Recent events have highlighted why cybersecurity is crucial and how far its effects cascade. The ransomware attack on Colonial Pipeline sent gas prices skyrocketing in the US Southeast, causing shortages and a cascade of secondary effects. By some estimates, US companies lose up to $600 billion per year to lax cybersecurity. Cybersecurity is not just the purview of the US Department of Defense or the federal government. It affects nearly every aspect of modern living, from the electrical grid to the gas pump, from infrastructure to your personal tax records and credit history, across the public and private sectors. The DoD previously left the cybersecurity of its supply chain up to each contractor, but no longer. To reduce risk, it is requiring that all contractors within the Defense Industrial Base submit to certification by an accredited third-party organization or lose those contracts. The requirement is being phased in now and is meant to be fully in force by 2025. Our choices are compliance or getting out of the defense contracting business. Learning Tree would like to help your company meet those requirements, giving you options and helping you achieve the necessary certifications as quickly and cost-effectively as possible.
To get started, here are the top 10 things you need to know about CMMC:
1) What is CMMC?
The US Department of Defense (DoD) recognizes the risk of loss through its supply chain, the contractors that make up the Defense Industrial Base (DIB) supplying our military. The Cybersecurity Maturity Model Certification (CMMC) is designed to assess the security posture of DIB companies and verify that appropriate practices and processes are in place before contracts are awarded.
2) Who must be certified?
According to DFARS 252.204-7021, all entities bidding on and awarded contracts must be CMMC certified to the level specified in the solicitation or statement of work, except for contracts acquiring solely commercial off-the-shelf (COTS) products. The requirement flows down to subcontractors. In other words, ANY entity directly or indirectly working on DoD contracts involving Federal Contract Information (FCI) and/or Controlled Unclassified Information (CUI) must comply or risk losing those contracts!
3) What are FCI and CUI?
FCI is Federal Contract Information.
FCI is information provided by or generated for the federal government under a contract and not intended for public release. So, for example, information published as part of the bidding process or posted on a public DoD website is not FCI, but companies should assume everything else pertaining to the contract is. FCI carries no handling or legal requirements beyond the contract itself, FAR 52.204-21 and the DFARS rules, but it must nonetheless be protected at a basic, foundational level. CMMC requires that companies handling FCI meet at least Level 1 (Performed - Basic Cyber Hygiene).
CUI is Controlled Unclassified Information.
CUI is information that requires safeguarding or dissemination controls pursuant to and consistent with laws, regulations, and government-wide policies, excluding information that is classified under Executive Order 13526, Classified National Security Information, or any predecessor or successor order, or the Atomic Energy Act of 1954, as amended. In other words, CUI has legal and policy requirements that must be met, but it does not fall under the DoD classification scheme. Classified information must of course be protected too, but it already has its own protection schemes and requirements. CMMC covers everything else that carries legal or policy requirements but falls outside the classification scheme. CMMC requires that companies storing, processing or transmitting CUI meet at least Level 3 (Managed - Good Cyber Hygiene).
4) How soon do we have to obtain certification?
October 1, 2025. DoD states that contracts awarded on or after that date can only go to entities certified at the required level. Companies not certified risk losing their existing contracts. Even before that date, the DFARS Interim Rule applies. It went into effect on November 30, 2020 to phase in the CMMC program, and some companies already risk losing contracts under it. Contractors that have already met the certification requirements hold a large competitive advantage over those that have not.
5) What is the DFARS Interim Rule?
The CMMC program is meant to be phased in. The DFARS Interim Rule (DFARS Case 2019-D041) went into effect on November 30, 2020. Contractors are still required to self-assess against NIST SP 800-171 and post their score in the Supplier Performance Risk System (SPRS). Some contracts, however, will also require full CMMC certification. For now it is at the discretion of the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) which new contract awards must carry the CMMC requirement. The goal is to award an increasing number of prime contracts each year with the CMMC requirement included. In fiscal year 2021, DoD is requiring only a minimum of 15 prime contracts to carry the new CMMC requirements, and that requirement flows down to those primes' subcontractors. If you are one of the few certified entities, you have a tremendous advantage over your competition as more and more awards require CMMC certification. By 2025, all companies must be CMMC certified to win contract awards.
6) How is CMMC different from 800-53 or 800-171?
National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 applies to all US federal agencies and any entity housing federal information or information systems. SP 800-171 is meant for protecting CUI stored, processed or transmitted in nonfederal systems. CMMC is not an audit that ensures a set of specific boxes are checked; it is an assessment of the organization's overall cybersecurity posture as it pertains to CUI and FCI. CMMC describes this as the institutionalization of good cybersecurity practices throughout the organization. Considerable trust is placed in the judgement of the assessment team. All CMMC requirements at the level sought must be fully satisfied by the Organization Seeking Certification (OSC) in order to be certified.
The requirements for CMMC extend beyond those of 800-171. While many of the practices and much of the assessment guidance are taken directly from 800-171, CMMC adds practices designed to enhance an organization's security posture: Level 3 alone comprises the 110 practices of 800-171 plus 20 more, for 130 in total, with further practices at Levels 4 and 5. One example is actually reviewing the audit logs as part of the organization's regular operations.
7) Will my 800-171 assessment count (or my ISO 27001... or SOC... or RMF)?
The CMMC assessment is separate from the 800-171 and other assessments. While some work is being done on reciprocity between models so that effort is not endlessly duplicated, right now the CMMC System Security Plan (SSP) is not the same document as the 800-53 SSP, the CMMC Plan of Action and Milestones (POA&M) is not the same as an ordinary system POA&M, and the CMMC certification is not the same as any other certification. These are separate certifications and must be treated as such, despite the overlap. It is ultimately up to the lead CMMC Certified Assessor (CCA) to determine when a CMMC control is met by an equivalent third-party certification: which controls are met, whether gaps exist between the two control programs, whether the third-party assessment meets CMMC standards, and so on. Regardless of how many controls have already been met, the OSC is not CMMC compliant until the assessment team has evaluated the organization.
8) What are the CMMC certification levels?
There are 5 levels of CMMC certification:
- Level 1 - Performed - Basic Cyber Hygiene
  - Foundational level indicating that 17 basic practices are performed
  - Documentation is not required at this level
- Level 2 - Documented - Intermediate Cyber Hygiene
  - Practices and processes are documented
  - Levels are cumulative: all Level 1 requirements must be met to achieve Level 2
- Level 3 - Managed - Good Cyber Hygiene
  - 130 practices and 3 processes must be met
  - The security posture must be planned for and maintained
  - Levels are cumulative: all Level 2 requirements must be met to achieve Level 3
- Level 4 - Reviewed - Proactive
  - Measurements must be taken and reviewed for effectiveness
  - Levels are cumulative: all Level 3 requirements must be met to achieve Level 4
- Level 5 - Optimizing - Progressive/Advanced
  - The organization standardizes and optimizes cybersecurity across the whole organization
  - Levels are cumulative: all Level 4 requirements must be met to achieve Level 5
Currently, organizations can only seek provisional certifications because the requirements are not yet finalized and the assessor organizations have not yet been approved. Only the Level 1 and Level 3 requirements are fully defined, documented and described. Level 2 is not defined in the same detail because it is only an interim step between Level 1 and Level 3, and if a contract requires handling CUI, Level 2 is not sufficient.
9) My organization didn't bid on a contract but we assist one that did. Do we need to be certified?
If the organization handles CUI or FCI, even as a subcontractor, then it needs to be certified just as the prime contractor does. This should be stated in the contract between the subcontractor and the prime, but even if it is not explicitly stated, the subcontractor still needs to be certified, or it needs to inform the DoD and seek advice on how to appropriately remove or destroy the information from its systems.
This does not mean you need the same assessment level as the prime contract. It depends on the type of information handled. If the subcontractor handles only FCI, Level 1 is the highest level it needs. It is also possible for the prime to hold a lower level than the subcontractor, for example a Level 1 certified prime with a Level 3 certified subcontractor. In that case, any CUI must flow directly to the subcontractor and never be handled by the prime. As long as no organization handles information beyond the level it is certified for, all involved remain fully compliant.
10) My organization doesn't handle CUI. Do we still need to be certified?
Even if the organization only handles FCI, it still needs to be certified at Level 1. Pretty much any organization with a US DoD contract needs to be certified, because the contract alone likely constitutes FCI. The few exceptions are simple transactional information, such as payment data necessary to process a transaction, and contracts solely for COTS products.