Tuesday, September 20, 2022

Cybersecurity Maturity Model Certification (CMMC)

The Cybersecurity Maturity Model Certification (CMMC) is a training, certification, and third-party assessment program of cybersecurity for DoD contractors (also referred to as the Defense Industrial Base or DIB). Why should you care about CMMC? FAR and DFARS clauses require it. It will be a factor in proposal scores (e.g. the Polaris GWAC scores 6,000 points for cybersecurity and 5,000 for risk assessment compared to 750 points for CMMI certification). NASA, DHS, GSA, and other government organizations are expected to follow DoD with the implementation of CMMC. These are the important bullet points for CMMC:

  • FAR 52.204-21. Basic Safeguarding of Covered Contractor Information Systems. Correlates with the CMMC Level 1 requirements for protecting Federal Contract Information (FCI).
  • DFARS clause 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting (October 2016) required compliance with NIST SP 800-171 no later than December 31, 2017.
  • DFARS clause 252.204-7019 Notice of NIST SP 800-171 DoD Assessment Requirements (November 2020). Suppliers are required to perform an assessment for each covered contractor information system that is relevant to the offer, contract, task order, or delivery order, at a Basic, Medium, or High level in accordance with the NIST SP 800-171 DoD Assessment Methodology and submit their score (not more than 3 years old) in the Supplier Performance Risk System (SPRS). A Basic assessment is a self-generated score. A Medium assessment is performed by the Government. A High assessment includes everything in a Medium assessment as well as validation of the contractor's System Security Plan (SSP).
  • DFARS clause 252.204-7020 NIST SP 800-171 DoD Assessment Requirements (November 2020). Defines Basic, Medium, and High assessments.
  • DFARS clause 252.204-7021 Cybersecurity Maturity Model Certification Requirements (November 2020). Requires CMMC certificate at the CMMC level appropriate for the information that is being flowed down to the contractor.
  • CMMC v1.0 was released on January 31, 2021.
  • CMMC v2.0 was released on November 4, 2021. Per Town Hall sessions held by the Deputy DoD CIO (David McKeown) in February 2022, CMMC v2.0 is not expected to be finalized until it completes the DoD rulemaking process which could take up to 24 months. The new version simplified the program:
    • 3 Levels
      • Level 1. Foundational
        • For contractors and subcontractors that only handle Federal Contract Information (FCI) as defined in the FAR. The DoD estimates that about 140,000 such companies exist in the DIB.
        • 17 security controls aligned with FAR 52.204-21.
        • Annual self-assessment.
      • Level 2. Advanced.
        • Allows CUI handling.
        • Aligns with NIST SP 800-171 rev 2. 110 security controls. The rumor is that the "delta 20" which were in the CMMC v1.0 Level 3 will be added in to NIST SP 800-171 version 3. These include FAR Clause 52.204-21, NIST SP 800-53 Rev. 4, and NIST Cybersecurity Framework (CSF) v1.1. Includes Level 1 requirements.
        • Annual self-assessment.
        • Triennial 3rd-party and government-led assessments for some Level 2 programs. The original estimate is that 40,000 companies will require 3rd party assessment. Per the February 10, 2022 Town Hall, Deputy DoD CIO David McKeown said further analysis has shown all 80,000 CMMC Level 2 DIB contractors will require third-party assessments.
      • Level 3. Expert.
        • NIST SP 800-172 Enhanced Security Requirement for Protecting Controlled Unclassified Information, a supplement to NIST SP 800-171. Includes Level 2 requirements.
        • Only about 500 companies out of 300,000 in the DIB will be subject to Level 3 certification.
        • Triennial 3rd-party and government-led assessments via the Defense Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
  • "CMMC eMASS" is expected to be available to the DIB to store assessment artifacts, create POA&Ms, and maintain the System Security Plan (SSP). Expected April/May 2022.
  • A Plan of Action and Milestones (POA&M) will be allowed for up to six months for non-compliant controls. POA&Ms for the highest-weighted requirements will not be allowed. A minimum score will be required to support certification with POA&Ms. Waivers will be allowed on a very limited basis, accompanied by strategies to mitigate CUI risk. Waivers will be time bound and require senior DoD approval.
  • The Department of Justice announced in their Civil Cyber-Fraud Initiative that they will utilize the False Claims Act to pursue cybersecurity-related fraud by government contractors (which includes falsely claiming compliance with CMMC).
  • The government may offer incentives for DoD contractors who comply earlier than the CMMC v2.0 implementation deadline (or when it makes it through the rulemaking process and the DFARS clauses are allowed in contracts).
  • DoD will lay out the new policies, such as waiver processes, through Title 32 National Defense regulations. The Pentagon will also codify the policy into Title 48 Federal Acquisition Regulations (FAR) and Defense Acquisition Regulation Supplement (DFARS) so contracting officers can use CMMC 2.0 in acquisitions. This could take up to 2 years (expect CMMC 2.0 to be in contracts by summer 2023). Rulemaking under 32 CFR is required to establish the CMMC program. Rulemaking under 48 CFR is required to update the contractual requirements in the DFARS to implement the CMMC 2.0 program. Until rulemaking formally implements CMMC 2.0, the DIB's participation in CMMC will be voluntary. Expect the final CMMC Rule 32 CFR and 48 CFR between December 2022 and May 2023.
  • The CMMC Assessment Process (CAP) was released on July 26, 2022. C3PAOs can begin assessing DIB companies now.
  • CMMC Roles:
    • OSC. Organization Seeking Certification
    • C3PAO. CMMC Third-Party Assessor Organization. Contract with OSCs, hire and train certified assessors, schedule assessments, and manage assessments.
    • Assessors. Certified CMMC Professionals (CCP) and Certified CMMC Assessors (CCA). Credentialed to conduct assessments at a particular level (1, 2, or 3).
    • RP. Registered Practitioner. Individuals that provide advice, consulting, and recommendations to their clients. Do not conduct Certified CMMC Assessments.
    • RPO. Registered Provider Organization. Implementers and consultants that assist companies with CMMC. Do not conduct Certified CMMC Assessments.
    • LPP. Licensed Partner Publisher. Publish educational courses and content related to CMMC.
    • LTP. Licensed Training Partner. Provide education and training services related to CMMC.

Wednesday, September 14, 2022

If I Were an Authorizing Official (AO)

I have been involved in the Certification and Accreditation (C&A) and Assessment and Authorization (A&A) processes used by government customers since the DoD Information Technology Security Certification and Accreditation Process (DITSCAP) was released in 1997. As we progressed through the Department of Defense Information Assurance Certification and Accreditation Process (DIACAP) in 2006 and in 2014 moved to the DoDI 8510.01, "Risk Management Framework (RMF) for DoD Information Technology (IT)", I've gone through hundreds of security controls, thousands of assessment procedures, or Control Correlation Identifiers (CCIs), authored and reviewed dozens of policy and procedure documents, and otherwise managed accreditation packages that eventually navigated through an approval chain to obtain an Authority to Operate (ATO) issued by an Authorizing Official (AO). I've thought about what I would do if I were sitting in the AO's seat and here's what I'd look for:

  • More time spent on risk assessment versus compliance. We are very good at applying checklists and providing compliance scores and dashboards, but not much time is spent analyzing assessment results, managing Plans of Action and Milestones (POA&Ms), applying mitigations, and determining residual risk. At the end of the day, the AO needs to decide whether to authorize a system or not, and to do that, the risk of operating the system must be understood, not how many security controls are open.
  • Develop, provide, and use the Continuous Monitoring Plan as soon as possible in the System/Software Development Lifecycle (SDLC). Per NIST SP 800-37, a Continuous Monitoring Plan should be submitted to the AO at Step 2 of the Risk Management Framework (RMF) process (Selection of Security Controls). Attention should be paid to the change management process, providing a security impact analysis for changes, and documenting the decision to accept the risk introduced with the change. The change management process needs to be clear as to what constitutes a major change that must be elevated to the AO for approval and what changes can be accepted by the team responsible for the day-to-day development, operations, and security of the system. An effective Continuous Monitoring Plan keeps the security posture of the system at the same level it was when it was authorized, and there should never be a mad rush to clean it up before the ATO expires and the system is reassessed.
  • Don't be afraid of reporting bad news. Use your skills to find vulnerabilities. If open findings cannot be closed, expose them to the AO, and don't try to bury them in a POA&M that has unrealistic mitigations or milestones to close them.
  • Be more technical and less administrative. The assessment and authorization process should not be a paperwork drill to populate an Enterprise Mission Support System (eMASS) record. When looking at open findings in Security Technical Implementation Guide (STIG) assessments, discuss ways to close or mitigate the finding; don't just open a POA&M item with an indefinite due date. Establish realistic milestones and follow up on due dates to make sure progress is being made.
  • Use inherited controls from your common control providers. When deploying an application in a Cloud Service Provider (CSP) environment, two NIST SP 800-53 control families should be entirely inheritable, Physical and Environmental (PE) and Media Protection (MP), as well as several controls in Maintenance (MA). Many more security controls, particularly Incident Response (IR), should be inheritable from the Cybersecurity Service Provider (CSSP). Applying an enterprise policy record should further reduce the controls the system owner is responsible for. For example, on an Impact Level 4 system deployed in AWS GovCloud (US), we were able to inherit 91 CCIs from the CSP, 120 CCIs from the CSSP, and 435 CCIs from the enterprise policy record.
  • Keep an accurate inventory. Know the operating systems, applications, databases, network components, and cloud resources (if applicable) within your accreditation boundary. Be aware that the cloud resources you are consuming are in scope at your Impact Level when deploying a DoD application in accordance with the DoD Cloud Computing Security Requirements Guide (SRG). Keep a STIG traceability matrix that is associated with your inventory. Be able to generate a Software Bill of Materials (SBOM) so if a major vulnerability such as Log4j is announced you'll know quickly whether you are affected and which systems need attention.
  • Document data flows. Your architecture and data flow diagrams should reflect the external services your system needs to access, external connections to on-premises services, and interfaces to the CSSP for vulnerability assessment and log collection. Ports, protocols, and services exceptions and firewall rules should align with the data flow documentation.
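As an added example for the inventory point above (this is not code from the original post), the following Python script shows the kind of question an SBOM-backed inventory lets you answer in minutes: given one CycloneDX-style SBOM per system, list every system that carries a build of a named artifact inside an affected version range. The system names, SBOM contents and the Log4j version bounds used in the call are constructed for illustration; real bounds come from the vendor advisory for the vulnerability at hand.

```python
"""SBOM-driven exposure check. Added example, not from the original post."""
import json
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    group: str
    name: str
    version: str


def load_cyclonedx(text: str) -> list:
    """Pull (group, name, version) triples out of a CycloneDX JSON SBOM document."""
    doc = json.loads(text)
    return [
        Component(c.get("group", ""), c["name"], c["version"])
        for c in doc.get("components", [])
        if "name" in c and "version" in c
    ]


def version_key(v: str) -> tuple:
    """Comparable key: numeric tokens compare as integers; a tagged token such as
    'beta9' sorts below any numeric token in the same position."""
    return tuple((1, int(t)) if t.isdigit() else (0, t) for t in re.split(r"[.\-]", v))


def is_affected(version: str, first_bad: str, first_fixed: str) -> bool:
    """True when first_bad <= version < first_fixed."""
    return version_key(first_bad) <= version_key(version) < version_key(first_fixed)


def find_affected(inventory: dict, group: str, name: str,
                  first_bad: str, first_fixed: str) -> list:
    """Return sorted (system, version) pairs whose SBOM carries a vulnerable build."""
    hits = []
    for system, components in inventory.items():
        for c in components:
            if c.group == group and c.name == name and is_affected(c.version, first_bad, first_fixed):
                hits.append((system, c.version))
    return sorted(hits)


def sbom(*components) -> str:
    """Build a minimal CycloneDX JSON document from (group, name, version) triples."""
    return json.dumps({
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "components": [
            {"type": "library", "group": g, "name": n, "version": v} for g, n, v in components
        ],
    })


# Constructed per-system SBOMs; system names and contents are illustrative only.
LOG4J = "org.apache.logging.log4j"
INVENTORY = {
    system: load_cyclonedx(text)
    for system, text in {
        "app-portal": sbom((LOG4J, "log4j-core", "2.14.1"),
                           ("com.fasterxml.jackson.core", "jackson-databind", "2.13.0")),
        "batch-etl": sbom((LOG4J, "log4j-core", "2.17.1")),
        "legacy-report": sbom((LOG4J, "log4j-core", "2.0-beta9"), (LOG4J, "log4j-api", "2.0-beta9")),
        "static-site": sbom((LOG4J, "log4j-api", "2.14.1")),
    }.items()
}

if __name__ == "__main__":
    # Assumed bounds for illustration (first affected / first fixed); take the
    # real bounds from the vendor advisory for the vulnerability in question.
    for system, version in find_affected(INVENTORY, LOG4J, "log4j-core", "2.0-beta9", "2.15.0"):
        print(f"{system}: log4j-core {version} needs attention")
```

The artifact is matched on group and name, not just name, so `log4j-api` on the static site is correctly left out of the result; the same query can be rerun against the inventory after patching to confirm that the list is empty.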

Whether you are responsible for NIST SP 800-53, NIST SP 800-171, NIST SP 800-172, PCI DSS, ISO 27001, or another security control set, keep these points in mind as you perform your assessments. As a Defense Industrial Base (DIB) contractor, I sit in the position of the company official who has to implement, assess, and attest to compliance with the 110 NIST SP 800-171 security controls required per Cybersecurity Maturity Model Certification (CMMC) Level 2 - essentially an AO. I'm fortunate we have the in-house expertise and experience to be well along the way towards being ready to be assessed by a CMMC Third-Party Assessor Organization (C3PAO).
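As an added example for the data flow point in the list above (not the post's own code), this Python script reconciles a documented data-flow table with a firewall rule set the way an assessor would during a review: it reports allow rules that match no documented flow, rules that are broader than the flow they implement, and documented flows that no rule permits. The subnets, flow purposes and rule ids are constructed for illustration.

```python
"""Reconcile documented data flows with firewall rules. Added example, not from the original post."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One row of the data-flow documentation (constructed schema)."""
    source: str       # CIDR of the initiating side
    destination: str  # CIDR of the receiving side
    protocol: str
    port: int
    purpose: str


@dataclass(frozen=True)
class Rule:
    """One firewall or security-group rule (constructed schema)."""
    rule_id: str
    source: str
    destination: str
    protocol: str
    port: int
    action: str  # "allow" or "deny"


def _net(cidr: str):
    return ipaddress.ip_network(cidr, strict=False)


def rule_covers(rule: Rule, flow: Flow) -> bool:
    """An allow rule covers a flow when it permits the same service and its
    source and destination networks contain the flow's networks."""
    return (
        rule.action == "allow"
        and rule.protocol == flow.protocol
        and rule.port == flow.port
        and _net(flow.source).subnet_of(_net(rule.source))
        and _net(flow.destination).subnet_of(_net(rule.destination))
    )


def reconcile(flows: list, rules: list) -> dict:
    """Compare the documented flows against the rule set and return the three gap lists."""
    undocumented, overbroad, unimplemented = [], [], []
    for rule in rules:
        if rule.action != "allow":
            continue
        covered = [f for f in flows if rule_covers(rule, f)]
        if not covered:
            undocumented.append(rule.rule_id)          # permitted, but nobody documented why
        elif all(_net(rule.source).prefixlen < _net(f.source).prefixlen
                 or _net(rule.destination).prefixlen < _net(f.destination).prefixlen
                 for f in covered):
            overbroad.append(rule.rule_id)             # permits more than the documented flow needs
    for flow in flows:
        if not any(rule_covers(r, flow) for r in rules):
            unimplemented.append(flow.purpose)         # documented, but the firewall will block it
    return {"undocumented": undocumented, "overbroad": overbroad, "unimplemented": unimplemented}


# Constructed data-flow documentation: app tier, database tier, CSSP interfaces, one external service.
FLOWS = [
    Flow("10.0.1.0/24", "10.0.2.0/24", "tcp", 5432, "app to database"),
    Flow("10.0.1.0/24", "10.0.9.10/32", "tcp", 6514, "log forwarding to CSSP collector"),
    Flow("10.0.9.20/32", "10.0.1.0/24", "tcp", 22, "CSSP vulnerability scanning"),
    Flow("10.0.1.0/24", "198.51.100.25/32", "tcp", 587, "notification email"),
]

# Constructed rule set as deployed; R3 is wider than documented, R4 has no documented flow.
RULES = [
    Rule("R1", "10.0.1.0/24", "10.0.2.0/24", "tcp", 5432, "allow"),
    Rule("R2", "10.0.1.0/24", "10.0.9.10/32", "tcp", 6514, "allow"),
    Rule("R3", "10.0.9.0/24", "10.0.1.0/24", "tcp", 22, "allow"),
    Rule("R4", "10.0.1.0/24", "0.0.0.0/0", "tcp", 3389, "allow"),
    Rule("R5", "0.0.0.0/0", "0.0.0.0/0", "tcp", 0, "deny"),
]

if __name__ == "__main__":
    for finding, items in reconcile(FLOWS, RULES).items():
        print(f"{finding}: {items}")
```

Each of the three lists maps to a different conversation: an undocumented allow rule is a finding to close or justify, an overbroad rule is a least-privilege tightening, and an unimplemented flow usually means the diagram is stale or the system is about to fail in production once the rule set is enforced.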

Wednesday, September 7, 2022

Where Can I Find a List of Products Approved for DoD?