The U.S. Department of Defense recently released the final version of the Cybersecurity Maturity Model Certification (CMMC v. 1.0), which is its new supplier cybersecurity compliance program. Many defense contractors and subcontractors are familiar with the NIST 800-171 compliance program, but there are key differences between the programs.

1. CMMC requires defense suppliers to be certified by CMMC assessors

One of the most important changes made by the CMMC is that suppliers must be inspected by assessors. Under NIST 800-171, contractors could self-certify – i.e., they could claim current compliance, or they could claim their intention to be compliant (say within six months). DoD, however, is no longer satisfied with that approach, which is why it will require third-party assessments.

DoD estimates there are more than 300,000 defense suppliers, which means a large number of assessors will be needed. The CMMC Accreditation Body was established as a nonprofit organization in January 2020. Its goal is to train, test, and license up to 10,000 CMMC assessors, a herculean task.

There will also be assessment organizations, called CMMC 3rd Party Assessment Organizations (C3PAOs), that will be licensed by the Accreditation Body. In addition to being trained and tested on CMMC, assessors will undergo a security background check. The CMMC training for assessors is being created by Carnegie Mellon University’s Software Engineering Institute (SEI) group.

2. Defense suppliers will require CMMC compliance to win awards for selected RFPs

DoD wants to put additional muscle into the CMMC program that connects directly to DoD procurement practices. Beginning in June 2020, selected RFIs (Requests for Information) will refer to CMMC requirements, and in September 2020, selected RFPs (Requests for Proposals) will begin to include CMMC requirements. To be able to compete effectively for those contracts, offerors will need to meet these requirements by the time of the contract award.

3. Defense subcontractors may also require CMMC compliance for selected awards

Although large contractors and primes may be focusing on obtaining their own CMMC certification, that may not be sufficient. To participate in DoD procurements that have CMMC requirements, their subcontractors will also need to be CMMC certified. That means that primes will have to prod and help their subs get ready for CMMC assessments.

4. CMMC – scaling down for smaller suppliers

One goal of DoD is to build up the cybersecurity maturity of smaller defense suppliers. To do that, CMMC scales down the NIST 800-171 requirements for smaller companies. CMMC specifies five levels, with levels 1 and 2 being for smaller suppliers — representing the bulk of the 300,000 companies. Although CMMC requirements for Level 5 companies include 171 different controls or practices, Level 1 suppliers only need to comply with 17 of them. Level 2 suppliers must comply with a total of 72 practices.

5. CMMC – scaling up from 171 via extra practices of higher levels

To achieve compliance with CMMC Level 3, suppliers essentially need to comply with the NIST 800-171 set of practices. However, for Levels 4 and 5, additional domains, practices, and processes must be met.

There are more than 30 new practices – mostly for Levels 4 and 5 – that do not originate from 171. They are based on FAR clause 52.204-21, NIST 800-171B (which is being renamed going forward to NIST 800-172), as well as other practices from the Center for Internet Security (CIS), CERT Resilience Management Model (CERT-RMM), and NIST Cybersecurity Framework (CSF). 

6. CMMC has three new domains

NIST 800-171 includes 14 domains. The CMMC increases the number of domains from 14 to 17 through the addition of domains for asset management, recovery, and situational awareness.

7. CMMC adds process maturity

NIST 800-171 is focused on controls and related practices. CMMC also focuses on practices, but it adds a process maturity requirement that starts at Level 2.

8. CMMC has a greater focus on cyber threat intelligence

CMMC retains the classic emphasis on access control, audits, configuration management, media, and personnel security. However, DoD is growing more concerned about the nature and speed of cyber threats. As a result, CMMC has a number of practices that are focused on situational awareness, cyber threat alerts, and cyber threat intelligence. CMMC Levels 2 and 3 focus on more basic cyber threat intelligence practices. Levels 4 and 5 focus on more advanced cyber threat intelligence practices (IOCs, threat hunting, cyber threat sharing, etc.).

To learn more, watch the CMMC Academy’s webcast on CMMC 1.0 vs. NIST 800-171. The CMMC Academy is focused on helping defense contractors and subcontractors learn more about CMMC via webcasts, briefings and an online CMMC Reference Guide. The Academy is free and is an initiative of Celerium Inc. For more information, see: https://CMMC.Academy

About the Author

Tommy McDowell has been a consultant and auditor for a number of different compliance programs including Classified (DIACAP, DISCAP), NIST 800-53, DOE-C2M2, and NERC CIP. He also has worked in cyber threat intelligence programs at Mandiant and FireEye and is now the General Manager of Celerium Inc., which provides cyber threat intelligence and sharing solutions.