On December 13, the Department of Defense (“DoD”) released the latest version of its Cybersecurity Maturity Model Certification (“CMMC”). This is the third iteration of the draft model that DoD has publicly released since it issued the first draft in October. (We previously discussed Version 0.4 and Version 0.6 of the CMMC in prior blog posts.)
DoD describes the CMMC as “a DoD certification process that measures a DIB sector company’s ability to protect FCI [Federal Contract Information] and CUI [Controlled Unclassified Information].” DoD has stated publicly that it intends to begin incorporating certification requirements into solicitations starting in Fall 2020, with compliance audits beginning in late 2020 or early 2021. Depending the sensitivity of the information that contractors will receive in the course of performing work for DoD, they will be expected to demonstrate compliance through third party audits with the requirements set forth under one of five certification levels. This applies even where contractors will not be handling FCI or CUI in the course of performing their contracts.
The two most significant updates to the model in this version of the draft are (i) the addition of “Practices” for obtaining Level 4 and 5 certifications, and (ii) an expansion of “clarifications” section, which now covers the requirements of Levels 2 and 3 of the model, in addition to Level 1. These changes and others are discussed in more detail below. Given the expected release in late January 2020, it is likely that the requirements in this draft will closely resemble those that will be set forth in Version 1.0 of the CMMC framework, which is anticipated to serve as the basis for the first contractor audits.
Addition of Practices to Levels 4 and 5
Version 0.7 of the CMMC retains the matrix format that we have seen in prior versions. This matrix is composed of “Domains,” “Capabilities,” “Practices,” and “Processes.” Each domain consists of multiple Capabilities, and each Capability consists of multiple Practices. Capabilities are general achievements to ensure cybersecurity objectives are met within each Domain. Practices more specifically outline the technical requirements necessary to achieve compliance with a given Capability, while Processes measure how well Practices have been implemented across a contractor’s business.
|Key sets of capabilities for cybersecurity.|
|Capabilities||Achievements to ensure cybersecurity within each domain.|
|Practices & Processes||Activities required by level to achieve a capability.|
Although it is not yet clear how DoD intends to draw the line between classifying contracts at one of the five certification levels, DoD has previously indicated that although Level 3 will be the baseline certification necessary for contractors that handle CUI, Level 4 and 5 certifications will apply to CUI associated with DoD “critical programs and technologies.” The CMMC does not define “critical programs and technologies,” but adopts 33 enhanced security requirements for “Critical Programs and High Value Assets” from NIST’s Draft Special Publication (“SP”) 800-171B. That draft publication provides a set of enhanced security requirements to protect the confidentiality of CUI in nonfederal contractor systems from advanced persistent threats (APTs). The NIST publication does not define the terms critical program or high value asset other than to state that these would be programs “likely to attract attention from” APTs.
Version 0.4 of the CMMC contained a litany of Practices and Processes necessary for obtaining Level 4 and 5 certifications. However, DoD subsequently removed all Practices and Processes for these levels in Version 0.6, pending further evaluation of public comments. Version 0.7 now contains what we expect to be a near-final set of Practices necessary for obtaining Level 4 and 5 certifications, and relegates all Processes to much simplified table that is intended to apply across all Domains.
As compared against the initial public release of the CMMC, the requirements in Levels 4 and 5 are greatly consolidated. Nonetheless, they still represent a significant set of compliance obligations that contractors must follow in order to perform work on contracts designated at either of these two certification levels. Level 4 now incorporates 13 controls set forth in the draft NIST SP 800-171B, and Level 5 certification requirements includes requirements for an additional five controls from draft NIST SP 800-171B.
Consistent with what we have seen for Levels 2 and 3 in prior drafts, Levels 4 and 5 also include requirements from a number of other sources, including from the CMMC working groups. In addition to retaining new standards that may make this model dependent on foreign government updates, this version continues the practice of including multiple controls for certain practices, thereby increasing the possibility of conflicting guidance. Moreover, standards that are pulled from NIST SP 800-171B in some cases appear to have been incorporated into the CMMC on a modified or a partial basis. For this reason, even those contractors that have implemented sophisticated cybersecurity controls in line with the standards set forth in NIST publications should closely review how these requirements and others have been described in the CMMC to ensure that they will be compliant with all applicable Practices at the time that they undergo an audit.
New Practice and Process Clarifications
Perhaps the most helpful update for contractors is the inclusion of new clarification sections for Level 2 and 3 Practices that build upon the Level 1 clarifications that we saw in Version 0.6 of the model, in addition to new clarifications of Processes. These sections includes brief “discussions” of the requirements, “clarifications” to further explain DoD expectations, and in some cases, “examples” that describe scenarios where compliance is appropriately demonstrated within an organization. The inclusion of clarifications for Level 3 in this draft is an unexpected but welcome addition, as Version 0.6 of the CMMC indicated that Version 1.0 would only feature clarifications for Levels 1 and 2.
We expect that these clarifications will be vital to understanding and interpreting the very brief and limited descriptions of Practices and Processes that are set forth in the matrix itself. Indeed, one of the new Process clarifications applicable to Process Maturity Level 2 describes minimum elements that policy statements from a contractor’s senior management should contain to appropriately document security requirements that are applicable to the network. Along these lines, contractors should be mindful to read the CMMC as a whole to ensure they do not encounter unexpected issues during their third party audits.
Thus far, DoD has adopted a regular cadence for updating and revising the CMMC. Although we would expect to see more additions to the model in the future (potentially including an expansion of the clarification section to cover the newly added Level 4 and 5 requirements), the model is nearing a ready-to-release format, and it appears likely that DoD will meet its January 2020 release date target for Version 1.0. For this reason, contractors should continue to take steps to implement all requirements described in this latest draft, as implementation may represent a significant effort, requiring input not just from an organization’s information technology and legal departments, but as prescribed in the current model, from an organization’s senior management.
Further, DoD has expressed a desire to revise the model on a continuous basis to rapidly address new and evolving threats. Thus, any contractors that are left playing catch up at the time that DoD begins including certification requirements to its RFPs in Fall 2020 will have a difficult time staying ahead of the curve as the model continues to evolve.
Finally, notwithstanding DoD’s efforts to simplify and clarify the requirements of the model, a number of questions that we previously raised in our post discussing the November release of Version 0.6 persist, including (i) how DoD and its auditors will handle the immediate influx of contractors requiring certifications, (ii) the specific criteria for determining the certification level necessary to perform a contract (both prime contracts and subcontracts), (iii) how DoD and its Accreditation Body will ensure that third party audits are conducted in a consistent manner, and (iv) how DoD will address the impact on commercial item and small business contractors, which ordinarily do not obtain significant cost recovery under reimbursable contracts with the Government. DoD has continued to indicate publicly that assistance may be available to small business contractors but has yet to release a plan for funding or assistance programs.
 The CMMC does not rely on the term Covered Defense information (“CDI”), which is used in DFARS 252.204-7012, “Safeguarding covered defense information and cyber incident reporting.”