The compliance-conscious companies of the internet were set abuzz last month when everyone started catching wind of an announcement that the DoD is creating a cybersecurity assessment model and certification program called the Cybersecurity Maturity Model Certification, or CMMC. Everyone and their brothers were publishing nearly identical articles summarizing the slide deck that accompanied the announcement and pontificating on the implications. And while there was plenty of conjecture, there are very few answers to the many questions that the announcement left us with.
What We Know
Here are the high points of what we do know about CMMC:
- The current plan is for there to be five levels of certification, all denoting a different stage of cybersecurity maturity.
- Future DoD contracts will feature the required CMMC level in sections L and M of the RFP.
- Every contractor/vendor on every contract will have to have their compliance certified by a third-party auditor. CMMC will do away with the self-attestation of compliance that we have seen with DFARS 252.204-7012.
- There are supposed to be Listening Sessions (aka Industry Days) getting scheduled in at least 12 major hubs throughout the US. These days are meant to give the industry the chance to get more information on what is to come and to provide the DoD with feedback.
- San Diego, CA – July 25
- Washington D.C. – July 29
- Fairfax, VA – July 30
- Tampa, FL – August 21
- Augusta, GA – August 23
- Huntsville, AL – August 27
- Burlington, MA – October 10
- Detroit, MI – TBD
- Kansas City, KA – TBD
- San Antonio, TX – TBD
- Colorado Springs, CO – TBD
- Phoenix, AZ – TBD
- Seattle, WA – TBD
- The goal is to start certifying vendors as early as January 2020 and achieve widespread implementation of CMMC by the end of 2020.
What We Expect
We would rather wait for more information to be released than start making bad assumptions about what CMMC will actually end up looking like. But we do have a couple of expectations for how things will play out.
- Soon, all DoD contracts will have a CMMC level attached to them. That means that when CMMC finally hits, there could be a lot of existing contracts up for grabs if the incumbent contractors don’t have the CMMC level required to win the recompete. It might truly turn into a “you snooze, you lose” type of situation.
- It’s looking like NIST 800-171 will be the primary foundation for CMMC. So for companies wondering how to get a head start on setting themselves up for CMMC compliance, getting NIST 800-171 compliant as soon as possible with the help of someone like Mission Multiplier is going to be the way to go.
What We Wonder
The announcement left everyone with a lot of unknowns. We certainly have more questions than answers right now. Some of the main ones that we are hoping to answer in the coming months are:
- How much inspiration will CMMC draw from existing compliance standards? Are we looking at a more robust DFARS 252.2014-7012, or something different?
- Are we going to be looking at vague "check the box" types of compliance controls, or are we going to get nitty-gritty details of exactly how the DoD wants the controls implemented and audited?
- How often will audits need to be conducted? Are we looking at an annual requirement, or will events like major IT changes be triggers for re-evaluation?
- Will primes and subcontractors be expected to have the same level of compliance? If the primes are expected to maintain a higher level and essentially vouch for the subs, that puts a heavy burden on their shoulders. On the flip side, many subcontractors might not be able to afford the level of compliance they need without help.
- Speaking of costs, when CMMC hits, IT security costs are going to be considered an allowable charge on contracts. This development, along with the statement that the required CMMC level will be explicitly stated in the RFPs as a "go/no-go" criteria, has posed another series of questions. Will lower-level companies have the ability to win contracts with a contingency that they reach the required CMMC level by a certain time, with the government footing at least part of the bill to bring them up to the required level? Or will there be some sort of reimbursement scheme for companies that are already at the required level? It wouldn't make sense for contractors to get reimbursed multiple times, but how would it be decided which contract would pay out the reimbursement?
- What compliance components are the government going to consider “cost-effective” enough to be achievable by small businesses?
- How are the organizations that will be third-party auditors going to be selected? What criteria will they be evaluated on? Is it going to be a mad dash with hundreds of companies competing for the chance to be CMMC auditors, or will the slots go to companies that have handled similar audits before?
- For the organizations that get selected as auditors, what are the envisioned conflict of interest issues that may arise for companies that provide CMMC compliance-related services? Will they be able to simultaneously audit and provide the tools or consulting to assist with compliance?
When it comes to the new CMMC, there are certainly plenty of questions left to be answered. Mission Multiplier hopes to get answers to these questions and more in the coming months so that we can more effectively assist our fellow DoD contractors achieve the compliance they need without breaking the budget or dealing with headaches. You can expect us to be at the upcoming Huntsville CMMC listening session and to come away with far more information than everyone has right now.
If you, your organization or company, or someone you know would like more information on cyber compliance or our company, please do not hesitate to reach out to Mission Multiplier at firstname.lastname@example.org.