In January 2020, the US Office of the Under Secretary of Defense for Acquisition and Sustainment introduced the Cyber Maturity Model Certification (CMMC). It is the next evolutionary step for the US Department of Defense (DoD), from the previous Defense Federal Acquisition Regulation (DFAR) requirements.
The CMMC will become the standard requirement for suppliers to operate within the US DoD acquisition and procurement process. All companies supplying to DoD projects, sustainment and operations must become certified and it will be a ‘go, no-go’ process where suppliers need to be certified before commencing supply.
The CMMC is a unified cyber security standard for suppliers that are part of the United States Defense Industry Base (DIB). It is designed to support efforts across the DoD to better manage cyber risk in its supply chains, currently involving over 300,000 companies globally.
The standard is assessed across five levels of maturity, with Level 1 requiring the most basic cyber security and Level 5 requiring the most advanced with 171 embedded practices and processes to ensure security and compliance with suppliers who hold Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). Requirements will be cumulative, so requirements at Level 1 are also required at every other Level and so on (Figure 1 refers).
Figure 1 - Cybersecurity Maturity Model Certification Capability Domains and Levels
What does it cover?
The matrix at Figure 2 outlines the number of practices required to achieve the level and cross-references to existing certifications. The certification requires compliance with the DFAR/NIST 800-171 requirements and is harmonised with the Australian Cyber Security Centre’s Essential 8 and the United Kingdom’s Cyber Essentials. CMMC will not replace other compliance requirements but is required in addition to other requirements.
Figure 2 – Cybersecurity Maturity Model Certification Levels
Companies already using NIST 800-171 are well on the way to meeting requirements set out under the CMMC. The major difference between NIST800-171 and CMMC is the new maturity model outlines the practical implementation of requirements. The CMMC will also indicate where requirements map to NIST 800-171 as well as other compliance requirements like FedRAMP.
How has it been developed?
The CMMC Advisory Board (CMMC-AB) has initiated working groups who are developing the individual processes required for broad implementation. These include:
- CMMC Standards Management
- Standards Management Committee and Industry Working Group
- Credentialling Committee
- Accelerating Initial Assessment Working Group
- Assessment Quality Assurance Working Group
- CMMC Assessment Methodology Working Group
- Training Committee
- Review of CMMC-AB Training and Certification Framework
- Structure of Learning Objectives of Provisional Certification Assessor – Level 3 examination
- Development of pool of exam questions for Provisional Certification Assessor Level 3 examination.
This also includes what will be classified as controlled unclassified information (CUI), training of DoD acquisition employees on the CMMC requirements and certification of companies endorsed as certifiers for CMMC.
The CMMC-AB will also work with partners in Australia, Canada, New Zealand the United Kingdom to build strategic relationships with local accreditation bodies or certify allied foreign nationals to assess local companies.
What is the timing on implementation?
The CMMC will apply to contractors, sub-contractors and third-party suppliers/ providers. It is likely to be a five to six-year transition to full implementation of CMMC and NIST 800-171 will continue to be utilised until then.
From 3 May 2020, the certification of qualified certifying organisations will commence, followed by an indication of providers and associated/ expected levels of CMMC in June 2020. It is expected that by October this year, the CMMC will start to appear in RFP paperwork. Note the COVID-19 pandemic may impact these timeframes.
What does this mean for Australian cyber security companies?
The adoption of the CMMC across the DIB will create both opportunities and pressures for Australian companies looking to enter the market to work with US DoD.
Australian companies should consider the level of CMMC that may be required in order to operate with US DoD. All companies within the US acquisition and procurement cycle will be required to be fully compliant by 2025.
More information on the CMMC can be found at https://www.acq.osd.mil/cmmc/faq.html and updates will be provided by our Special Projects and US Ecosystem Development Lead, Michelle Mosey ([email protected]) over the coming months on the initial uplift.