[OSD(A&S) graphic: Cybersecurity Maturity Model Certification (CMMC) levels]

PENTAGON: Defense contractors and subcontractors, please don’t panic. As acquisition undersecretary Ellen Lord and other officials rolled out a new cybersecurity scheme for defense contractors this morning, they emphasized over and over that they had worked closely with industry to ensure that achieving Cybersecurity Maturity Model Certification (CMMC) won’t be too burdensome for small business.

[Photo: Ellen Lord]

“One of my biggest concerns is implementing CMMC for small and medium businesses,” Lord emphasized. That’s because they’re a major source of both innovative technology – crucial to the Pentagon’s race to keep up with Russia and China – and cyber vulnerabilities – which are key to how Russia and China keep up with us.

The new certification won’t be required for any contracts already signed, only for new ones. The first 10 “pathfinder” solicitations mandating CMMC come out this fall. That means it will take until 2026 to bring all contractors into compliance. That’s because five years is the typical duration of many contracts (and of the Pentagon’s budget-planning process), so it’ll take that long to allow all existing contracts to run their course and replace them with new ones requiring some level of CMMC.

Lord expects big prime contractors to help their subcontractors meet CMMC requirements, and the required level of cybersecurity will often be different between the prime and its subs, depending on who actually has to see sensitive data to do their job. If your company doesn’t work with what’s called “Controlled Unclassified Information” – say, if you cut the grass on base or sell burger patties to the mess hall – you’ll only have to achieve a bare-minimum “Level One” certification:

  • Level One can be “as simple as … does your company have anti-virus software? Are you updating your anti-virus software? Are you updating your passwords?” said Katie Arrington, a senior cyber aide. (Arrington’s full title – deep breath now – is “special assistant to the assistant secretary of defense for acquisition for cyber”). The CMMC framework identifies some 17 specific aspects (“domains”) of cybersecurity, and Level One compliance simply requires instituting one basic “control” measure in each of the 17.
  • Level Two is a transitional phase, where the Pentagon helps companies get ready for the higher levels by instituting new processes, planning, and budgeting. The goal, again, Arrington said, is “helping small business, mainly.”
  • The big jump is to Level Three, the minimum required to handle Controlled Unclassified Information, where companies have to go from the 17 controls required at Levels One and Two to more than 110. Those are derived from the National Institute of Standards & Technology’s NIST 800-171 (Revised), which many companies claim they’re already compliant with.
  • Level Four and Level Five add additional controls for what Arrington called “very critical technology companies” working on the most sensitive contracts. Those standards will derive from ones published or under development by NIST, the International Standards Organization (ISO), the Aerospace Industries Association (AIA), and others.

If all the standards are already out there somewhere, what’s the big difference? It’s this: Under CMMC, companies will no longer “self-attest” that they meet a given standard and have the government take their word for it. Instead, Pentagon-approved third parties will assess each company, under strict conflict-of-interest rules, at the company’s expense. How much this will all cost, and who the “CMMC 3rd-Party Assessment Organizations” (C3PAOs) will be, is something Lord is still working out with industry groups.

Starting with the 10 pathfinder Requests For Proposal in September, more and more RFPs – all of them, by 2026 – will specify which CMMC level a bidder must achieve by the time of the award. In theory, that means you can bid without being compliant, but you’d better get there before the Pentagon chooses a winner, or you’ll be ineligible.

[OSD(A&S) graphic: Cybersecurity Maturity Model Certification (CMMC) timeline]

There’ll be no fines for non-compliance, Lord emphasized: You just won’t get the contract – or any other contract requiring that particular level of certification. And Pentagon officials will not be allowed to give any company a pass on cybersecurity because they really like the price or product that it’s offering.

“This is not a trade with cost and schedule and performance,” Lord said. “There’s a minimum standard that needs to be met.”

“We understand that CMMC could be a burden to small companies particularly and we will continue to work to minimize impacts, but not at the cost of national security,” she said. The Pentagon, prime contractors, and industry associations are looking at ways to build computing infrastructure that meets the various CMMC levels and then give subcontractors access to it, so they don’t have to pay the expense of creating it themselves.

How Long, O Lord?

Lord and her aides laid out a detailed timeline to implement the Cybersecurity Maturity Model Certification scheme.

2019

  • April: Defense Department officials began meeting weekly with defense associations on CMMC, as well as making regular pilgrimages to Capitol Hill seeking feedback from Congress.
  • September-December: The Pentagon received and reviewed “thousands of public comments” on draft versions of CMMC.

2020

  • January: 13 experts from industry, academia, and the cybersecurity community – half of them with small-business backgrounds — came together to form a CMMC “Accreditation Body.” That’s basically an independent, non-profit, industry-funded board that will oversee the training and credentialing of the third-party assessors. A detailed Memorandum of Understanding between the Defense Department and the board is in the works.
  • March-April: The board’s online “marketplace” – where companies seeking CMMC certification can find and hire a third-party assessment firm (C3PAO) – will go live.
  • May-June: By “late spring/early summer,” the Pentagon will complete the formal rulemaking process and release a new Defense Federal Acquisition Regulation (DFAR) on how CMMC works.
  • June: A big month. The Defense Acquisition University (DAU) will begin offering online courses on CMMC, and the Pentagon will issue the Requests For Information (RFIs) for the first 10 “pathfinder” contracts, each expected to affect some 150 contractors and subcontractors. Some of these contracts will only require CMMC Level One, others Level Three, and “one or two” may require Level Four or Five.
  • September: Based on industry feedback from the RFIs, the Pentagon will issue the formal Requests For Proposal (RFPs) for the 10 pathfinder contracts. The actual awards will come weeks or months later.

2020-2026

  • Lord’s office will watch how the pathfinders work out and make adjustments to the CMMC process as necessary before issuing new RFIs and RFPs for further contracts. Over six years, as old, pre-CMMC contracts are completed and new, CMMC-mandating ones are issued, all contracts will move to the new system.

Isn’t that a long time to take for something as important as cybersecurity? The Pentagon will prioritize the most sensitive and important programs, Lord said, especially nuclear weapons, missile defense, and a host of rapid prototyping efforts under Other Transaction Authority (OTA), Section 804 Mid-Tier Acquisition, Small Business Innovation Research (SBIR), and other streamlined processes. Other, less urgent programs can afford to take longer, she said.

The Defense Department doesn’t want its small-business subcontractors to leak secrets, but it doesn’t want to make doing business with DoD so difficult that those innovative firms give up, either. It’s a delicate balancing act indeed.

“This is a complicated roll-out to industry and we’re being realistic,” Lord said.
