Cybersecurity Maturity Model Certification (CMMC): What We Know to be Facts vs. What We Need to Find Out (Third In A Series)
June 19, 2020
By: Jason L. Ott, Derrick L. Maultsby, Jr., and Adam Zaccari
As discussed in the first two entries in this series of four, while COVID-19 has many organizations focused on other priorities, the Cybersecurity Maturity Model Certification (CMMC) remains to be phased into DoD contracts beginning July 1, 2020. It is important that all affected organizations continue to prepare for the requirements. The U.S. Department of Defense (“DoD”) released version 1.0 of its CMMC on January 31, 2020. The CMMC is a unified standard based on several different cybersecurity standards including NIST SP 800-171, NIST SP 800-53, ISO 27001, ISO 27032, AIA NAS9933, CIS CSC 7.1 and others. Previously, contractors were responsible for implementing, monitoring, and self-certifying the security of their information technology systems and any Confidential Unclassified Information stored on or transmitted by those systems. The CMMC requires third-party certification of contractors' compliance with mandatory practices, procedures, and capabilities – a major change. In this blog entry we will discuss what we know to be as facts about the CMMC, and what we still do not know at this time. Stay tuned as we will be providing additional information as it becomes available.
What We Know to be Facts
There are more than 300,000 vendors in the DoD supply chain, each of which will require assessment. Organizations that will be seeking certification include Prime contractors and subcontractors – essentially any organization that sells or services the DoD.
Prime contractors and subcontractors must be certified under CMMC standards to any one of five levels. The highest levels are reserved for organizations exposed to the most sensitive information. The CMMC framework encompasses security processes, as well as cybersecurity best practices from various standards, frameworks, and references. There are a total of 171 practices mapped across the five levels of CMMC maturity.
The actual implementation rollout of the CMMC framework will begin in Q3 2020 and take up to 5 years. If a contract requires CMMC certification, it will be listed as a Request for Proposal. The CMMC-AB will be providing the standard for applying the model and certify trainers who will train assessors. The CMMC-AB will provide an online marketplace where organizations can find an available Certified Third-Party Assessment Organization (C3PAO). A certification will last 3 years, provided there are no incidents or other triggers inducing a re-assessment.
What We Need to Find Out
The thresholds for validating compliance have yet to be determined. Now that the model for CMMC has been released, the standard is now being built. Once the standard is built, training for the assessors will be created, as it does not exist as it stands today. With accredited training not yet created, be aware of anyone who claims they can guarantee compliance – after all, it depends on accreditation of C3PAOs and assessors. Until these items are created, organizations should be focusing on DFARS/NIST800-171 compliance. Any type of non-compliance from this standard can put your organization’s business with the DoD at risk. As for a timeline, there is not one yet, but we can tell you that it is in process and being worked on.
Considering the significant impact these provisions may have on your business, Jackson Kelly is committed to providing knowledgeable counsel to help our clients navigate these pending requirements. We have partnered with SecureSky, a leading cybersecurity firm specializing in helping companies meet compliance demands while improving their security posture. Jackson Kelly and SecureSky actively engage with industry leaders that provide technology, tools, and resources enabling companies around the globe to ensure compliance in all facets of business, specifically including the ever-growing world of data privacy and security regulation, such as the CMMC and the California Consumer Privacy Act that we have explored in this series as well. We are committed to helping your business understand what it might be required to do to ensure compliance. Please feel free to contact us any time to discuss your needs in more detail.