The Complete CMMC Compliance Checklist for DoD Contractors

If you want to work with the DoD (Department of Defense), you may be wondering, “What is Cybersecurity Maturity Model Certification (CMMC) and why you need it?”. Read on to find out what the CMMC requirements entail, who is affected, how to prepare, and what is next for DoD contractors.

What is CMMC?

It’s a unified standard for implementing cybersecurity across the DIB (defense industrial base), including over 300,000 companies in the supply chain. The security maturity model is the Department of Defense’s response to significant compromises of sensitive defense information located on contractors’ information systems.

Previously, contractors were responsible for conducting, monitoring, and certifying their IT systems’ security and any sensitive DoD data stored on/or transmitted by those systems. Contractors stay accountable for executing critical cybersecurity requirements. Still, the CMMC changes this paradigm requires third-party assessments of contractors’ compliance with certain mandatory practices, procedures, and capacities to adapt to new and evolving cyber threats from enemies.

Purpose

The main goal of CMMC is to secure the protection of two types of information from disclosure or unauthorized use:

• CUI (Controlled Unclassified Information) – Information that requires safeguarding or dissemination controls in accordance with and consistent with applicable law, regulations, and government-wide policies but isn’t classified under the Atomic Energy Act or Executive Order 13526, as amended;
• FCI (Federal Contract Information) – Information, not planned for public release, provided by or generated for the government under a contract to deliver/develop a product/service to the government.

Benefits

Since all new DoD contracts, RFPs and RFIs will require CMMC compliance, certified contractors will have a competitive advantage. That will be particularly true early on, with most contractors likely waiting until they need to be CMMC compliant before acquiring certification.

Beside easily getting and maintaining defense contracts, CMMC-compliant organizations will:

• Resolve the threats of nation-state actors, which made up 23 percent of all data breaches in 2019, up from 12 percent in 2018;
• Minimize their risk of data breaches, the cost for which averaged $3.62 million per incidence in 2017;
• Reduce the risk of insider threats and be deemed-compliant with other regulations, including NIST, HIPAA, FISMA, SOX, ISO.

Timeline

• May 2019 – Version 0.1;
• July 2019 – Version 0.2 identified and reviewed;
• September 2019 – Version 0.4 released;
• October 2019 – CMMC implemented requirements released;
• November 2019 – Version 0.6 to be released for public review;
• January 2020 – Version 1.0 finalization expected; compliance checklist released;
• June 2020 – CMMC starts appearing in RFIs;
• September 2020 – CMMC begins appearing in RFPs.

Who Should Comply with the CMMC?

All Department of Defense contractors will eventually be responsible for obtaining a DoD certification. This involves all suppliers at all tiers along the supply chain, commercial item contractors, small businesses, and foreign suppliers. The CMMC-AB (CMMC Accreditation Body) will coordinate directly with DoD to establish procedures to certify independent CP3AOs (Third-Party Assessment Organizations) and assessors that will assess companies’ CMMC DoD levels.

The certification applies to both “prime” contractors who engage directly with the Department of Defense and subcontractors who contract with primes to ensure those contracts’ fulfillment and implementation. Although some certification level will be an obligation of every contract starting in 2026, DoD has indicated that they intend to issue contract opportunities at all maturity model levels.  Therefore, some requests will require only a low level of certification, and some will demand higher certification levels.

What Are the 5 Levels of CMMC?

MMC Version 1.0 outlines 5 different maturity levels for organizations, which stretch from maintaining basic cyber hygiene to incorporating an advanced cybersecurity program.

Level 1

Basic Cyber Hygiene – The first level includes basic cybersecurity suitable for organizations using a subset of universally accepted standard procedures. It has 17 security practices that must be successfully implemented.

Level 2

Intermediate Cyber Hygiene – At the second level, an organization is expected to set up and document standard operating practices, policies, and strategic plans to guide the realization of its cybersecurity program. Procedures at this level would be documented, and access to CUI data will require multi-factor authentication. It includes an additional 55 security practices beyond that of the first CMMC level.

Level 3

Good Cyber Hygiene – An organization assessed at this level will have demonstrated good cyber hygiene and efficient implementation of controls that encounter the security requirements of NIST SP 800-171 Rev 1. Organizations that need access to CUI and/or generate CUI should fulfill CMMC Level 3. It includes an additional 58 procedures and indicates a basic ability to protect and sustain an organization’s assets and CUI. However, at this level, organizations will have challenges defending against APTs (advanced persistent threats).

Level 4

Proactive Cyber Hygiene – Here, an organization will need to implement advanced and sophisticated cybersecurity practices. The processes at this stage are periodically reviewed, adequately resourced, and are improved across the organization. The organization can adapt their protection and sustainment activities to meet the changing TTPS (tactics, techniques, and procedures) (TTPs) used by APTs. This phase has an additional 26 practices beyond the first 3 levels.

Level 5

Advanced/Progressive Cyber Hygiene – At Level 5, an organization has an advanced/progressive cybersecurity program with a demonstrated expertise to optimize their cybersecurity practices to reject APTs. For process maturity, a CMMC Level 5 company is expected to ensure that process implementation has been standardized across the enterprise. At this level, the processes involved include continuous improvement across the organization and defensive responses done at machine speed. It requires an additional 15 practices.

Possible Influences of CMMC

The Cybersecurity Maturity Model Certification represents a massive change for DoD contractors and will have a major impact on the industry and its practices. Here are three noteworthy changes that are likely to occur:

1. Cybersecurity Will Be Mandatory in DoD Procurement

CMMC has put cybersecurity at the front line of contract evaluation, scrutiny, and oversight. Being certified at a suitable level will be crucial for the DoD when obtaining services and goods from the industry supply chain.

The model will govern contractors and subcontractors that previously didn’t need to follow DoD cybersecurity standards, like companies not handling CDI (covered defense information). From now on, all DoD suppliers will be subject to CMMC level 1-5 certification.

While the CMMC security policy is strict, it’ll benefit contractors in 3 ways:

• It’ll eliminate cases of multiple agencies carrying out security assessments on an entity at the same time;
• Independent evaluations will merge security assessment standards, guaranteeing that every company’s cybersecurity is being reviewed in the same comprehensive way;
• Neutral third-party audits won’t allow contractors to make false or deceptive representations of their security hygiene. Thereby, there will be fewer cases of legal rebuttal caused by false claims.

2. Certain Companies Will Be Disqualified

Contractors will fall under 5 maturity categories, each with specific security obligations. According to information sensitivity and the perceived cyber threat, the Department of Defense will decide which levels qualify for a specific contract. Organizations without the proper level of certification will be disqualified from the examination. This will streamline the awarding of contracts and establish early adopters of cyber security model with a decided advantage.

3. The Emergence of the Industry Advisors

The DoD will rely hugely on certified third-party auditing agencies to audit and assess contractors’ CMMC qualification. CMMC-AB, a nonprofit accreditation organization, will supervise C3PAOs liable for offering cyber maturity model credentials to businesses. Over 300,000 companies are within the DoD supply chain, which will require a ramp-up phase leading up to the January 2021 incorporation of Cybersecurity Maturity Model Certification.

Therefore, a new class of information security consultants and advisors is emerging. They’ll leverage their compliance expertise to guide Department of Defense contractors to successful certification by delivering expert gap analysis, audit preparation, and ongoing support to ensure their IT systems stay compliant and secure.

How to Achieve CMMC Compliance?

Back in the day, contractors and subcontractors could verify their CUI and FCI cybersecurity procedures and the information systems housing this information themselves. With the introduction of the CMMC certification, this is no longer an option. As a result, organizations and businesses storing or transmitting CUI or FCI must either establish CMMC compliance using in-house means or hire a cybersecurity company capable of ensuring security maturity model compliance.

Also, you can take three necessary steps to achieve DoD certifications:

• Get an SSP (Systems Security Plan) and a POA&M (Plan of Action and Milestones) in place.
• Configure your existing environment or build a new domain to NIST 800-171 r2 compliance;
• Many contractors are moving to Office 365 GCC High or other cloud providers to ease this process;
• Start building budgets for the improved support requirements and modifying rates to include the upgraded security requirements. Weigh the costs and consider outsourcing security, compliance, and information system management with an MSP (Managed Service Provider).

What Actions Should Defense Contractors Take in 2021?

DoD contractors should, without delay, learn the CMMC’s technical requirements and prepare not only for certification but long-term cybersecurity agility. Details on how the CMMC assessments will be executed and how to challenge those assessments are anticipated quickly. Contractors that have already begun to evaluate their practices, procedures, and gaps when the details are finalized will be well-positioned to navigate the process and suit the mandatory CMMC contract requirements for upcoming projects.

The OUSD A&S (Office of the Under Secretary of Defense for Acquisition & Sustainment) maintains a CMMC FAQ where contractors can keep up to date on the certification process.