New cyber security framework for the US DoD
February 2022 | EXPERT BRIEFING | SECTOR ANALYSIS
financierworldwide.com
The Cybersecurity Maturity Model Certification (CMMC) is the US Department of Defense’s (DoD’s) cyber security training, certification and third-party assessment programme aimed at measuring a contractor’s ability to demonstrate compliance with the federal rules and regulations requiring the protection of federal contract information (FCI) and controlled unclassified information (CUI).
For the past year, companies that contract or that are seeking to contract with the DoD have struggled to understand, and prepare for, the requirements the CMMC will impose so they do not jeopardise their ability to obtain valuable US defence contracts.
However, in early November 2021, the DoD sent shockwaves through the DoD contracting community by announcing that it was suspending CMMC 1.0 (what the original version is now being called). In its place, the DoD reported that it was implementing ‘CMMC 2.0’, which will be significantly different from its predecessor, and should make it easier for defence contractors to comply.
According to the DoD, the changes that will come with CMMC 2.0 will have meaningful benefits for contractors. CMMC 2.0 is designed to streamline compliance and reduce implementation costs for small and medium-sized businesses, many of which had expressed frustration with the imposing regulatory obligations under CMMC 1.0.
Additionally, CMMC 2.0 attempts to more plainly define DoD priorities for protecting critical US defence information. Finally, the new framework endeavours to reinforce synergies between the DoD and the private sector as both continue to combat increasingly sophisticated cyber attacks.
CMMC 1.0 was created to assess a defence contractor’s processes and practices associated with protecting its data and IT systems from cyber attacks. CMMC 1.0 referred to this as assessing a contractor’s cyber security “maturity”. Under CMMC 1.0, a defence contractor’s cyber security maturity could be assessed on a scale comprising five defined maturity levels: basic, intermediate, good, proactive and advanced. Under CMMC 2.0, there will only be three maturity levels: foundational, advanced and expert. CMMC 2.0 will eliminate CMMC 1.0 levels 2 (intermediate) and 4 (proactive), which were simply transitional levels for contractors working toward level 3 and level 5 certification. Understanding the requirements at each CMMC 2.0 level will be critical for defence contractors required to comply, but this new framework appears to make compliance slightly less onerous.
Companies that process, store or handle FCI will need to meet the requirements of the foundational level. The foundational level will require companies to comply with a limited subset of the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 controls. Importantly, the DoD will allow companies to perform self assessments to demonstrate compliance. FCI is defined as information not intended for public release that is provided by or generated for the government under a contract to develop or deliver a product or service to the government. FCI does not include information provided by the government to the public.
Companies that process, store or transmit CUI will be required to obtain advanced level certification. At the advanced level, companies will need to be fully compliant with the full suite of NIST SP 800-171 requirements. CUI is information that requires safeguarding or dissemination controls consistent with applicable laws, regulations and government-wide policies, but is not classified. If the contract also involves information critical to national security, the DoD will require the contractor to obtain a third-party assessment from an organisation accredited by the CMMC Accreditation Body; otherwise the DoD will allow the company to perform a self assessment.
At the expert level, contractors will be required to comply with NIST SP 800-172 requirements and will likely be required to undergo an assessment conducted by government officials. The NIST SP 800-172 supplements the requirements imposed by the NIST SP 800-171 by providing 35 enhanced security requirements designed to safeguard CUI from cyber criminals who try to infiltrate systems to steal national security-related data. The DoD has indicated that the requirements at this level are still being drafted.
Defence contractors working toward CMMC 1.0 certification are well aware of the importance of the NIST SP 800-171, which is essentially a codification of 110 cyber security requirements that are designed to protect CUI housed in information systems. The NIST SP 800-171 requirements were a key aspect of the CMMC 1.0 framework. In 2016, preceding the announcement of CMMC 1.0, defence contractors were required to implement NIST SP 800-171 security requirements for all covered contractor information systems. CMMC 2.0 still tracks closely with the NIST SP 800-171, even though it reduces the number of maturity levels from five to three and simplifies the requirements at each of the three remaining levels. Defence contractors that are performing active contracts with the DoD should be able to attain advanced level certification under CMMC 2.0, because many of the requirements at that level have been imposed by regulation since the 2016 time frame.
Another important aspect of CMMC 1.0 that will change with the implementation of CMMC 2.0 relates to the way a contractor will be deemed certified at a given level. Under CMMC 1.0, a third-party assessment organisation (C3PAO) was required to assess the contractor’s cyber security maturity and issue a certification of CMMC compliance at the level commensurate with the contractor’s internal cyber security controls. Under CMMC 1.0, self assessments and attestations were not sufficient at any of the five CMMC 1.0 levels.
CMMC 2.0 allows contractors to demonstrate compliance by conducting annual self assessments at the foundational level. Additionally, advanced level self assessments will also be acceptable for “non-prioritised” acquisitions. Unlike under CMMC 1.0, C3PAO assessments will only be required for high-priority procurements with national security implications. And for programmes that are determined to require an expert level 3 certification, defence contractor assessments will be performed by the US government. This change will certainly address the enormous shortage of C3PAO assessors that existed under the CMMC 1.0 framework, and shorten the time frames associated with certification.
Finally, a third significant difference between the CMMC 1.0 and CMMC 2.0 frameworks relates to the flexibility of the framework itself. CMMC 1.0 required contractors to fully implement all of their security practices before they would be certified at a particular level. By contrast, CMMC 2.0 will provide contractors with the flexibility to implement what in some cases are large-scale changes to their systems. In fact, CMMC 2.0 will permit companies to be awarded contracts if they have a plan of action and milestones (POA&M) to achieve certification at a given level within a certain time frame.
In these instances, the DoD will specify which baseline requirements must be achieved prior to contract award and permit the requirements to be addressed in the POA&M with a defined path to implementation. This flexibility will ensure that companies can take a measured and thoughtful approach to cyber security as opposed to rushing the process to obtain contracts, which could have negative impacts on the company’s implementation overall.
The US government will be providing more information regarding CMMC 2.0 in the coming months, and it has stated clearly that CMMC 2.0 will not be a contractual requirement until the rulemaking process is complete. This process is likely to take a year or two, at least. This is good news for companies, which will now have additional time to review their cyber security health and to work to close any gaps in their processes that may impact their ability to be certified at a given CMMC 2.0 level.
Current requirements still mandate that defence contractors that hold CUI and FCI implement the NIST SP 800-171 standards in most cases and have a current NIST SP 800-171 DoD assessment posted in the supplier performance risk system (SPRS), which is the authoritative source to retrieve performance information assessments for the DoD acquisition community to use in identifying, assessing and monitoring unclassified performance.
Non-US companies that are performing contracts for the DoD or are looking to bid on contracts in the future should also continue to perform the same type of review of their internal cyber security protocols, as CMMC 2.0 will be applicable to them as well. The DoD has indicated that it is currently putting international agreements in place related to cyber security. The purpose of these agreements will be to ensure that the CMMC 2.0 framework can be thoughtfully and effectively applied to non-US companies.
Leigh Hansson and Liza Craig are partners and Joshuah Turner is an associate at Reed Smith. Ms Hansson can be contacted on +44 (0)20 3116 3394 or by email: lhansson@reedsmith.com. Ms Craig can be contacted on +1 (202) 414 9235 or by email: lcraig@reedsmith.com. Mr Turner can be contacted on +1 (202) 414 9254 or by email: jturner@reedsmith.com.
© Financier Worldwide. By Leigh Hansson, Liza Craig and Joshuah Turner, Reed Smith.