Lockheed Martin’s F-35 assembly line.

For more than a year the Defense Department has been preparing industry for the day it would begin holding contractors to a higher cybersecurity standard, under threat of being locked out of future DoD contracts if they don’t meet it—a process known as Cybersecurity Maturity Model Certification (CMMC). Today is the day CMMC takes effect. Contractors that don’t eventually comply will have to find a new line of work.

“Today is the start of the new day,” said Katie Arrington, special assistant to the assistant secretary of defense for acquisition for cyber, speaking at the virtual AFCEA TechNet conference. “This is a big cultural shift, and I think everyone well knows that this is the start of making cybersecurity foundational to (DoD procurement). We need to make sure that we are imparting the best practices and helping the industry with the critical thinking around cybersecurity.”

The new Defense Federal Acquisition Regulation Supplement (DFARS) for CMMC includes three new rules that are in effect as you read this, but Arrington said DoD is taking a “crawl, walk, run” approach to implementation so companies are not put immediately at risk. Still, there are steps the Defense Industrial Base (DIB) must take without delay.

The first one is the “crawl.” Under a trust-but-verify model, contractors must log in to the DoD’s Supplier Performance Risk System and self-report on how their companies are implementing a National Institute of Standards and Technology (NIST) requirement governing Controlled Unclassified Information (CUI). Companies rate themselves between zero and 110, which is the number of cybersecurity controls NIST requires.

CUI is information that companies touch, store, control or transmit on behalf of the government that isn’t classified or secret but still needs safeguarding. CUI can be anything from personally identifiable information (PII) to emergency response plans. Prior to 2008, such documents and data were labeled “For Official Use Only” or “Sensitive but Unclassified.”

“The aggregate loss of controlled unclassified information from the DIB sector increases risk to national economic security and, in turn, national security,” states the Office of the Undersecretary of Defense for Acquisition and Sustainment, which developed CMMC. “In order to reduce this risk, the DIB sector must enhance its protection of CUI in its networks. CMMC is intended to serve as a verification mechanism to ensure appropriate levels of cybersecurity practices and processes are in place to ensure basic cyber hygiene, as well as protect CUI that resides on industry partner networks.”

The second new control requires that any company that rates itself between 80 and 110 be audited by the Defense Contracting and Management Agency (DCMA) to prove that it is not exaggerating its cybersecurity stance. That’s the verify part, and it has been ongoing for about two years, since companies could begin self-assessing long before CMMC became a requirement. So audits are the “walk” part of the new controls.

The third control is the “run,” and that is actually where CMMC gets its name. It is “the instantiation of how we’re going to ensure cybersecurity is foundational to all acquisition,” said Arrington. Beginning later this year, CMMC requirements will become part of all DoD Requests for Information. Going forward, the ability of contractors to bid on certain DoD work will be dependent on their CMMC status.

There are two exceptions: CMMC is not required for “micro purchases” under $10,000 or for commercial off-the-shelf products.