All companies contracted by or considering work for the DoD need to be aware of the new CMMC certification.
The United States Department of Defense (DoD) recently announced the Cybersecurity Maturity Model Certification (CMMC). All companies and subcontractors doing business or proposing to do business with the DoD must be assessed and certified against the CMMC starting in 2020, with the full CMMC slated for publication in January of 2020. This requirement follows a number of high-visibility security incidents involving DoD information.
The CMMC will unify a number of current cybersecurity standards (including NIST 800-53, NIST 800-171, and ISO 27001/27002) into a single standard for companies doing business with the DoD. Some parallels can be drawn between the DoD CMMC and the NIST Cybersecurity Framework (CSF), although the CSF is typically used as a voluntary framework for establishing or maturing a cybersecurity program, whereas the CMMC will be a mandatory certification program.
Companies being evaluated against the CMMC will be assessed against one of five levels of cybersecurity maturity. While the full CMMC documentation has not been published yet, the DoD has announced that the levels will range from "Basic" to "State-Of-The-Art". The results of the assessment and certification process will be taken into account in the determination of which companies will receive contracts with the DoD.
Companies seeking to do business with the DoD will be required to undergo assessment and certification by a DoD-certified third-party assessor. (Note: for some of the higher levels of certification for CMMC, assessment will be performed by DoD personnel.) Prior to assessment, companies will select a specific CMMC level against which to be evaluated and certified. Following the assessment process, a company will receive certification that reflects the cybersecurity maturity of the organization. In the event that a company suffers a cybersecurity incident, recertification against the CMMC may be required; the recertification requirement will be dependent upon the nature and severity of the cybersecurity incident. Specific recertification threshold information has not yet been released by the DoD.
The timeline for implementation of CMMC utilizes a phased approach, with the first version of the CMMC framework being released in January 2020. Following this, CMMC requirements will start being used in DoD Requests for Information (RFIs) in June 2020, and by September 2020, Requests for Proposals (RFPs) will begin requiring CMMC certification.
For companies currently doing business with the DoD, or considering doing business with the DoD, we recommend the following activities in preparation for assessment against the CMMC.
In the preparation phase, a company should identify the level of CMMC certification that is appropriate for the Federal work performed by the company. This can be determined by analysis of RFIs/RFPs that the company is likely to respond to, or by communication with their DoD contacts regarding existing contracts. While full information regarding the specific levels for CMMC certification has not been released, it is likely that parallels can be drawn between the CMMC certification level and the levels of the Capability Maturity Model (CMM).
Following this identification process, companies should select a firm to perform the assessment and certification (assuming that the assessment is not being performed by DoD personnel) and schedule the assessment. Given the short timeframe between the first release of the CMMC framework and the point at which CMMC certification will be required, we recommend utilizing an assessment firm that the company has worked with before, assuming an appropriate relationship exists. Given that CMMC assessment and certification must be performed by DoD-approved assessment firms, companies should be prepared for the possibility that the initial pool of qualified assessment firms may be relatively small.
In the pre-assessment phase, companies should produce a comprehensive gap analysis against their desired CMMC certification level and determine remediation plans for any gaps identified. This gap analysis process should be conducted as a lightweight assessment, collecting initial evidence to demonstrate compliance with the requirements of the CMMC and identifying areas where such evidence of compliance does not currently exist.
During the pre-assessment phase, many companies find it helpful to employ the services of a consulting firm, or other independent assessor that is familiar with Federal standards, to assist with the gap analysis and remediation processes. A consulting firm or independent assessor can reduce the internal resources needed for the gap analysis process, as well as providing expert guidance regarding the best strategies for remediation of gaps found during the gap analysis process. Once remediations are in place, it is appropriate to begin the assessment process with the third-party assessment firm employed by the company.
If your company is affected by the CMMC, watch for the upcoming DoD guidance and the release of the CMMC framework and prepare your action plan to be ready for Summer of 2020. Leviathan Security Group can assist with the preparation for CMMC certification and can also provide expert guidance during assessment and certification. Additionally, Leviathan Security Group can provide services for a wide range of cybersecurity and compliance needs, including in-depth software and hardware technical assessments, security and risk advising, and incident response and forensics.
Shea Nangle is the Federal Practice Lead for Leviathan Security Group. In addition to deep Federal security and compliance experience, he has significant experience in PCI DSS, SOC 2, and security maturation for growth stage companies. His research and volunteer activities include operational security and Open Source Intelligence.