What to Expect in DOD’s Cybersecurity Maturity Model Certification Rule

The Defense Department’s proposed rule released in late December codifying the Cybersecurity Maturity Model Certification (CMCC) Program is one step closer to fruition as it enters a comment period open until Feb. 26. Once finalized, the rule would impact any contractor that handles federal contract information (FCI) and controlled unclassified information (CUI) to prevent cyberattacks in the defense industrial base.

The program, dubbed CMMC 2.0, outlines the security controls for all three CMMC security levels, establishes processes for monitoring compliance and defines the roles in ensuring cybersecurity for the federal government, contractors and third parties. The rule applies to all DOD contractors and subcontractors that “process, store or transmit federal contract information (FCI) or controlled unclassified information (CUI) on contractor information systems.”

The only excluded parties are those with contracts exclusively using commercial off-the-shelf items and contracts that do not exceed the micro-purchase threshold.

“The easiest way to understand CMMC is to understand that it is an assessment program that is designed to verify the implementation of cybersecurity requirements. The trick, though, is that the CMMC program itself does not impose those cybersecurity requirements. It’s verifying cyber requirements that are imposed by other contract clauses,” Jacob Horne, chief security evangelist at Summit 7, told GovCIO Media & Research.

While CMMC modifies much of how sensitive unclassified information is handled outside of the DOD, it does not modify the Federal Acquisition Regulation (FAR) or the DOD FAR Supplement (DFARS), which will be tackled in a separate rule.

What is in the New Rule?

The new rule, dubbed CMMC 2.0, outlines three levels versus the original five stipulated in CMMC 1.0.

• The first level of certification, Level 1, impacts an estimated 63% of contractors and affects contracts and subcontracts handling FCI. Contractors at Level 1 must perform self-assessments to ensure compliance.
• Level 2, which impacts an estimated 37% of contractors, is required for contracts and subcontracts that handle CUI.
• Only 1% of contractors will be subjected to Level 3 requirements, which is an additional set of requirements to Level 2 contracts. At Level 2, contracts require self-assessments or a certification assessment performed by a CMMC third-party assessment organization to ensure compliance. At Level 3, DOD will additionally ensure compliance with the NIST SP 800-172 rule.

“This basic minimum standard was created with a lot of assumptions about what would have already been in place. As it turns out, that is not actually the case. Most companies spend little to no money on on cybersecurity, especially as you get into the sub tiers of the supply chain,” Horne said. “As soon as you get out into tier two and beyond, it suddenly assumes a lot of pre-existing maturity.”

Horne said DOD is taking a firmer stance on cybersecurity requirements through the implementation of this rule, as lax standards have been followed by small and large contractors alike.

The rule delegates the authority to investigate any active CMMC self-assessment or inaccurate CMMC certification assessment. It will be implemented in phases, with the organizations integrating the new rule into their workflows over a maximum of 30 months.

However, Horne said that contractors and subcontractors are likely to comply ahead of the 30-month deadline, as market forces shift toward being CMMC-compliant.

“The prime contractors are going to immediately tell their sub[contractors], ‘Go get a certification as soon as you can.’ And the market will move to push everyone to get the cert whether they have the clause in their contracts or not,” Horne said.

What’s Next Beyond CMMC?

While CMMC specifically applies to the DOD, the NIST 800-171 rule that CMMC is forcing contractors to comply with extends throughout the federal government, meaning other federal agencies might face similar circumstances and issues.

According to Horne, the CMMC program developments is an early indicator for other agencies of what’s to come.

“It’s very important to pay attention to the pain points that it’s exposing, the policy positions of the agency, the public comments coming from industry and how those things are working together to determine policy, because that will be the exact same situation that every other agency faces as soon as that rule comes out, which is on the unified agenda currently for this year,” Horne said.