Last year, the DoD announced that it was developing a CMMC framework under which all defense contractors would be required to obtain certification. The DoD explained that Certified Third Party Assessment Organizations (C3PAOs) will independently verify whether defense contractors have the appropriate levels of cybersecurity controls and processes to protect controlled unclassified information (CUI) housed on contractor systems. The CMMC framework will assess and enhance the cybersecurity posture of the Defense Industrial Base, because it will require demonstrated contractor capabilities across a number of technical areas. The C3PAO evaluators will assess and measure each company’s cybersecurity practices and processes and assign a corresponding level of CMMC certification using a scale of levels 1–5. We first discussed the CMMC framework in a blog post back in September 2019 and followed up with a podcast in March 2020.
Memorandum of understanding
On June 1, 2020, DoD issued a press release announcing that the Under Secretary of Defense for Acquisition and Sustainment Ellen Lord and CMMC Accreditation Body Chairman Ty Schieber signed a Memorandum of Understanding (MOU) establishing the roles, responsibilities, and authorities of each organization. Importantly, the MOU provides that the DoD will only accept certifications from accredited organizations that the Accreditation Body (AB) has approved to make assessments. The MOU confirmed that the CMMC Accreditation Body will provide approve for private C3PAOs, which will then hire CMMC AB-certified assessors trained by CMMC AB-certified instructors. Companies that receive assessments from non-accredited (i.e., non-certified) organizations will not meet the standards for receiving a contract award once CMMC accreditation is required. While some companies have started to advertise themselves as valid CMMC auditors, contractors should be wary of such organizations if they have not yet been approved by the CMMC AB as C3PAOs.
Requests for information
The DoD is currently conducting market research and seeking information from industry under the Request for Information (RFI) process. As of the date of this alert, two RFIs are open and more are expected to be released in the weeks ahead. The first RFI seeks information that will assist the CMMC AB with identifying interested sources capable of reviewing third-party developed training. The second RFI seeks information to help with the identification of interested and capable sources to support the creation and delivery of exams to evaluate and certify professionals in the CMMC ecosystem. Both of these RFIs can be found at cmmcab.org. As in the past, the DoD is using the RFI process to gain insights into the private sector’s ability to help the Accreditation Body actualize the intent of CMMC implementation. Through the RFI process, stakeholders within the defense community will be given the opportunity to influence important aspects of a program that will eventually impact them.
Defense Federal Acquisition Regulations
In addition to seeking information from stakeholders, the DoD is also updating the Defense Federal Acquisition Regulations (DFARS) to support the CMMC roll out. The DoD Acquisition Council has opened a rulemaking case to insert a clause for the inclusion of CMMC certification requirements in its procurements. DFAR Case 2019-D041 will establish the rule that will implement “a standard DoD-wide methodology for assessing DoD contractor compliance with all security requirements in the [NIST SP 800-171] …, and a DoD certification process, known as the Cybersecurity Maturity Model Certification (CMMC), that measures a company’s maturity and institutionalization of cybersecurity practices and processes.” As of the date of this alert, the draft DFARS rule is being reviewed by the Office of Information and Regulatory Affairs at the Office of Management and Budget. Because this regulation will have a significant impact, it is being thoroughly vetted via the procurement rulemaking notice and comment process. Accordingly, defense contractors will have ample opportunity to provide comments for consideration, and should avail themselves of this opportunity to ensure that their voices are heard.
Recommendations and takeaways
Defense contractors should continue to prepare for the new compliance requirements soon to be imposed by the CMMC. Notably, contractors will need to be aware of the 1-5 scale that measures levels of cybersecurity maturity and capability.
Contractors seeking CMMC certification should also know that entities offering to engage in the certification process cannot themselves grant certification, although they may be helpful in navigating compliance and preparing for the certification process. Only CMMC Third Party Assessment Organizations and individual assessors accredited by the CMMC Accreditation Body will be able to perform CMMC assessments.
For more information on the new measurement levels or about accreditation for assessors, please contact one of the authors of this alert.
Client Alert 2020-384