What is the Cybersecurity Maturity Model Certification (CMMC)?

Tuesday, November 5, 2019

Being a Defense Government Contractor is a lot like walking a tightrope – always trying to balance two “opposing views” (compliance vs. profit) with little room for compromise.  The pros make it look effortless. In fact, they can make it look fun. But our Ringmaster (the Pentagon) is ready to add a new stunt to this death-defying act – one that will separate legends from amateurs.

Coming in FY20, proof of adequate cybersecurity is going to be a requirement for all Defense contractors. The program, known as the Cybersecurity Maturity Model Certification (CMMC), will impact virtually every vendor in the DoD supply chain — potentially hundreds of thousands of U.S. companies, according to Pentagon officials.

The sideshow of CMMC and just how significantly it will impact the Defense Industrial Base (DIB) has us all watching, holding our breath – so we decided to send out our advance team before the big tent comes to town. We sat down with Mr. Alexander W. Major, a Partner at McCarter & English and Co-Leader of the firm’s Government Contracts and Export Controls Practice Group, to discuss what exactly we should be expecting from our Industry’s Greatest Show on Earth.


The Government and Industry alike are working to understand, develop and shape the Cyber Maturity Model Certification (CMMC) framework. In that respect—what do we know about CMMC?

In short, CMMC will be a program that directs contractors what to do then grades them on how well they do it.

We know the CMMC is a good idea and one that makes a certain amount of sense, albeit very late to the party. The CMMC is intended to be the DoD’s “standard” against which defense contractors – ALL DEFENSE CONTRACTORS – are to be judged on how they protect all of their data at a variety of different practices or capability “levels,” identified as 1-5, each showing additional “maturity” in addressing cybersecurity as you move up the ladder. For defense contractors, this is a bit of a departure, as this standard appears to relate currently to ALL contractors and ALL types of data (more on this later).

As for the standard itself, it is intended to be a unified standard that combines various, existing cybersecurity control standards from all over the industry, the government, and even foreign governments, into one while, at the same time, expected to measure the maturity of a contractor’s institutionalization of cybersecurity practices and processes.

Since 2013, DoD cybersecurity controls have focused on contractors who hold “Covered Defense Information” (CDI) pursuant to the clauses at the Department of Defense Acquisition Regulation Supplement (DFARS) 252.204-7008 and 252.204-7012.

This means that the security requirements under the existing model follow the data and aren’t necessarily assigned to the systems of a contractor who worked for the DoD. This has been happening to varying levels of success, but candidly it has been hampered – in my opinion – due to DoD having some trouble identifying, labeling, and informing contractors on what exactly CDI—which is a subset of Controlled Unclassified Information (CUI)—contractors may be receiving, holding, obtaining or flowing down to their subcontractors. Contractors can’t protect what they don’t know – and if the government can’t accurately verbalize what they want to be protected, then everyone loses.

The above-referenced clauses are currently operable in most defense contracts and are expected to remain operable even when or if CMMC goes live (more on that later). Learned defense contractors also know that part and parcel to those DFARS clauses is the requirement that they provide “adequate security” on all unclassified information systems holding CDI. A key part of that adequate security includes the contractor’s implementation of the 110 security safeguarding requirements described in National Institute of Standards and Technology (NIST) SP 800-171 to address the confidentiality of CDI.

All of this should be “old hat” for a myriad of defense contractors who are <cough..ahem…cough> totally compliant—and will need to remain as such—with the existing cybersecurity regime.

By contrast to the DFARS clauses, the required CMMC levels are intended to be included in Sections L or M of the solicitation (attention proposal managers) **. This means that the CMMC isn’t intended as a regulation. It is a contractual term that is co-extensive with the DFARS clauses and NIST SP 800-171, and one upon which award decisions (allegedly) will be made and performance (maybe) will be judged.


**According to CMMC’s present intention, this is supposed to be a go/no-go decision-maker on award decisions. A contractor wishing to become CMMC “rated” will be expected to “coordinate directly with an accredited and independent third-party commercial certification organization to request and schedule its CMMC assessment,” but those independent third-party organizations have yet to be identified. It will be these commercial certification organizations that will provide the DoD contractors with their “grade” – er – “Level” and provide the ticket contractors may need to be punched in order to receive an award.


And now let’s cover the unknowns. What are the current unknowns regarding CMMC? Let’s just keep it to the most impactful.

The most impactful would have to be just what, exactly, the final standard will look like.

As we’re discussing this, the industry is awaiting the release of Version 0.6 that should have some more specificity as to what the eventual, actual standard will look like. But, in light of what we’ve seen with Version 0.4, it is still very much up in the air what the next iteration will look like—especially in light of the roadshow comments, answers and promises that the DoD leadership promoting this program are all so quick to make – but don’t seem to be writing down or memorializing to any good effect.


Why is the CMMC framework necessary? Do current certifications (i.e. FedRAMP) not meet this requirement and/or need?

I recognize that I’m being flippant with many of my responses, but ultimately, I support what CMMC is trying to do in practice. It’s simply the way it is being rolled out that has me (and a good portion of the community) suspicious.

This is a very hard problem. One that contractors aren’t very good at dealing with because, honestly, they don’t want to spend the money. “Compliance,” a word I hate when describing cybersecurity, costs. And no matter how much money you throw at it – and CEOs/CFOs generally prefer that one throws “just enough” to keep the Feds off their backs – you’re facing a losing proposition.

The bad guys are good. They’re damn good. They are much better at breaking into places than those places are at defending themselves. Where things like FedRAMP and NIST SP 800-171 (in all of its current and pending iterations) can be/are effective, that effectiveness is only as good as the vigilance that is applied by contractors to maintaining and surpassing those standards.

The challenge is that defense contractors work in a dynamic environment, which is why lawyers – in addition to technical vendors – need to be involved. The effort that contractors put towards cybersecurity must be equally dynamic and properly assess and balance needs and risks. All too often, like most compliance undertakings, such efforts are static and uninformed. As defined by the threat imposed by folks in black hats and white hats (e.g. regulators) and the demands of the DoD, a contractor’s response cannot be static – and that takes time, money, and intent. The CMMC bakes that into its equation across the entire Defense Industrial Base (DIB).

Again, it’s a great idea. I’m simply concerned with the execution of the certification and that, while the CMMC Program Management Office (PMO) might be focused on the standard itself, it does not appear to be addressing how, exactly, its eventual certification standard will operate.

A great example is a mandate that CMMC will flow down to subcontractors.

If my business is certified at CMMC Level 4, and I have a need for three (3) subcontractors, must they each be Level 4 too? If not, is my company permitted to gauge what level they need to be to hold whatever type of data I want to give them?  Where is the guidance on that effort?

Right now, a key effort undertaken by the Defense Contract Management Agency (DCMA) is to assess how well cybersecurity clauses are being flowed down to subcontractors. But that’s straightforward – a clear standard that follows data. Presently, in operation, if there is no CDI that needs to flow down (and that is a need assessment Primes must undertake), then there is no need for the clause to flow down.

When the CMMC goes live, and as it applies to all contractors, there is no such limitation – it applies equally to everyone…maybe. If it does, how are Primes supposed to assess it and the eventual Level of the subcontractors? There are mechanics that need to be in a place that, right now, appear to be missing.

Moreover, we already know that DoD is having difficulties properly labeling CUI before distribution; will CMMC require DoD Contracting Officers to oversee how data is disseminated through the supply chain?

Again, there are a lot of questions out there from an operational standpoint that make the CMMC adoption in, oh, two (2) months a little too aspirational to be realistic in my opinion. Or, if it does stick to its intended schedule, a possible disaster waiting to happen.


The biggest concern in Industry right now is the impact CMMC can or will have on small business vendors and the Pentagon’s ability to leverage startups. Is this a valid concern?

This is a hard one for me and I can’t divorce my answer from my retired Air Force Intelligence Officer side. Will CMMC affect a small business? Absolutely. The real question is candidly, and maybe harshly, so what? While we all understand the government has an interest in promoting small business, the government – and the DoD specifically – has an even greater interest in protecting our country, its platforms, and its personnel.

The CMMC could be a barrier to entry for some, but is that really a bad thing? Do we want companies who are unable or unwilling to invest in securing data holding information related to platform instabilities, refueling depots, or troop movements? As a Veteran, I’m going to say “No. No, thank you” on that one.

But for those who can compete, who can afford to invest in the technology, people, processes and procedures necessary to secure data, it will provide a great deal of opportunity. As many find out far too late, government contracting isn’t for everyone. It’s rife with compliance obstacles and hurdles that many contractors choose to overlook or not address until they’re facing suspension, debarment, or a complaint from a False Claims Act (FCA) relator.

So, will it impact small businesses? Yes, but I think it’s designed to do exactly that. I still believe, however, that the most significant impact will be the CMMC’s applicability towards subcontractors and how primes are going to have to deal with that.


Will CMMC apply to Other Transaction Authority (OTAs) contracts and Non-Traditional Vendors?

Waaaaaay too early to tell.

There is too much rumor and pie-in-the-sky conjecture out there about the CMMC to take anything as gospel. Every time the CMMC PMO speaks, new details seem to be revealed, which may or may not ultimately take root.

The revival-like settings of the CMMC information sessions may be entertaining, but the ones I’ve seen have not been too informative or rooted in any real sense for how contractors can prepare. It’s like watching different trailers for a movie and leaving the theater wondering if it’s a ribald comedy, slasher horror, or an angsty drama of one teen’s journey to redemption with a cat and a ’69 Camaro.

As Attorneys and contractors, we should all recognize that what matters, where the rubber meets the road, is what is in (a) writing, and (b) your contract. Contractors aren’t prepared for word-of-mouth regulatory regimes…and neither are their lawyers.


Will CMMC apply to Small Business Innovation Research (SBIR) awardees? How about Grant awardees?

Any place where CDI currently resides or may reside, and thereby DFARS 252.204-7012 is resident, I suspect to find CMMC haunting the pages.

Again, these aren’t expressly addressed in any of the written materials I’ve seen, but I fully expect that it will. Moreover, as these recipients may be a part of the DIB, it’s even more telling that the CMMC will apply. Research institutes of all varieties are gearing up for whatever comes their way.


Will CMMC be applicable to all vendor services and/or offerings (i.e. materials, products, etc.)?

I’m prophesying here – but I’m going to go with “yes.”

The DoD is casting a very wide net with CMMC and I have yet to see any carve-outs. I assume that there may be some sort of carve-out for agencies like the Defense Commissary Agency (DeCA) and its contracting of resale grocery products and services, but at this point, I have no idea and I would theorize that neither does CMMC.


How can vendors prepare for CMMC? What should they be doing now?

This is a simple one – do what is in your contracts.

For any defense contractor, from lawn service providers to maintenance providers, ensure you’re meeting the basic requirements in FAR 52.204-21. That is presently in your contract, so get at least that far and document it. For others in the DoD that work or may work in/near/around CDI – keep maintaining your ability to meet the requirements of DFARS 252.204-7012 and the iterations of NIST SP 800-171 that are out and coming out (rev 2, rev 3). Examine NIST SP 800-171A, Assessing Security Requirements for Controlled Unclassified Information, to assess whether your efforts and systems are up to snuff. Then, if you’re feeling adventurous or believe that it might apply to your company, take a look at SP 800-171B, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations: Enhanced Security Requirements for Critical Programs and High Value Assets, to assess what you would need to make it to those defined enhancements if/when demanded.

For now, the one thing I would suggest is not trying to aim at or hit CMMC. It’s moving entirely too fast behind way too much brush. You’re going to spend a lot of time, energy and ordnance on a fruitless endeavor. Just meet the requirements of your contract, then be prepared to pivot when the change comes.


DoD stated that they will stand up a nonprofit organization (i.e. the CMMC Accreditation Body) to operate the certification program. Based on the limited knowledge we have—is there an OCI concern where a vendor (assuming this is farmed out like an OTA Consortium) is responsible for deciding if other vendors are suitable for Pentagon work?

This is an area to watch.

I think there will be some concerns regarding the provision of proprietary data to third parties, but much of that may be able to be contracted away through things such as Non-Disclosure Agreements (NDAs). I get a sense that any companies performing this type of work will be effectively walled off from other like work…and if they’re not, they absolutely need to be. As I understand it now, the certification assessment industry is in the process of choosing sides, with some vendors happy to continue helping contractors get closer to compliance, while others are targeting the possibility of becoming a CMMC 3PAO. How it plays out over the next few months to a year will be a very interesting spectacle.

For more information on CMMC, please reach out to Alexander Major at amajor@mccarter.com