What You Need to Know: DoD CMMC Requirement

Why all companies who do work with DoD should read this.

All companies that are pursuing new prime contracts or are currently conducting business with the DoD must obtain the Cybersecurity Maturity Model Certification (CMMC) or risk disqualification from bidding on contracts that require it. This includes contractors with flexibility to assign subcontracts a maturity level lower.

What is the purpose of the new CMMC requirement?

Led by the Office of the Under Secretary of Defense (OUSD) Acquisition and Sustainment (A&S) to work with the Defense Industrial Base (DIB) sector, this new requirement is designed to unify cybersecurity standards and best practices for DoD acquisitions and map controls and processes across maturity levels (basic cyber hygiene to advanced).

The requirement’s focus is on protection of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI), including risk reduction of Advanced Persistent Threats (APTs).

Planning for the CMMC Certification

The CMMC Model v1.0 was officially released for industry review on January 31st.

  • It’s comprised of 17 capability domains and 43 capabilities
  • It includes 5 processes across five levels to measure process maturity
  • It applies 171 practices across five levels to measure technical capabilities
CMMC Level, Practices, Processes, & Focus Areas
CMMC Capability Domains

The capability domains listed below are the specific processes, practices, and capabilities that span across the five certification levels (Table 1).

  1. Access Control (AC)
  2. Asset Management (AM)
  3. Awareness and Training (AT)
  4. Audit and Accountability (AU)
  5. Configuration Management (CM)
  6. Identification and Authentication (IA)
  7. Incident Response (IR)
  8. Maintenance (MA)
  9. Media Protection (MP)
  10. Personnel Security (PS)
  11. Physical Protection (PE)
  12. Recovery (RE)
  13. Risk Management (RM)
  14. Security Assessment (CA)
  15. Situational Awareness (SA)
  16. System and Communications Protection (SC)
  17. System and Information Integrity (SI)
CMMC Level, Process, & Practices
Getting CMMC Certified
  • Red Team recommends clients start the process of becoming CMMC L1 certified in 2020.
  • Certification requires an independent third-party organization, who has been trained and given authority by the CMMC-AB, to conduct audits and inform risk. Companies are required to coordinate directly with an accredited and independent third-party commercial certification organization to schedule a CMMC assessment. Certifications are good for 3 years – no self-certification option will be allowable.
  • Companies must specify which certification level they request based on specific business requirements. (See Table 2 for specifics) Certification award at the requested CMMC level is based upon demonstrating capability and organizational maturity to the assessor and certifier.
  • The cost for certification has not been determined and will scale with the level requested. The cost of certification will be considered an allowable, reimbursable cost.
  • Assessors will receive a license from the CMMC Accreditation Body (formed in January 2020) and will work for Certified Third-Party Assessment Organizations (C3PAOs). C3PAOs are informed by and assessing under DFARS regulations and NIST 800-171 guidance.
  • Beware of tools that promise CMMC compliance as the CMMC-AB is still working on defining and completing the standards, best practices, and training curriculum.
CMMC Certification: What’s Next?
  • DoD will issue a new DFARS clause in the April/May 2020 timeframe and then include the CMMC requirements in ~10 RFIs in June/July 2020, and ~10 RFPs by September/October 2020.
    • DoD does not intend to modify any existing contracts to include the CMMC requirements.
  • DoD’s intent is to identify the required CMMC level in RFP sections L&M and apply these requirements as a go / no-go decision factor.
  • We’re estimating that CMMC will be fully implemented FY 2026 as existing contracts end and are replaced by newly competed contracts containing CMMC requirements.
  • Concerns already on cost-effectiveness and affordability for small businesses to implement at the lower CMMC levels, which provides opportunities for large businesses to mentor, partner with, or even acquire small and medium sized businesses.

For more information, check out the CMMC FAQ here.