Disruptive by Design: Preparing for the Industry-wide Shakeup of CMMC
“CMMC.” If you’re in the Department of Defense (DoD) or the defense contracting space, you’ve probably heard these letters thrown about in recent years. CMMC, short for Cybersecurity Maturity Model Certification, means a major transformation for the defense industry, and this radical, industry-wide change may prove to be disruptive. However, this disruption by design is necessary to correct the insufficiencies of the status quo and meet the ever-evolving, advanced security threats facing our nation.
The CMMC cybersecurity framework was developed by the DoD, Carnegie Mellon University and Johns Hopkins University. Originally planned for release in 2020, CMMC has been delayed by both COVID-19 and changes in DoD leadership, but it is now slated for implementation by late 2023/early 2024. These delays enabled the DoD to include multiple revisions to streamline its approach. CMMC 2.0 dictates a new set of standards designed to protect sensitive unclassified information within the defense industrial base (DIB) from the evolving and complex cyber attacks we face today.
CMMC 2.0 practices, based on the National Institute of Standards and Technology (NIST) and Defense Federal Acquisition Regulation Supplement policies, establish 110 security practices across 14 domains to define how the defense industrial base must safeguard controlled unclassified information (CUI) to receive a DoD contract award. Under CMMC 2.0, all contractors pursuing DoD contracts are required to be assessed at one of three levels:
- Level 1 (Foundational): Annual self-assessment and affirmation in line with 15 security requirements
- Level 2 (Advanced): Triennial third-party assessment and annual affirmation in line with 110 requirements aligned with NIST SP 800-171
- Level 3 (Expert): Triennial government-led assessment and annual affirmation in line with 110+ requirements based on NIST SP 800-171 and 800-172
Once CMMC rolls out, all DoD contracts under competitive acquisition will be assigned a CMMC level as a prerequisite for all bidders. Think of it like an ISO or CMMI certification listed as a condition of award, except that this one will be attached to every bid. Level 1 is the simplest to obtain, using an internal self-assessment and continuing affirmations of compliance with the standards. Some contracts will use Level 1 as a baseline if they do not involve CUI. However, a requirement for a Level 2 or Level 3 assessment will be more common.
Again, every bidder will be required to demonstrate compliance with the appropriate CMMC level to be eligible for DoD contracts. Here, certified third-party assessment organizations, called C3PAOs, are expected to play a big role in conducting formal CMMC assessments. Level 3 assessments will likely be performed by the government.
While CMMC may seem far away, it will be here before we know it. If your primary line of business is DoD, then don’t be caught unaware. Take steps now to ensure that you’re ready to meet these requirements once compliance is mandatory. If you’re prepared, you can undergo your Level 2 assessment during this provisional timeframe. If you feel lost, you can start acting now to prepare yourself for this rollout. Plan for CMMC by reviewing NIST requirements, familiarizing yourself with CMMC resources, identifying your assessment scope, creating and reviewing security policies and controls, and conducting mock assessments.
CMMC may seem like a lot of work, but it is vital to reinforce cooperation between the DoD and industry to help secure our defense systems against the ever-changing influx of cyber threats. Let’s all do our part to help ensure the safety and security of our industry and our nation through the rollout of this new program.
Lauren Beward is the business development manager for Bravura and the senior cybersecurity specialist with ArCybr.