Initial Updates on CMMC
By now, everyone has heard of the new CMMC model for cybersecurity assessment being rolled out by the DoD in 2020. We even addressed several concerns and questions we had in an article back in late July. With version 1.0 of the CMMC framework set to drop in January 2020 and the new regulations expected to be in place by June 2020, that doesn’t leave much time for businesses to become compliant with the new standards they’ll be held to. It’s hard for most companies to attend listening sessions, stay up to date on every new draft of CMMC, make and submit comments, and make sure their industry is being accurately represented. That’s where we come in.
Mission Multiplier has been working tirelessly to make sure that we are tracking new information regarding CMMC, and we are making sure to keep our clients and their respective industries in mind while giving feedback on this new model. We attended the listening session held in Huntsville on August 27th and have gone over the latest draft (Version 0.4) of CMMC, and we have a few takeaways and comments that we plan to submit to the Office of the Under Secretary of Defense for Acquisition & Sustainment using the comment matrix.
CMMC is under extreme scrutiny right now, and it will inevitably change and further develop before its final version is released at the start of the new year. Despite the fact that some of the current information we have on CMMC will change, we wanted to address and answer some of the questions we had back in July in light of what we gleaned from attending the listening session and reading Version 0.4.
How much inspiration will CMMC draw from existing compliance standards?
According to the Under Secretary of Defense for Acquisition and Sustainment, “The CMMC effort builds upon existing regulations (DFARS 252.204-7012) that is based on trust by adding a verification component with respect to cybersecurity requirements”. Specifically, the CMMC will draw off of the NIST SP 800-171 while adding components of other cyber security frameworks such as DIB SCC TF WG Top 10, NIST Cybersecurity Framework 1.1, ISO 27001:2013, and the CERT Resilience Management Model. It is important to note that CMMC is still in draft form, and the requirements are subject to change.
Are we going to get nitty-gritty details of exactly how the DoD wants the controls implemented and audited?
As of right now, the DoD says they will be giving specific requirements and clearly outline their expectations. The government has said that they’re going to come up with very specific auditing standards. According to the “Securing the Supply Chain” slide deck provided during the listening sessions, “CMMC will be agile enough to adapt to emerging and evolving cyber threats to the DIB sector. A neutral 3rd party will maintain the standard for the Department”.
How often will audits need to be conducted?
At this time, the duration of certification is still under consideration. According to the Under Secretary of Defense for Acquisition and Sustainment, “A compromise will not automatically require a recertification. However, depending on the circumstances of the compromise and the direction of your government program manager, you may be required to be recertified”.
Will primes and subcontractors be expected to have the same level of compliance?
It essentially depends on the specifics of the individual contracts, but in general subcontractors will be held to the same standard as every organization doing business with the DoD, in that they will have to obtain a obtain CMMC level of at least one. However, subcontractors will not necessarily have to maintain the same CMMC level requirements as the prime contractors that they work under unless it is specified in their contracts.
How will the “allowable cost” of IT security (and by extension the cost of CMMC certification) be handled?
So far, the only information the DoD has officially released on this topic is a statement that “The cost of certification will be considered an allowable, reimbursable cost and will not be prohibitive. For contracts that require CMMC you may be disqualified from participating if your organization is not certified”.
In one of the CMMC listening sessions, Stacy Bostjanick, Head of Contracting at the Defense Intelligence Agency, presented the expectation that the “allowable cost” will be built into the overhead and G&A rates of proposals, seeming to mean that the expectation would be that contractors should be able to recoup their security expenditures over time through increased rates. She did mention that there is awareness that this could pose an issue to small businesses, as they may not be able to afford the upfront investment. Bostjanick said that they are talking about setting up some programs for small businesses to secure the necessary funding, but there was nothing official that she could announce yet.
How are the organizations that will be third-party auditors going to be selected?
We don’t have clear answers to this question yet, but Stacy Bostjanick said during the listening sessions that this information is on the way and that there will be provisions in place to ensure that all auditors will adhere to the same, strict standards to ensure consistent practice in audits and evaluations.
When it comes to CMMC, there are certainly plenty of questions left to be answered. Mission Multiplier hopes to get answers to these questions in the coming months so that we can more effectively assist our fellow DoD contractors in achieving the compliance they need while helping them stay within their budgets. As the deadline draws near for comments to be submitted on the model, we want to assure our clients as well as our fellow contractors that we are keeping their questions, concerns, and best interests in mind while commenting on and making suggestions for the new CMMC model.
If you, your organization or company, or someone you know would like more information on cyber compliance or our company, please do not hesitate to reach out to Mission Multiplier at firstname.lastname@example.org.