The U.S. Department of Defense continues its push to strengthen the security of the Defense Industrial Base and the critical information contained therein. Businesses either currently involved in, or hoping to bid on, contracts with the U.S. Department of Defense must soon prove their commitment to cybersecurity before being allowed to even bid on new work – in perhaps as little as one year from now.
A New Cybersecurity Requirement in Less Than a Year
This new effort is led by the DoD’s Under Secretary of Defense for Acquisition and Sustainment and is called the Cybersecurity Maturity Model Certification (CMMC) program. Under this new program, prior to bidding on and winning contract work, companies must undergo a cybersecurity assessment by an authorized third-party assessor. These assessors will use security control frameworks such as NIST SP 800-171, ISO 27001, NIST SP 800-53 and others to evaluate the maturity and effectiveness of a company’s cybersecurity program. Once assessed, a rating between 1 and 5 is assigned, with 1 indicating basic compliance and 5 indicating advanced and comprehensive compliance.
Security Assessments by Authorized Assessors
According to the Special Assistant to the Assistant Secretary of Defense for Acquisition for Cyber, starting in mid-CY2020 contracts will include a Cybersecurity Maturity Model Certification (CMMC) rating requirement of 1 to 5. To respond to and bid on this work, the responding company must hold a CMMC rating equal to or greater than the one specified in the Request for Proposal (RFP). This rating must have been earned through an assessment by an authorized assessor recognized by the Department of Defense. These assessors are intended to be independent entities, not associated with other products or services sold to the government or its contractors.
The required CMMC rating is based on the sensitivity of the information associated with, or generated in support of, the contract work. We expect that most contracts will require a rating of 1 to 3, with 1 being associated with contracts for which little to no sensitive information is generated, up to 3 for those that may include sensitive information categorized as controlled unclassified information (CUI) and special access to government systems and facilities. The ratings of 4 to 5 will likely be reserved for programs with additional sensitive information, plans, technology and other unique requirements.
The Resource Challenge
Obviously, this effort is intended to stem the tide of U.S. intellectual property and critical data being stolen by U.S. adversaries. We have all heard the many reports of exploits, compromises and data leaks that plague not only our Defense Industrial Base (DIB), but also our commercial and personal interests. From this perspective, such an effort is commendable though daunting. Many small businesses have only recently come to terms with the security requirements for handling CUI, which went into effect less than 2 years ago and remain a challenge. The CMMC requirement poses another significant challenge to resource-constrained small businesses. The Special Assistant to the Assistant Secretary of Defense for Acquisition for Cyber, speaking at various recent conferences, has noted that a mechanism is planned to allow reimbursement for some of the cybersecurity costs via allowable charges in contract terms.
An Aggressive Timeline
While the DoD has been pressing for increased DIB cybersecurity since the introduction of NIST SP 800-171 and DFARS 7012, the Cybersecurity Maturity Model Certification program was rapidly introduced, with details still slow to emerge. A number of announcements and discussion sessions are underway, and representatives from OUSD(A&S) are speaking at various defense conferences. The announced timeline thus far includes published CMMC version 1.0 standards by the end of January 2020, assessment organizations offering services soon after, and government requests for proposals (RFP) and requests for information (RFI) including CMMC requirements by June 2020, with contracts requiring assessed compliance soon after.
Assured Bridge is your Compliance Partner
The Assured Bridge Team is following these developments closely to ensure our secure environment services are commensurate with the CMMC requirements, while maintaining and improving compliance with the NIST SP 800-171 framework. We envision that adherence to NIST SP 800-171 standards will meet the vast majority of requirements for CMMC levels 1-3. We have also begun designing improvements to support those customers requiring compliance at levels 4-5. We remain committed to providing secure and compliant operations environments and resource knowledge that our customers can depend on to protect their sensitive information and meet the U.S. government’s compliance objectives.
The United States Office of the Under Secretary of Defense for Acquisition & Sustainment, Cybersecurity Maturity Model Certification has created a web site with information that will be updated as the program matures: https://www.acq.osd.mil/cmmc/index.html.