Many of you may have begun to hear about a new requirement that will be placed in your RFP contracts next year called the Cybersecurity Maturity Model Certification (CMMC). As your trusted advisor with new cyber regulations, I wanted to give you an update on what is known about this program.
I just attended the DoDIIS show in Tampa with the specific goal of getting the most up to date information about the Cyber Security Maturity Model Certification (CMMC). The Director of this program, Stacy Bostjanick, spoke at the conference. I not only went to both events and peppered her with questions on your behalf, but I was also able to have over an hour of one-on-one time with her to bring up concerns from a SMB point of view. Because this program is still in development, I think I know as much as can be known at this point.
Q. What is the CMMC?
A. It is a new and much more robust Cyber security rating of 1-5 that will be required on all DoD contracts starting Fall of 2020 (currently level 3 is seen as the minimum level to process CUI data). In order to be eligible to even bid on a contract you will need to produce an independent “certification” of which maturity level your organization falls under. Your level will then be matched with the minimum standard on that contract and there will be a “go/no go policy for acceptance to next phase”. I did voice the opinion that many contractors are still confused on what constitutes CUI data and how hugely helpful it would be if the government would start marking what they consider sensitive under CUI rules. This will be an annual certification as it stands now (much like ISO).
Q. Why are they adding more cyber rules? Isn’t DFARS enough?
A. They say no.
“It is staggering how many contractors are attesting to full compliance with DFARS when they are not.”
The Department of Defense started an audit several years ago and found many contractors were attesting to DFARS compliance but were not actually in compliance. We are losing over $600 billion per year to foreign exfiltration of US taxpayer funder initiatives. “We are tired of our intellectual property that is taxpayer-funded showing up in foreign militaries. The fact that the Chinese have a plane that looks exactly like the F-35 is not an accident.” More recently, Aerodyne was fined $15 million for attesting that they were compliant when they were not. Because of these cases, the Secretary of Defense ordered a new Maturity Model Component Program to be added in addition to the DFARS law. This will take into consideration NIST 800-171, as well as some FED RAMP and ISO controls (as yet to be determined) that make sense to be a part of this new requirement. To be clear, this is not currently a law, nor does it replace DFARS, it will add to it. Stacy Bostjanick says that while there is a lot of movement and support right now to push this through bill writing, the Acting Secretary of Defense does not want to wait the 2 years it typically takes to get a bill through. As a result, this will become a contractual requirement that the DoD will place in RFP (Request for Proposals) by next fall (the target is November of 2020, according to Mrs. Bostjanick).
Q. So who will audit this program? DSS-DCSA?
A. No.
There is not enough bandwidth for the government to audit and certify over 300,000 government contractors in 9 months’ time. (I did point out the timeline was too aggressive, in my opinion, but they are committed to keeping it). The DoD, in conjunction with leading university think tanks, are designing not only the controls that will be assessed, but they are also developing the training program for the private sector assessors. This accreditation will be an add-on accreditation to an auditor’s already approved certification (that we at F1 Solutions will be first in line to take). This accreditation program will be rolled out sometime in Q1 of 2020. Their goal is to have accredited third-party auditors in the field by June 1, 2020. (I also voiced my concern that this was also too aggressive, as there may not be enough assessors in the country to meet this demand.)
Q. If I am DFARS compliant will I be CMMC certified?
A. No
CMMC controls will be greater than the current 800-171 controls, so the certification will have to be issued in addition to DFARS compliance.
Q. Will this effect current contracts?
A. No.
If you currently have a signed contract, it will not retroactively apply to this agreement. However, when the renewal does comes up, do not be surprised to see the CMMC language added.
Q. What is the working timeline for all of this?
A. Timeline below:
By January 1, 2020 the board wants to have the consortium that will govern this program set up and hear grievances. They will also have the controls defined and set, as well as all the training requirements and the accreditation process set.
By the end of Q1 of 2020, they hope to have auditors going through the accreditation program, as well as the full release of controls provided, with desk references for contractors to follow.
By June 1, 2020, they want to have assessors accredited and staring to set appointments to assess and certify environments within Q3.
By November 1, 2020 (the soft date might change), the language will start appearing in contracts and RFP’s that will have the CMMC requirement to bid.
Q. This is going to be a significant expense to sub-contractors. Can this be a line item charge off?
A. No.
The government is fully counting on the fact that you will start adding these IT infrastructure remediations and the certification costs into your future quotes. They consider this a baseline pillar. You can discuss the particular ways for you to account for these additional 2020 costs with your contracts’ manager. (I did fight for a grant program, but I am not sure there is much acceptance of that through the DoD yet.)
Q. What do I do right now in anticipation of CMMC?
A. Get compliant with the DFARS NIST 800-171 controls over the next 5 months. Then wait until January for the CMMC controls to be released. I will be following this very closely and am in contact with the team at Stacy Bostjanick’s office. Here is their web site:
htpps://www.acq.osd.mil/cmmc/index.html
Stay tuned for further updates as F1 stays on top of this for you. For our managed service clients that will need these third-party certifications next year, we are partnering with several groups that will have this accreditation and will charge a reasonable rate.
If you have any questions, please feel free to contact me by email at [email protected] or call 256-461-0040.