The release of the Cybersecurity Maturity Model Certification (CMMC) adds to the complexity of cybersecurity requirements facing members of the defense industrial base (DIB) and has many asking questions.
To help bring clarity to a confusing situation for DoD prime contractors and lower-tier suppliers, Exostar led a webinar, “CMMC is here, but 800-171 isn’t going away – know what to do?” In the webinar, we addressed the top five concerns that DoD suppliers had.
When will CMMC affect us?
DoD plans to roll out CMMC in 2020 and expects the transition from NIST 800-171 to CMMC to continue until 2026. However, CMMC will not be inserted retroactively into ongoing programs. Only new DoD programs and those up for renewal will be subject to it. For individual companies, they would need to obtain CMMC certification depending on the lifecycles of their current contracts and any future bids.
Where do we start? Do we still need to comply with NIST 800-171, or should we jump right to CMMC?
NIST 800-171 will remain relevant for the foreseeable future, particularly as CMMC slowly ramps up over the next couple of years before accelerating. Organizations that store or handle CUI still need to be NIST 800-171 compliant. Even though self-attestation is allowed, these businesses should expect increased scrutiny in the form of audits conducted by DCMA. Inconsistencies between self-assessments and audits could put companies in jeopardy of adverse contract impacts or penalties under the False Claims Act.
On an important note, Plans of Action and Milestones (POA&Ms) that may have been accepted as part of NIST 800-171 compliance likely will not be allowed to successfully achieve CMMC certification. So, contractors subject to 800-171 compliance should be prioritizing implementation (and thus elimination) of their POA&Ms.
Are we still responsible for ensuring that our subcontractors and suppliers can receive and protect CUI?
The current version of DFARS includes a flowdown provision that places the onus on primes to ensure that their entire supply chain is in compliance with NIST 800-171 if they are to receive CUI. This provision will remain valid for all current DoD programs until contract completion or renewal.
Meanwhile, the DoD plans to update DFARS to account for the introduction of CMMC. CMMC mandates all participants on a bid team to possess certain levels of certification, with the minimum being a CMMC Level 1 for any first-tier subcontractors. So, even though CMMC supplements flowdown provisions and potentially shifts the onus by requiring all companies in the DoD supply chain to obtain their own certification, prime contractors must still maintain visibility into the CUI capabilities and certifications of all of their subcontractors and suppliers. This will allow them to confidently bid on contracts at all five CMMC levels, particularly those at Level 3 and above when CUI is a factor, as well as protect their own sensitive data and intellectual property.
Security isn’t free, and neither is certification. Who pays?
The DoD has consistently stated it doesn’t want to place undue fiscal burden on the DIB, particularly on smaller businesses that may only seek a Level 1 certification. For this level, the DoD selected cybersecurity practices that represent basic protection that most organizations should already have in place as required by the FAR.
The DoD also recognizes that stepping up to CMMC presents ongoing resource challenges for all members of the DIB. For this reason, security will be an allowable cost that contractors can claim for programs that require CMMC certification, based on contract type and required CMMC levels. Prime contractors may also offer assistance to their subcontractors to help them successfully achieve the necessary levels of certification.
Where can we get help?
The DoD continues to publish documents intended to clarify the practices and processes regarding CMMC. However, many companies lack the cybersecurity expertise or personnel to leverage these resources.
While cybersecurity consulting services are an option, these services can often be costly and time-consuming, while creating an ongoing dependency. For suppliers facing these issues, risk management products may be a more viable alternative. An effective risk management product includes an intuitive, easy-to-use interface and comprehensive explanation that provides guidance for its users.
Exostar Products That Support CMMC: