CMMC Compliance for Defense Industrial Base (DIB) Contractors: An Accelerated Certification Guide
Although CMMC is not a current requirement, all DIB contractors will eventually be required to obtain a CMMC certification by 2025. Since the first solicitations requiring a CMMC maturity level are appearing in 2020, there are advantages to starting the certification process as soon as possible. Within the next month, the DOD is expected to produce 10 “pathfinder” contracts. Each one is expected to affect some 150 contractors and subcontractors, and it will grow from there. To help Defense contractors at all stages of the certification, we’ve developed this resource page.
Below, you’ll find high-level introductory details about CMMC, what you’ll need to do to be compliant, the benefits of becoming compliant now, and how to officially get started.
What is the Cybersecurity Maturity Model Certification (CMMC)?
The Cybersecurity Maturity Model Certification (CMMC) was created by the DoD in response to the ever-evolving threat landscape.
It is a verification mechanism designed to ensure adequate cybersecurity protection of Controlled Unclassified Information (CUI) residing on Defense Industrial Base (DIB) systems and networks. Combining elements from NIST and other cybersecurity control standards, CMMC will eventually become the singular standard for CUI cybersecurity.
Once CMMC is fully live, prime contractors (and their subcontractors) will need to meet a CMMC trust level (1-5) as determined by independent validation audits. Certifications are good for three years; without CMMC compliance, DIB contractors will not be eligible for initial awards or continuations of defense contracts.
Deeper detail and FAQs can be found on the OUSD A&S website.
How Does CMMC Differ From Prior Standards like NIST 800-171? What are the Implications?
CMMC grew out of a lack of compliance with NIST 800-171 across the DIB. The CMMC effort builds upon existing regulation (DFARS 252.204-7012) that is based on trust by adding a verification component with response to cybersecurity measures.
The CMMC standard was designed to be an enforceable, monitored, proactive approach to instilling a culture of cyber-security across the DOD supply chain. It differs in a few key areas:
-
Companies No Longer “Self-Attest”
Pentagon-approved third-parties, “CMMC 3rd-Party Assessment Organizations” (C3PAOs), will assess each company, under strict conflict-of-interest rules, at the company’s expense. The standards of training and certification of C3PAOs are currently being defined but there are several companies already stating their intentions publicly to play that role. The training and certification requirements are being published shortly.
-
If You’re not Compliant, You Won’t Get the Contract
There are no penalties for non-compliance; you simply won’t qualify for contract consideration. On the other hand, non-compliance with CMMC and NIST 800-171 does represent risks relative to contract termination if there’s a discovery of a failure to comply after a contract is accepted, the potential for criminal fraud if a company knowingly misstates compliance in a contract response, and tort risk for inadequate controls in the context of a breach.
-
Re-Certification
There is a requirement for a CMMC accreditation process every 3 years, which means that once met, ongoing compliance must be monitored and audited. Processes, controls, and policies must be maintained to pass the accreditation process every 3 years.
-
The Cost of Compliance is Being Treated as an “Allowable Cost’
Allowable expenses specified in a contract can be billed to the DoD. According to the CMMC website FAQ, “The cost of certification will be considered an allowable, reimbursable cost and will not be prohibitive.” The required CMMC level will be contained in sections L & M of the Request for Proposals (RFP). The cost of tools, remediation, and preparation is included in this category. In other words, the investment in a Splunk/TekStream cybersecurity and CMMC compliance solution can be expensed to the DoD.
-
CMMC Certification Does Not Completely Correlate to NIST 800-171 Compliance
NIST 800-171 is primarily focused on protecting CUI at rest and in-flight. Successful CMMC attestation does not mean you are compliant with NIST 800-171. Appendix D of NIST 800-171 rev1 contains 110 Controlled Unclassified Information (CUI), and in Appendix E, there are also 63 Non-Federal Organization (NFO) controls. There is a separate set of dashboards and tools for NIST 800-171 monitoring and compliance in Splunk.
-
Differing Certification Levels on a Single Contract Have the Potential to Raise Complex Implementation Challenges for Primes and Subcontractors
A specific contract will have compliance requirements that flow down from prime to sub-contractors at varying levels, and these requirements will be contract specific.
What Should Defense Contractors Do Now?
We are still in the early phases of CMMC rollout, but DIB contractors need to be proactively learning about the technical requirements and getting ready for certification as well as continued compliance.
Contractors should also keep the following dates in mind:
- June 2020: CMMC to begin appearing in RFIs
- September 2020: CMMC to begin appearing in RFPs
The Fast Track to CMMC Readiness
CMMC is new and complex. That’s why TekStream and Splunk came together to create a simple, prescriptive solution to help you adapt to this new compliance model. Learn how one client used it to achieve CMMC readiness in under 30 days, and discover how you can, too.
The 5 CMMC Trust Levels
The level of certification necessary will depend on where you fall in the supply chain. There will be several dozen or more subcontractors working in concert to provide the necessary materials, time, and technologies to support the prime contractor.
The prime contractors and the government sponsor are responsible for the entire supply chain for CMMC levels.
The levels are described as follows:
The Benefits of Early Action and Where to Start
The first and most obvious benefit of going through the compliance process now is that this is going to be required in the next few years.
Acting early puts you ahead of the curve, prepares you to meet DoD needs now, and opens an opportunity for the pathfinder contracts (if applicable).
So, where should contractors start?
There are a number of consultants offering compliance assessments and reviews, but the quickest and most effective way to kick off your CMMC effort will be a tandem partnership with a prescriptive solution and implementation consultancy.
TekStream and Splunk have partnered to bring you the exact solution and expertise you need to make getting and, as importantly, staying compliant as seamless as possible and a smooth process for years to come.
Using Splunk, TekStream’s team can help you achieve CMMC readiness
in as little as 30 days.
No one needs another lengthy compliance assessment, and although an analysis of gaps and existing procedural controls is critical, it need not be the first step. Gaps can be identified in the process of implementing an automated CMMC monitoring solution. Essentially, the process starts with gathering all of the available information across your enterprise and implementing automated practice compliance. Gaps are naturally discovered in the process of implementing a solution.
The automated practice controls can be leveraged in the context of SOPs that are repurposed into applicable SSPs, POAMs, and business plans. The exact nature of the process will depend on your specific needs, but in general, the following will occur:
By partnering with TekStream and Splunk, you’ll be getting:
- Installation and configuration of Splunk, CMMC App, and Premium Apps in mere weeks.
- Pre/Post CMMC Assessment consulting work to ensure you are meeting or exceeding CMMC level requirements.
- Optional MSP/MSSP/compliance monitoring services to take away the burden of data management, security, and compliance monitoring.
Once you’ve gone through the CMMC compliance process with TekStream, compliance and auditing is ongoing and monitored on an automated basis for each practice and summarized in a centralized auditing dashboard.
It significantly reduces risk of non-compliance and the cost and effort associated with attestation every 3 years.
If you’re already using Splunk, this opportunity should be a no brainer.
If you are new to Splunk, what better way to procure a best-in-class security, compliance, and operational intelligence platform?