The first in a multi-part blog series on CMMC.
By the end of 2017 the Department of Defense (DoD) required compliance with DFARS clause 252.204-7012. This clause requires defense contractors that handle controlled unclassified information (CUI) to implement the security requirements in NIST SP 800-171. Compliance is established through self-attestation.
Guess what? One-size-fits-all didn’t work well, especially at the smaller end of the DSC. Self-attestation didn’t work well either.
What is Special About CMMC?
In the Fed space we do a great job hiding information in acronyms. The name CMMC (Cybersecurity Maturity Model Certification) actually identifies two of the three breakthrough elements of this mandated framework.
Cybersecurity Maturity Model. Instead of the one-size-fits-all approach (NIST SP 800-171 applies the same 110 controls to everyone), CMMC groups its practices into five maturity levels (think CMMI). Meeting the Level 1 practices allows a company to handle Federal Contract Information (FCI). Meeting the practices through Level 3 allows a company to handle Controlled Unclassified Information (CUI). Levels 4 and 5 address tighter requirements that will be driven by specific contracts.
Certification. No more self-attestation. Once CMMC is in full swing and a DFARS clause updated for CMMC applies to a contract you may be awarded, you will need to have your compliance with CMMC certified by a third party.
CMMC Speaks Two Languages. “Parlez-vous français?” is not in the acronym; however, it is the third really significant breakthrough in the CMMC model. NIST SP 800-171, as applied by DFARS 252.204-7012, is a practice and control framework. Each practice/control specifies a capability your company must have in place to be compliant, so your answer on each practice/control item is binary: “Met” or “Not Met”.
CMMC adds controls that measure the maturity of the processes you use to manage these capabilities. Level 3 consists of 130 practice/control items, and on top of those you must meet three process requirements in each of the seventeen security domains in the model. These are the seemingly mysterious items numbered 999, 998 and 997: 999 requires a policy that covers the domain, 998 requires the practices that implement that policy to be documented, and 997 requires a plan for the domain that is established, maintained and resourced (999 and 998 are introduced at Level 2; 997 is added at Level 3). Three processes across seventeen domains amounts to 51 process items that must be in place for compliant Level 3 process maturity.
Learning a second language requires time and focus. Adding this second language of process maturity means you are now measuring your cyber performance in two dimensions: practices/controls and processes. Visibility into both is a significant improvement in your understanding of the cyber risk you face, and the two dimensions become key elements as you develop your cyber roadmap.
What is the Interim Period?
The “Interim (or Provisional) Period” causes a lot of confusion. This section breaks the Interim Period down into what you need to know to stay in compliance.
The CMMC Accreditation Body (CMMC AB) is focused on putting in place the structure and the companies needed to support CMMC. A key part of that support structure is the Certified Assessors (CAs) who will certify (audit) that you comply with CMMC.
Training for these CAs is just getting started. Realistically, the summer of 2021 is the earliest you could be assessed by a CA. So in the “interim”, companies are to report a score based on their NIST SP 800-171 compliance. Until certified CAs can assess your CMMC compliance, Provisional Assessors will audit your 800-171 score in advance of a contract award under this modified DFARS. Last year the CMMC AB identified its first cadre of Provisional Assessors, roughly 100 people.
How Is CMMC Good for the Medium and Small Businesses in the DSC?
OK, back to my opening premise. I meet with roughly 10 new companies a week on the topic of CMMC. I am currently leading a dozen or so on their CMMC journey. As our smaller companies do a quick take on CMMC, they are simply rocked back on their heels. At first glance, CMMC appears to be a huge effort. A few of the companies I am working with today are having the discussion some of you may be having: “Is this worth it? Can I afford it?”
The irony is that CMMC is a great fit for smaller companies if applied properly. In the next edition in this series, I will get into the details of how smaller companies can begin their CMMC journey toward certification efficiently and affordably.
Do This Now!
While you wait for the second installment in this series, I strongly urge you to do the following. Proactively reach out to the prime contractors you expect to work with in the coming 12 months. Ask each of them how they are handling CMMC in general and the Interim (Provisional) Period in particular. This is a great way to get more of the “close at hand” facts you need to understand how CMMC will impact you.