CMMC Still on Schedule Despite Covid-19 Setbacks
The Cybersecurity Maturity Model Certification (CMMC) is still on schedule, according to articles posted by National Defense Magazine. CMMC was developed by the Department of Defense and industry as an effective means of implementing a risk-based management approach to cybersecurity. The first draft (Version 1.0) was released on January 31, 2020.
This approach to cybersecurity will be accomplished by establishing baseline requirements for vendors in the defense industry. By the end of September 2020, the DoD required at least some companies to meet certain cybersecurity criteria when responding to requests for proposals. By 2026, all new DoD contracts will require compliance.
Auditor Classes on Schedule as Well
Auditing of businesses involved in DoD contracts will be performed by qualified third parties. These auditors will be qualified by means of CMMC Certified Third Party Organizations (C3PAO). Plans are still underway to get the first round of C3PAO classes running in May or June of this year. These audits will be performed on site.
Businesses Urged to Get Started
Katie Arrington, chief information security officer at the office of the undersecretary of defense for acquisition, commented that businesses should start implementing Level 1 requirements immediately. She was quoted as saying, “CMMC level one are 17 controls, no cost, that you can implement today that can help you be secure.” She also stressed the need for urgency, saying, “Waiting isn’t an option for any of us right now.”
SPRS Cybersecurity Assessment Requirements
To press companies toward compliance, and to ensure that CMMC stays on schedule, the DoD created an interim ruling, DFARS 252.204-7012, requiring Supplier Performance Risk System (SPRS) assessments as of September 2020. This has left businesses, especially second- and third-tier suppliers, scrambling to meet the requirements. The SPRS Cybersecurity Assessment is a requirement for all businesses providing products or services to the Department of Defense (DoD). The SPRS assessment must be completed by the contractor before DoD contracts can be awarded.
The assessment uses a scoring methodology for the security requirements, based on the NIST SP 800-171 DoD assessment methodology. The methodology consists of three assessment levels (basic, medium and high). The interim rule requires a basic-level self-assessment to be completed by the contractor. Medium or high assessments must be completed by the government.
Self-attestation to NIST 800-171 is already a requirement under current regulations; however, the interim ruling allows the government to inspect compliance more carefully. CMMC will not be required for Commercially Available Off-the-Shelf (“COTS”) procurements at or below the micro-purchase threshold.
NIST SP 800-171
- Level 1 – Basic Cyber Hygiene
- Level 2 – Intermediate Cyber Hygiene
- Level 3 – Good Cyber Hygiene
- Level 4 – Proactive
- Level 5 – Advanced/Progressive
Each of these levels requires an organization to have a minimum number of controls in place. To verify compliance, an organization will need to be audited by a certified third party assessor organization (C3PAO).
CMMC currently consists of 171 controls involving people, processes, and technology. These include controls for access, configuration management, incident response, media protection, and situational awareness, among others. While having these controls in place is essential, CMMC does not provide a means for effectively managing them.
The Need for Effective Cybersecurity in Businesses is Very Real
As of the beginning of the year, about $600 billion of domestic product is lost to cyber theft per year. A large part of this is being undertaken by the People’s Republic of China and the Democratic People’s Republic of Korea. For businesses involved in the manufacture or development of defense materiel, this is especially concerning.
Because of Covid-19, many companies have had to institute remote work before establishing sufficient cyber protocols. At this time, companies are being urged to remain diligent. Of late, many businesses have had problems with Zoom. While Zoom is not alone with regard to vulnerabilities, its links to China make it a poor choice for members of the defense industrial base.
Concerns Over Industry Costs
In April of 2021 it was announced that the Defense Department was conducting an “internal assessment” of the CMMC. A number of voices have raised concerns about the cost of meeting CMMC for smaller businesses among DoD contractors. Among them is Lauren Knausenberger, the Air Force Chief Information Officer, who Fedscoop reported as having mixed feelings about locking out smaller, innovative suppliers.
CVG Strategy CMMC Consultants
CVG Strategy is committed to getting businesses on track and competent with cybersecurity. The CMMC is still on schedule; is your business? We are assisting businesses in performing their SPRS assessments and providing guidance on how to move forward.