By Scott M. McAuliffe, CPA, CISA, CFE, Risk Advisory Services Partner
Assessment Requirements of the Department of Defense’s CMMC
If your company works with the Department of Defense (DoD), you have probably heard rumblings about the need to comply with CMMC. The Cybersecurity Maturity Model Certification (CMMC) is a cybersecurity framework, developed by the DoD, that will require third-party assessments and certifications of DoD contractors. The CMMC builds off National Institute of Standards and Technology’s (NIST’s) cybersecurity frameworks. Prior to CMMC, contractors were required to self-certify compliance with NIST SP 800-171; however, the DoD determined with the increasing cyber risks to the Defense Industrial Base (DIB) (e.g., ransomware, state-sponsored cyber-attacks) that the self-certification was insufficient.
As a result, beginning in 2021, CMMC requirements will begin to appear in some DoD solicitations and will phase in over the next five years, after which all new DoD solicitations, except for contracts related to COTS (commercial-off-the-shelf) suppliers, will have CMMC requirements.
The CMMC assessments must be performed by CMMC Third Party Assessor Organization (C3PAO). At present, there is only a small cadre C3PAO’s because training materials and testing are not yet generally available. Once more C3PAO and their assessor teams are certified, CMMC requirements are likely to appear more regularly in DoD solicitations.
The CMMC will be enforced through the contracting process. The DoD will specify the certification level required by the prime contractor in its request for proposal (RFP) based on the type of information the prime contractor generates or is provided under each contract. The prime contractor will determine the compliance level for the subcontractors. If a prime contractor does not have the required certification at the time of contract award, the company will be ineligible for contract award.
Explaining the CMMC Framework
The CMMC framework has five maturity levels (ML), ML-1 being the least rigorous and ML-5 being the most. The DoD expects that roughly 80 percent of DoD contracts will only require ML-1 compliance. The Maturity Level that a contractor must comply with is based on the type of data provided by or generated for the Government.
CMMC Maturity Levels
For contractors who only have access to Federal Contract Information (FCI), the CMMC Framework requires compliance with ML-1. For organizations who generate or receive Controlled Unclassified Information (CUI), they will be required to comply with either ML-3 or ML-5.
FCI is defined as Government generated or provided information that is not intended for public release. Meaning, information the Government provides to a contractor that has not also been provided to the public (e.g., through a public website). CUI is defined as information the Government creates or possesses, or that a contractor creates or possesses for the Government that requires safeguarding but is not considered classified information.
The DoD has partnered with the Carnegie Mellon University Software Engineering Institute (SEI) to develop the CMMC framework. To help explain the framework, Carnegie Mellon University SEI has produced numerous podcasts and blogs that can be found here.
Prime and Subcontractors Are Preparing
To ensure they are not unprepared, DoD contractors are beginning to perform readiness activities to ensure they are certified at the appropriate level when their current contracts come up for rebid and to be ready to bid on new contracts. The steps that contractors need to take are:
- Determine the CMMC Maturity Level with which they need to comply. To perform this step, contractors need to review their current contracts, and speak with their contracting officers, contracting officer’s technical representative (COTR), or other DoD representative to determine what type of information (CUI vs FCI) the government considers the contractor to have.
- Perform an assessment to determine if there are any CMMC requirements for their Maturity Level that the Company is not meeting.
- If gaps are identified, the contractor needs to implement corrective actions to resolve the gaps.
Many DoD contractors will not have the expertise or resources needed to perform a CMMC readiness assessment, identify the gaps, and develop corrective action plans. In these cases, the contractors are turning to cybersecurity consultants with knowledge of NIST and the CMMC framework. If you want to learn more about CMMC, Keiter’s team of cybersecurity specialists can help you. Email | Call: 804.747.0000.
The information contained within this article is provided for informational purposes only and is current as of the date published. Online readers are advised not to act upon this information without seeking the service of a professional accountant, as this article is not a substitute for obtaining accounting, tax, or financial advice from a professional accountant.