The Fundamental CMMC Compliance Checklist for DoD Contractors

If you want to work with the DoD (Department of Defense), you may be asking, “What is Cybersecurity Maturity Model Certification (CMMC) and why you need it?”. Read on to find out what the CMMC requirements are required, who is affected, how to prepare, and what is next for defense contractors.

What is CMMC?

It’s a unified standard for incorporating cybersecurity across the DIB (defense industrial base), involving over 300,000 companies in the supply chain. The security maturity model is the Department of Defense’s response to significant compromises of sensitive information located on contractors’ information systems.

In the past, contractors were responsible for implementing, overseeing, and certifying their IT systems’ security and any sensitive DoD data stored on/or transmitted by those systems. Contractors remain reliable for implementing critical cybersecurity requirements. However, the CMMC changes this model requires third-party assessments of contractors’ compliance with certain mandatory practices, procedures, and abilities to adapt to new and evolving cyber threats from adversaries.

Goal

The main goal of DoD CMMC is to secure the protection of two types of information from disclosure or unauthorized use:

• CUI (Controlled Unclassified Information) – Information that requires safeguarding or dissemination controls in accordance with and consistent with applicable law, regulations, and government-wide policies but isn’t classified under the Atomic Energy Act or Executive Order 13526, as amended;
• FCI (Federal Contract Information) – Information, not intended for public release, provided by or generated for the government under a contract to deliver/develop a product/service to the government.

Advantages

Due to the new DoD contracts, RFPs and RFIs will require CMMC compliance; those certified contractors will have a competitive advantage. That will be particularly true early on, with most defense contractors likely waiting until they must be CMMC compliant before receiving certification.

Beside quickly obtaining and maintaining defense contracts, CMMC-compliant companies will:

• Repel the threats of nation-state actors, which made up 23 percent of all data breaches in 2019, up from 12 percent in 2018;
• Reduce the risk of data breaches, the cost for which averaged $3.62 million per incidence in 2017;
• Minimize the risk of insider threats and be deemed-compliant with other regulations, including NIST, HIPAA, SOX, FISMA, and ISO.

Timeline

• May 2019 – Version 0.1;
• July 2019 – Version 0.2 identified and reviewed;
• September 2019 – Version 0.4 released;
• October 2019 – CMMC implemented requirements released;
• November 2019 – Version 0.6 to be released for public review;
• January 2020 – Version 1.0 finalization expected; compliance checklist released;
• June 2020 – CMMC starts appearing in RFIs;
• September 2020 – CMMC begins appearing in RFPs.

Who Should Comply with the CMMC?

All defense contractors will eventually be responsible for acquiring a DoD certification. This involves all suppliers at all tiers along the supply chain, commercial item contractors, small businesses, and foreign suppliers. The CMMC-AB (CMMC Accreditation Body) will coordinate directly with Department of Defense to establish procedures for certifying independent CP3AOs (Third-Party Assessment Organizations) and assessors that will review companies’ CMMC DoD levels.

The certification applies to both “prime” contractors who engage directly with the DoD and subcontractors who contract with primes to make sure those contracts’ fulfillment and realization. Even though a certain certification level will be an obligation of every contract starting in 2026, DoD has indicated that they intend to issue contract opportunities at all maturity model levels. Hence, some requests will need only a low level of certification, and some will require higher certification levels.

What Are the Five Levels of CMMC?

MMC Version 1.0 features 5 different maturity levels for organizations, which stretch from maintaining basic cyber hygiene to implementing an advanced cybersecurity program.

Level 1

Basic Cyber Hygiene – This level includes basic cybersecurity appropriate for organizations employing a subset of universally accepted standard practices. It has 17 security procedures that must be efficiently incorporated.

Level 2

Intermediate Cyber Hygiene – At the second level, a company is expected to set up and document standard operating practices, policies, and strategic plans to guide the implementation of its cybersecurity program. Procedures at this level would be documented, and access to CUI data will need multi-factor authentication. It involves an additional 55 security practices beyond that of the first CMMC level.

Level 3

Good Cyber Hygiene – An organization assessed at Level 3 will have demonstrated good cyber hygiene and successful implementation of controls that encounter the security requirements of NIST SP 800-171 Rev 1. Companies that require access to CUI and/or generate CUI should meet CMMC Level 3. It includes an additional 58 practices and indicates a basic ability to defend and maintain an organization’s assets and CUI. Still, at this level, organizations will have challenges protecting against APTs (advanced persistent threats).

Level 4

Proactive Cyber Hygiene – Here, an organization will have to execute advanced and sophisticated cybersecurity practices. The processes at this stage are periodically reviewed, properly resourced, and are improved across the company. The organization can adapt their protection and sustainment activities to satisfy the evolving TTPS (tactics, techniques, and procedures) (TTPs) used by APTs. This stage has an additional 26 procedures beyond the first 3 levels.

Level 5

Advanced/Progressive Cyber Hygiene – At Level 5, an enterprise has an advanced/progressive cybersecurity program with proven expertise to optimize their cybersecurity practices to repel APTs. For process maturity, a CMMC Level 5 organization is expected to secure that process implementation has been standardized across the company. The processes involve continuous improvement across the enterprise and defensive responses performed at machine speed at this grade. It demands an additional 15 practices.

Potential Influences of CMMC

The Cybersecurity Maturity Model Certification shows a drastic change for DoD contractors and will have a huge impact on the industry and its procedures. Below are 3 notable changes that are likely to happen:

1. Cybersecurity Will Be Compulsory in DoD Procurement

CMMC has put cybersecurity at the front line of contract evaluation, scrutiny, and oversight. Being certified at the right level will be critical for the DoD when acquiring services and goods from the industry supply chain.

It will govern contractors and subcontractors that previously didn’t have to satisfy DoD cybersecurity standards, like organizations not handling CDI (covered defense information). From now on, all defense suppliers will be subject to CMMC level 1-5 certification.

While the CMMC security policy is strict, it’ll benefit contractors in three ways:

• It’ll eliminate possibilities of multiple agencies carrying out security assessments on an entity at the same time;
• Independent evaluations will merge security assessment standards, ensuring that every organization’s cybersecurity is being reviewed in the same comprehensive manner;
• Neutral third-party audits won’t let contractors make deceptive or false representations of their security hygiene. Therefore, there will be fewer cases of legal rebuttal caused by misleading claims.

2. Certain Organizations Will Be Disqualified

Contractors will fall under five maturity classes, each with specific security obligations. Relying on information sensitivity and the perceived cyber threat, the DoD will decide which levels qualify for a particular contract. Those companies without an adequate level of certification will be disqualified from the consideration. This will simplify the awarding of contracts and set up early adopters of the cybersecurity model with a decided advantage.

3. The Cropping Up of The Industry Advisors

The DoD will depend hugely on certified third-party auditing agencies to audit and review contractors’ CMMC qualifications. CMMC-AB, a nonprofit accreditation organization, will supervise C3PAOs accountable for offering cyber maturity model credentials to companies. Over 300,000 businesses are within the DoD supply chain, which will demand a ramp-up phase leading up to the January 2021 implementation of Cybersecurity Maturity Model Certification.

Thereby, a new breed of information security consultants and advisors is cropping up. They’ll leverage their compliance expertise to guide defense contractors to efficient certification by performing expert gap analysis, audit preparation, and ongoing support to make sure their IT systems remain compliant and secure.

How to Accomplish CMMC Compliance?

Previously, contractors and subcontractors could verify their CUI and FCI cybersecurity practices and the information systems housing this information themselves. With the introduction of the CMMC certification, this is no longer an option. As a result, organizations and businesses storing or transmitting CUI or FCI must either establish CMMC compliance using in-house means or hire a cybersecurity firm capable of providing security maturity model compliance.

Also, you can take 3 necessary steps to win DoD certifications:

• Implement an SSP (Systems Security Plan) and a POA&M (Plan of Action and Milestones);
• Configure your existing environment or build a new environment to NIST 800-171 r2 compliance;
• Many defense contractors are moving to Office 365 GCC High or other cloud providers to streamline this process;
• Begin building budgets for the improved support requirements and modifying rates to involve the upgraded security requirements. Weigh the costs and take into account outsourcing security, compliance, and MIS (management information system) with an MSP (managed service provider).

What Activities Should Defense Contractors Take in 2021?

DoD contractors should, without delay, learn the CMMC’s technical requirements and prepare not only for certification but long-term cybersecurity agility. Details on how the CMMC assessments will be implemented and how to challenge those assessments will be anticipated quickly. Contractors that have already started to access their practices, procedures, and gaps when the details are finalized will be well-placed to navigate the process and match the mandatory CMMC contract requirements for upcoming projects.

The OUSD A&S (Office of the Under Secretary of Defense for Acquisition & Sustainment) sustains a CMMC FAQ where contractors can keep up to date on board certification.