What Government Contractors Should Know About the US DoD’s CMMC Guidelines

Author: Johann Dettweiler, CISSP, CMMC RP
Date Published: 18 August 2021

By now, defense contractors of all sizes and service types should know about the Cybersecurity Maturity Model Certification (CMMC). If they do not, it is important to learn about it sooner rather than later: Their livelihoods will depend on it.

CMMC is the latest security framework mandated by the US Department of Defense (DoD) to ensure that vendors seeking to contract with the department—referred to as the Defense Industrial Base (DIB) sector—have the cybersecurity practices in place to protect sensitive DoD data. Once CMMC is fully rolled out, all DIBs contracting with the DoD must be compliant with its standards. Those that are not may find themselves shut out of certain DoD contracts.

Though many details on how to become CMMC compliant are still to be determined, the CMMC has established five progressively secure levels that are primarily based on US National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171,[1] with corresponding practices and processes. Organizations should determine which level of CMMC compliance to prepare for based first and foremost on the type of data they handle and the type of business they currently engage in or plan to engage in under future DoD contracts. Ultimately, the DoD contracts will mandate the level based on the type of data, and organizations should be prepared to bid on contracts at the associated CMMC level. To achieve their desired level, they need to consider the amount of time, resources and costs required to reach it.

Understanding the Different CMMC Levels and the Time to Achieve Them

The first version of the CMMC requirements was released in late January 2020. In general, the program enables an organization to be certified at one of five levels, from Level 1: Basic Cyberhygiene to Level 5: Advanced/Progressive (figure 1). The CMMC Accreditation Body (AB) will require DIBs to undergo an assessment by a CMMC Third-Party Assessment Organization (C3PAO) to show they have met and are certified against that level’s requirements. The CMMC AB has approved more than 50 C3PAOs, but they are not yet able to conduct CMMC certification assessments for any level. The CMMC AB is still working on guidelines for C3PAOs.

Figure 1

Each level builds on the level below it, adding processes and practices with the intention of making that level successively more secure. Each level has the same 17 initial practices; Level 2 adds 55 practices for a total of 72, Level 3 adds 58 practices to that for a total of 130 and so on.

The length of time it can take for an organization to achieve a level depends on several factors, including whether it is starting from the beginning or whether it already has a mature, robust security process in place.

Level 1 only requires the initial 17 practices and has limited documentation requirements. A small organization should be able to implement these practices in a matter of weeks, and an assessment at this level would likely only take two to three weeks.

A Level 3 certification is far more complex. It has 130 practices and requires organizations to have the following in place:

  • Policies and procedures
  • A prepared resource plan for the 17 CMMC domains
  • Three to 10 additional prepared plans, including:
    • System security plan
    • Contingency plan
    • Incident response plan

Level 3 includes all 110 NIST SP 800-171 requirements. DIBs that store, process, create or transmit controlled unclassified information (CUI) are already mandated to have all NIST SP 800-171 requirements implemented and all policy and procedures documented, so they have already met approximately 85 percent of the Level 3 practice compliance requirements. These DIBs may only need a few weeks to reach Level 3 readiness. However, if an organization is just starting to build its security program, it should allow four to six months, conservatively, to complete the requirements and develop the necessary documentation. Realistically, it could take up to one year to be fully ready, depending on the size and scope of the contract and the organization.

Levels 4 and 5 are meant for highly mature DIBs, as they require more technologically advanced solutions, such as 24/7 security operations center (SOC) monitoring and heuristic analysis capabilities. The 24/7 system monitoring requirement will prevent many small organizations from achieving this level of certification because it can be cost prohibitive. DIBs that already have 24/7 monitoring are more likely to have mature documentation and other aspects of security. As the levels increase, the time to complete the assessment increases as well. A very large, complex organization trying to achieve a Level 5 certification could easily expect the assessment process to last eight to 12 months.

The difference between Level 4 and Level 5 certification is a single additional process and 15 additional practices. From a technical perspective, Level 5 requirements are not much more stringent than Level 4 requirements. So, for an organization looking to achieve a Level 4 certification, it makes sense to seek to achieve Level 5 certification as well. In contrast, the technological requirements between Level 3 and Level 4 requirements are much greater.

Determining the Appropriate CMMC Level

The best way for a DIB to decide the level of CMMC compliance it should prepare for is to consider the type of data it handles.

Levels 1 and 2 are better for businesses that only process US federal contract information (FCI) and do not expect to deal with CUI.

Level 2 does not offer sufficient CUI protections and does not meet the current NIST SP 800-171 requirement, but DIBs should keep in mind that CMMC considers this a transitional step toward achieving Level 3.

Most DIBs seeking CMMC certification should aim for Level 3.[2] Level 3 is the minimally required maturity level to handle CUI. Level 3 includes all 110 requirements of SP 800-171, plus an additional 20 practices that are taken from other security frameworks, such as NIST SP 800-53[3] and the NIST Cybersecurity Framework (CSF).[4]

DIBs that want to focus on achieving Level 3 should immediately do a NIST SP 800-171 gap analysis to find out if they are meeting Level 3 compliance requirements. The CMMC recently released assessment guidelines for Levels 1–3, and the gap analysis can help organizations determine if they are compliant with these requirements and practices.

It is possible for organizations to self-assess whether they have fulfilled NIST SP 800-171 requirements, but problems can arise. For example, many smaller DIBs do not have staff or resources with IT security and assessment experience, and they often have a hard time looking objectively at how they have implemented all the NIST SP 800-171 requirements, leading to biased results.

Third-party assessors can offer a more objective evaluation. In addition, CMMC will require organizations to be assessed by C3PAOs to determine if they are compliant for a particular level, so this will help IT staff become familiar with the audit process.

Other advantages to having an independent assessor perform a NIST SP 800-171 gap analysis include the following:

  • DIBs can leverage existing documentation and evidence toward proving 800-171 compliance, including:
    • Completing a security assessment plan
    • Gathering evidence to demonstrate requirement implementation
    • Prepping for staff interviews
  • IT staff will obtain an actionable road map to follow so they can address and remediate weaknesses found during the
  • It serves as a readiness review and risk reduction activity for an eventual CMMC certification

Selecting a CMMC Assessor

As previously mentioned, organizations cannot currently select a C3PAO. The CMMC AB has released some guidance on how assessors can become licensed and the criteria by which C3PAOs become accredited; however, the processes are not yet fully in place, outside of the provisional process that is expected to go through the first quarter of 2021. At the time of writing, there are approved C3PAOs listed on the CMMC AB marketplace. However, none of these C3PAOs can perform assessments. C3PAOs are required to undergo their own CMMC certification process prior to being able to perform assessments, and the CMMC AB has yet to release those requirements.

Understanding the Costs

At this time, it is still difficult for DIBs to forecast their necessary financial commitment because the DoD and the CMMC AB still need to finalize the requirements. The cost to become compliant is heavily dependent on each organization and the size of its information system that stores, processes or transmits CUI or FCI.

If a DIB does not deal with any CUI and only processes FCI, then a Level 1 CMMC certification might be sufficient, as it does not require the development of as many documented policies and procedures and only requires implementation of 17 practices. As a result, undergoing a Level 1 assessment is relatively inexpensive. However, DIBs need to consider their certification level carefully as most DoD contracts contain CUI, and being limited to a Level 1 certification could affect the organization’s ability to do business with the DoD. In most cases, DIBs will benefit from achieving a Level 3 certification. Expenses might include:

  • Hiring a third-party advisory service to help write the necessary policies, procedures and plans
  • Implementing the necessary practices
  • Preparing for an assessment

Depending on the size of its infrastructure, including the boundary of the CMMC certification assessment and the overall complexity of the organization and network/system, Level 3 certification for a smaller organization could cost up to US$50,000 or US$100,000, if not more.

In comparison, for larger, more complex DIBs, advisory services will increase in cost, depending on the organization’s overall preparedness and the services they will need.

Preparing for Certification

Some DIBs may be concerned that the CMMC could affect the DoD’s ability to get work completed—especially subcontractors to prime contractors—and that contracts might be cancelled if DIBs do not have the appropriate credentials. However, the DoD has explained that any currently held contracts will not be modified to include CMMC requirements; these contracts will only require the level of security that was required at the time of award (e.g., NIST SP 800-171).


The DoD is currently proposing a phased approach to the CMMC rollout, with an increasing number of DIBs achieving Level 1–5 certifications over the next five years, and by FY 2026, all new DoD contracts will contain some level of CMMC requirements. For requests for proposals (RFPs) that include CMMC levels, DIBs will need to have achieved compliance by the time of the contract award. If an organization cannot achieve compliance for a contract that includes CMMC level requirements, it will not be awarded the contract. However, the projected FY 2026 date gives DIBs time to plan and implement solutions. DIBs should start doing the following to prepare:

  • Determine what CMMC level they need to pursue based on the type of data they process.
  • For those pursuing Level 3, become familiar with all 110 NIST SP 800-171
  • Research potential independent assessors and undergo a NIST SP 800-171 gap analysis (Levels 3 through 5 will require third-party assessments, so having documentation in place will speed up the process).
  • Budget the necessary time and financial resources—the higher the level, the longer the time and greater the
  • Conduct a self-assessment or independent readiness assessment against their targeted CMMC

Conclusion

DIBs do have until the fall of 2025 before they are all faced with meeting CMMC standards in DoD contracts, but time passes quickly, and some of these requirements will take months, if not longer, to accomplish. DIBs that handle CUI are already required to meet NIST SP 800-171 standards, so they are well on their way to Level 3 certification. The bottom line is, time and effort expended now—researching the various levels, doing a gap analysis and budgeting for necessary resources—will pay off once CMMC is officially in place.


Endnotes

[1] Ross, R.; V. Pillitteri; K. Dempsey; M. Riddle; G. Guissanie; Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Revision 2, USA, February 2020, http://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final
[2] Although the DoD has said that 80 percent of DoD contracts will likely require CMMC Level 1, TalaTek’s early experience working with vendors in the marketplace is that most contracts are going to require CMMC Level 3. This is evidenced by vendors that can demonstrably show that they do not process, store or transmit CUI still being asked to record a NIST SP 800-171 score in the DoD’s Supplier Performance Risk System (SPRS). If Level 1 were going to be the most sought-after level in DoD contracts, then vendors would not be required to register their SP 800-171 score, because SP 800-171 only applies to vendors that process CUI. Based on this early evidence, it appears that the number of required Level 3 certifications is likely to be far more than the DoD is currently suggesting.
[3] National Institute of Standards and Technology (NIST), NIST SP 800-53 Revision 5, Security and Privacy Controls for Information Systems and Organizations, USA, September 2020, http://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final
[4] National Institute of Standards and Technology (NIST), NIST Cybersecurity Framework, USA, http://www.nist.gov/cyberframework

Johann Dettweiler, CISSP, CMMC RP

Is the director of operations and an information security consultant for TalaTek, an integrated risk management firm. As an IT security specialist, Dettweiler specializes in the security authorization phases outlined in NIST SP 800-37. He excels in risk assessment, strategic planning and problem solving. Dettweiler leverages a background in research and integration of new technology to specialize in developing solution-based work methodologies to meet client needs. He brings 16 years of experience across multiple fields of engineering and design and is adept in applying NIST, OMB, FISMA, FIPS and other US federal regulations and IT compliance requirements.