The rollout of the Cybersecurity Maturity Model Certification (CMMC) as a mandatory contract requirement for government contractors working with the Department of Defense (DoD) is an enormous undertaking involving the government, a newly established non-profit, many independent assessors who need to be accredited, and up to 300,000 firms in the Defense Industrial Base. The CMMC Version 1.0 model was published on 1/31/2020 and, separately, the non-profit independent CMMC Accreditation Board (CMMC AB) was established. The CMMC AB will be responsible for training and certifying the independent assessors who will verify that government contractors are compliant with CMMC. In case you missed it, check out our quick review of the CMMC in our blog post.
A key purpose of the CMMC is to provide a unified cybersecurity standard for DoD acquisitions. The model includes five levels that describe the maturity of a government contractor’s cybersecurity practices and processes. Levels 1-5 are labeled Basic, Intermediate, Good, Proactive and Advanced/Progressive Cyber Hygiene respectively. All DoD government contractors will be required to be compliant with at least Level 1, with government contractors who manage Controlled Unclassified Information required to be at Level 3. Levels 1-3 of the CMMC are largely based on the NIST 800-171 standard. Learn more about these levels and the CMMC in our white paper.
The next key milestones for CMMC are the development of training material by the CMMC AB and the training of the first group of assessors. This was scheduled for late March through June. The schedule was recognized as challenging given all the work that needs to be accomplished to develop a robust mechanism that is cost-effective and affordable, especially for smaller businesses.
In the June timeframe, the first RFIs with the CMMC requirement will be issued, with the first RFPs following in October 2020. In parallel, changes need to be made to the DFARS rules that will make the CMMC standard the law of the land (i.e. replacing NIST 800-171) by October 2020.
Impact of COVID-19 on CMMC Schedule
Given the rapid and unanticipated impact of Coronavirus/COVID-19, many industry observers are asking whether this demanding and aggressive schedule can still be met.
Katie Arrington, the Chief Information Security Officer for the DoD’s acquisition office, who leads the CMMC effort for the DoD, is very active in providing briefings on status and progress. Katie maintains that the DoD intends to stay on schedule while respecting health concerns and, to do that, will shift to more remote training via webinars. In a recent webcast, Katie was adamant that training of assessors will occur by June and that RFIs with CMMC requirements are still expected to come out in June 2020 as well.
Katie also recently confirmed that the DoD has achieved another important CMMC milestone and officially entered into an agreement with the CMMC AB for its CMMC program. As of early April, the Memorandum of Understanding has yet to be released publicly, but it is another indication that COVID-19 will not impact the timeline for the CMMC requirement for all DoD government contractors.
In another recent development that may help the CMMC rollout stay on track, the DoD has assigned the National Institute of Standards and Technology (NIST) to help create requirements for independent assessors under the CMMC program. The CMMC AB will remain the main entity overseeing training and certification of third-party evaluators. Katie stated that the CMMC AB will also have the authority to make modifications to the credentialing process.
Katie noted that NIST will work to prevent conflicts in the certification process in line with the CMMC AB’s “very stringent ethical rules”.
In summary, Katie’s schedule for CMMC continues to meet its milestones. While the schedule is very aggressive, the odds are that the CMMC rollout will continue as announced.