC’s implementation.
What will the cost of the certification be?
The contractors will have to fund their certifications. The cost will depend on the certification level, the business network’s complexity, and other market forces. The certification will be valid for three years, after which the contractor will have to apply again. If they get the contract, the contractors can expense the certification cost as an allowable reimbursable cost.
What level of certification is required for subcontractors?
The certification level depends on the type and nature of the information sent in by the prime contractor. If the contractor is level 3, for example, the subcontractor may be level 1, 2, or 3, depending on what information they handle.
How does maintaining compliance lead to better security?
Many standards do not do an adequate job since they are often implemented only to the lowest attainable mark. The CMMC will be different, however. The certification has different levels for different security needs and can provide more stringent and mature protection.
November 2020: CMMC Implementation
The CMMC accreditation board (CMMC-AB) is currently the only authorized body that can train and license CMMC-accepted auditors for the DoD. The CMMC-AB will roll out the certification in a phased 5-year process to integrate CMMC into all DoD contracts. The certification will not affect any current contracts and will only be for new contracts or Requests for Information (RFIs).
The Defense Federal Acquisition Regulation Supplement (DFARS) interim rule (clause 252.204-7021) for CMMC came into effect in November 2020 and will be active until 2026.
CMMC-AB training and certification program
The accreditation body will conduct the training in two phases. The first, the initial phase, will be a short-term, controlled implementation with a limited scope. The phase is set to last between 3 and 6 months and is rushed to meet the DoD’s aggressive deadline. The CMMC-AB will use feedback from this stage to improve the formal program and its assessment methodology.
The phase will train its participants to certify only up to level 3. A select group of 60 highly experienced candidates from different-sized organizations and independents will participate in the training after being assessed. The entire training will take place online.
The second phase will be a long-term formal program. The formal program is currently under development and will roll out immediately after the provisional phase is complete. The CMMC-AB will work in conjunction with multiple training partners to offer the best quality training in different formats. The CMMC will have a centralized body of information to promote standardization and quality of the entire process.
CMMC Training and Credentialing Progress
As of January 2021, there are:
- 1060 Registered Practitioners (RPs)
- 339 Registered Provider Organizations (RPOs)
- 53 CMMC Third-Party Assessor Organizations (C3PAOs)
- 16 Licensed Partner Publishers (LPPs)
- 12 Licensed Training Providers (LTPs)
- 100 Program Assessors approved by the CMMC-AB.
Scantron is currently developing certification exams for the CMMC. The exams are for Certified Professional (CP), Certified Assessor Level 1 (CA1), and Certified Assessor Level 3 (CA3). The exams for Certified Assessor Level 5 and Certified Instructor will begin later in 2021.
Licensed Training Partners will begin offering classes in the second quarter of 2021 and prepare students to take the certification exam. The certified classes are taught by a CMMC-AB provisional or certified instructor who uses CMMC-AB approved training material (CATM) developed by an LPP. The LPPs are projected to offer the first CATM courses by March or April of 2021.
The CMMC-AB will also train Provisional Instructors every month, starting in February 2021. These instructors have both assessment and training experience.
Beta versions of the certification program are scheduled for release in May or June of 2021, and the full formal certification test for CP, CA1, and CA3 will be available in September.
Licensed Software Providers (LSP) will also be available soon to build software solutions that will help CAs, CPs, C3PAOs, RPs, and RPOs deliver CMMC services to their clients in line with CMMC-AB requirements and specifications.
CMMC Pilot program timeline 2021
The Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) requested pilot candidates from military services and component agencies in memoranda issued in August and November 2020. The criteria to qualify for the pilot program are:
- An expected contract in the 2021 financial year.
- Be a mid-sized contractor that processes, stores or transmits basic CUI.
- Not solely providing COTS products or operational technology systems that support industrial/manufacturing operations.
Candidate acquisitions have already been identified by the Army, Air Force, Navy, Missile Defense Agency, and Defense Logistics Agency. For the 2021 financial year, the DoD plans to pilot up to 15 new acquisitions, with a set target of 475 by FY25. The OUSD(A&S) will approve using the clause for all new acquisitions up to 1 October 2025.
Here’s a provisional timeline for the CMMC Pilot:
- Offerors of acquisition services to the DoD are expected to prepare for certification by going through the NIST SP 800-171 self-assessment.
- In January and February, the DoD and the CMMC-AB will hold pilot kick-off meetings to chart the way for the CMMC pilot’s implementation.
- Between March and April of 2021, offerors are expected to review CMMC requirements with their subcontractors and request an assessment from an authorized C3PAO.
- Meanwhile, between April and June 2021, the government will issue RFPs and offer clarifications should they be needed.
- Between late June and August, contractors are expected to submit proposals and obtain CMMC certification, after which the contracts will be awarded.
Basic CMMC Process Summary
The entire CMMC certification process is completed before the contract is awarded. The process begins by identifying the level of certification required, usually found in RFIs, RFQs, or solicitations for the contract. The default training for the pilot program will be for level 3 certification.
The DIB contractor is then free to implement the appropriate CMMC practices and processes for the certification level required. The contractor may enlist the help of an RPO to prepare for certification or perform a self-assessment test and, if ready, selects and hires an authorized C3PAO to provide an assessment. The accredited C3PAO then assigns a Certified Assessor who performs the assessment on the contractor and submits a report to the DoD. If approved, the C3PAO issues a CMMC certificate that is valid for three years.
ISO 17011 release plan: January 2021
We are currently not an ISO accreditation body, but we plan to be one within the next two years. ISO/IEC 17011:2017 is the ISO standard for accreditation bodies and, once granted to the CMMC-AB, will allow us to accredit C3PAOs. Currently, the CMMC accredits C3PAOs according to DoD guidelines. Once accredited, we will additionally have the ISO/IEC 17020 for our C3PAOs.
The C3PAOs will have to be ISO-accredited by the CMMC within 27 months. The ISO/IEC 17011 CMMC accreditation process is planned between January 2021 and mid-2022.
BlueSteel Cybersecurity is a CMMC RPO and can provide you with guidance to get your firm ready for assessment. Reach out today to learn more about our CMMC Readiness Service.