February 2020: CMMC Latest FAQs
On January 31, 2020, the DOD answered several questions specific to the CMMC.
In 2019, the Department of Defense (DOD) announced the development of the Cybersecurity Maturity Model Certification (CMMC). The CMMC is a framework not unlike the National Institute of Standards and Technology (NIST) 800-171; unfortunately, it mostly duplicates it. CMMC is nothing more than an evolution of NIST 800-171, with elements from NIST 800-53 and several other cybersecurity frameworks, intended to provide a better cybersecurity posture for companies and agencies conducting business with the US government. This is a positive evolution that includes and requires third-party auditing by cybersecurity professionals recognized by the DOD.
In addition to assessing a company’s implementation of these wide-ranging cybersecurity controls, the CMMC will also evaluate the company’s maturity/institutionalization of cybersecurity practices and processes. The principles of cybersecurity governance will govern how security controls and their associated methodologies are applied. These will be the rules and standards established by the DOD as the Tier 1 governing body per NIST 800-37, Guide for Applying the Risk Management Framework (RMF) to Federal Information Systems: A Security Life Cycle Approach, the foundational document for RMF.
Companies will be certified at the appropriate CMMC level based upon the sensitivity of the system and its data.
The level will be stated within formal contract requirements.
CMMC also affects subcontractors, which will likewise be required to meet CMMC standards.
CMMC is not retroactive. There will be no penalties for non-compliance under existing contracts. However, future punitive actions by the government will be invoked via contract for non-conformance, including failure to follow the process.
The roll-out of CMMC is “still very fluid.” The dates and scale of implementation will continue to be delayed. The DOD has not fully scoped the level of effort or the cost to create a non-profit company to manage and accredit the thousands of contractors that will potentially be barred from future DOD contract actions. However, companies should continue to anticipate the security control requirements, especially under the NIST 800-171 framework.
Mandatory CMMC certification will be required once the program is finalized. Contractors are still expected to be driving toward the NIST 800-171 standards. They will need to be certified by the final contract award date.
Acquisition policies and regulation changes. The DOD CISO has been actively engaged in several major changes to the DODI 5000-series specific to CMMC implementation. Expect them to require building in security control measures, including reportable milestones and benchmarks for CMMC compliance. Additionally, DFARS changes are pending that will further mandate CMMC, including flow-down requirements to subcontractors.
Other facts:
There will be no foreign standards authorized under CMMC. Under current federal law, systems attaching to federal networks must comply with NIST 800-53, and those systems not directly attaching to federal networks or handling federal information must comply with either NIST 800-171 or the National (NIST-based) Cybersecurity Framework. Why are you adding foreign cybersecurity standards? These US standards were established because the Defense Industrial Base (DIB) continues to struggle with these frameworks. It’s the law, DOD!