On January 31, the Department of Defense (“DoD”) released Version 1.0 of its Cybersecurity Maturity Model Certification (“CMMC”). This is the fourth iteration of the CMMC that DoD has publicly released since it issued the first draft in October, and it is intended to be the version that auditors will be trained against, and that will eventually govern defense contractors’ cybersecurity obligations. (We discussed the draft versions of the CMMC in earlier blog posts, as well as DoD’s Version 1.0 release announcement.)
As outlined in more detail below, the CMMC is a framework that “is designed to provide increased assurance to the DoD that a DIB [Defense Industrial Base] contractor can adequately protect CUI [Controlled Unclassified Information] at a level commensurate with the risk, accounting for information flow down to its subcontractors in a multi-tier supply chain.”
DoD stated publicly that it plans to add CMMC requirements to ten Requests for Information (“RFIs”) and ten Requests for Proposals (“RFPs”) by the end of this year, with contractors and subcontractors expected to meet all applicable CMMC requirements at the time of award. DoD has indicated that these RFPs may involve relatively large awards, as it anticipates that each award will impact approximately 150 different contractors at all levels of the supply chain and at various levels of CMMC certification. DoD’s goal is to have CMMC requirements fully implemented in all new contract awards by Fiscal Year 2026.
Overview of the Current CMMC Framework Draft
The CMMC framework is DoD’s mechanism for incorporating select cybersecurity practices from a variety of sources, including from NIST SP 800-171 Rev.1, FAR 52.204-21 (Basic Safeguarding of Covered Contractor Information Systems), the draft of NIST SP 800-171B, CIS Controls v.7.1, the CERT Resilience Management Model, the UK NCSC Cyber Essentials, and the Defense Industrial Base (“DIB”) and other DoD stakeholders.
With the exception of compliance with the security controls in FAR 52.204-21 and NIST SP 800-171, reference to external sources in the model “does not indicate that meeting the CMMC practice meets the source or that meeting the sourced practice also meets the CMMC practice.” Accordingly, even if contractors are familiar and compliant with existing industry standards, they will need to closely review how these practices are described in the CMMC Appendix to evaluate how DoD incorporated these requirements into the model. When implementing the CMMC, defense contractors can achieve certification for their entire enterprise network or for particular segments or enclaves depending on how those information systems will be used when meeting performance requirements.
DoD will designate procurements with one of five Levels, and the prime contractor under each procurement will be required to be certified by third party auditors at the designated Level and to comply with all requirements at that level, as well as all requirements that exist in the Levels below. It is not clear how DoD intends to draw the line between classifying contracts at one of the five certification Levels, but DoD has indicated that: (i) Level 1 will be a baseline requirement that will be sufficient to safeguard federal contract information (“FCI”); (ii) Level 2 will be a “transition step in cybersecurity maturity progression” to safeguard CUI; (iii) Level 3 will be the baseline certification necessary for contractors that handle CUI; and (iv) Level 4 and 5 certifications will be utilized when DoD expects contractors to “Protect CUI and reduce risk of Advanced Persistent Threats (APTs).”
At its core, the CMMC is a matrix. This matrix begins with “Domains,” such as “Access Control” and “Incident Response,” which are analogous to “Families” in NIST SP 800-171. Each Domain consists of several “Capabilities” related to that Domain, such as “Control Remote System Access” and “Detect and Report Events.” In turn, each Capability has multiple “Practices” that contractors must comply with, depending on the certification Level that they are seeking to achieve, and these Practices are analogous to “Requirements” in NIST SP 800-171. Practices include policy and technical controls such as “Restrict remote network access based on organizationally defined risk factors. . .” and “Establish an operational incident-handling capability for organizational systems. . . .”
Finally, to be certified at a specific Level, contractors are required not only to implement each of the Practices required for that Level, but also to achieve a certain level of maturity for that Level regarding the implementation of all the Practices. For example, Level 1 simply requires contractors to “Perform” the Practices, while Level 3 requires all the related Practices to be “Managed,” and Level 5 requires all the Practices to be “Optimized.”
| Element | Description | Count |
|---|---|---|
| Domains | Key sets (or families) of cybersecurity requirements. | 17 Domains in total. |
| Capabilities | Sub-set of requirements within each Domain. | 43 Capabilities in total. |
| Practices | Security controls required by Level necessary to achieve a certain Capability. | 171 Practices when aggregated across all certification Levels. |
| Processes | Measure of maturity (or institutionalization) of policies, plans, and activities associated with Practices. | 5 Processes when aggregated across all certification Levels. |
Along with the release of the updated model, DoD announced that it was working on a Defense Federal Acquisition Regulation Supplement (“DFARS”) rule that should cover some of the implementation issues associated with the CMMC. However, as discussed in more detail below, DoD has not indicated which specific requirements this DFARS rule will address, such as whether the rule will include requirements for assessing the required certification Level of lower tier subcontractors, appeal rights for the denial of a certain certification Level, the assignment of auditors, or other operational questions.
DoD has made progress towards refining the technical aspects of the CMMC as it has moved through various drafts of the model and incorporated feedback from industry. As noted above, the release version of the model now contains fewer requirements than the initial Version 0.4 public draft (although the requirements are still numerous), and also includes a lengthy Appendices section that provides additional guidance about each Practice contained in the CMMC. There remain, however, a number of outstanding questions with regard to implementation of the CMMC, some of which are discussed below.
- Ensuring Consistency in Auditor Assessment of Compliance with the CMMC. DoD has not yet provided any detail on how auditors will be managed, selected, trained, or assigned to contractors beyond an initial RFI and designation of an Accreditation Body, which DoD only recently stood up. The RFI originally sought responses only from non-profit organizations, but was later expanded to include for-profit entities with the stipulation that a single non-profit organization would remain the overall Accreditation Body. DoD has in the past actively sought input from industry in the formation of the Model and it is expected that there will continue to be some interaction with industry on the accreditation issues.
As the CMMC Accreditation Body begins taking the necessary steps to select and train auditors, a key challenge for the Body will be to ensure that auditors are trained to conduct these audits consistently across the industry with an appropriate level of oversight. Given the breadth of the Practices that DoD has imposed at higher certification Levels, there likely will be room for interpretation as to whether each Practice has been sufficiently implemented. Because a single technical non-compliance with an individual Practice could make a contractor ineligible to compete for certain work (since certification at the required Level would not be achieved), a single auditor’s opinion could have a significant impact on a contractor’s business.
- Appeal Rights. DoD has not yet explained what recourse, if any, contractors will have to appeal an adverse finding on non-compliance from an accreditor. If DoD were to implement an appeal process, it is not clear who would adjudicate the decision, whether it would be the Accreditation Body, another third party auditor, or a DoD representative. Although DoD has stated that contractors are required to be compliant at the time of contract award (rather than at the time of bid submission), contractors may face significant risk by bidding on work that they are not yet compliant to perform.
- Flow Down Issues. DoD representatives confirmed at the press conference releasing Version 1.0 of the CMMC that not all subcontractors will be required to meet the same certification Level as the one assigned to the procurement. In particular, the DoD representatives noted that if a prime contractor did not flow down any Covered Defense Information (“CDI”) to a subcontractor, that subcontractor would only need to meet the minimum Level 1 certification that will be required of all contractors and subcontractors performing on DoD programs. What remains unclear, however, is whether a prime contractor can independently designate information that it flows down to a subcontractor at a Level lower than at which the overall procurement is designated or whether DoD will establish a process for approving such designations.
- Impact to Critical Programs. Although the new certification requirement likely will help to improve the security of DoD’s supply chain and the confidentiality of CUI and CDI, it will inevitably limit the pool of qualified contractors to which DoD will be able to make awards across all industries. The impact of the CMMC may be especially pronounced for small business contractors, which may not have the resources available to adequately ensure compliance, and it may come as a surprise to companies selling commercial off-the-shelf items to DoD and to others that sell to DoD. DoD has suggested the creation of financial assistance programs for the small business community, but did not provide any further information with the release of Version 1.0. Moreover, although DoD has indicated that the costs of compliance would be allowable, commercial companies that do not have cost reimbursement contracts where these costs can be recovered as overhead will either need to bear these costs or increase their pricing. Thus, it remains to be seen how DoD will balance the need for appropriate information security controls with the continuing need to develop and maintain a robust DIB, although the pendulum clearly appears to be swinging toward security.
- Ability to Contest Designations. DoD has not yet released detailed guidance on how source selection officials will determine which certification Level to assign to a particular procurement. Because these determinations are tied to national security, it may be difficult for contractors to have any meaningful ability to contest a certification Level assigned to an RFP.
Takeaways in Preparing for the Audit
Coming into compliance with all applicable requirements likely will be a challenge for many contractors, particularly since the requirements impose new technical controls and levels of maturity that apply more broadly than just to those contractors that handle CUI, CDI, or FCI. Although contractors will need to take concerted steps specific to their business to come into compliance with CMMC requirements, there are a few considerations that are apparent with this release version of the model.
- Don’t Underestimate the Rollout. DoD has publicly stated that it expects only ten RFPs to contain CMMC requirements later this year and that full implementation of the CMMC will not occur until Fiscal Year 2026. Based on the number of subcontractors that DoD has estimated for these programs, some of these contracts may involve large programs. However, contractors should begin taking steps to come into compliance with CMMC requirements as early as possible to ensure that they are positioned to bid on any work that contains a CMMC compliance requirement, particularly as prime contractors begin to seek out certified subcontractors to perform work. Further, DoD is likely to continue to refine the CMMC over time, and may adjust existing technical controls or impose new controls in the model. Thus, even if contractors do not see CMMC compliance requirements in existing RFPs this year, they may be faced with a moving target that may become progressively more difficult as the threat and the CMMC evolve.
- Don’t Overlook the Processes. Even where contractors have taken significant steps to become compliant with the technical controls for a particular Level of the CMMC, they should be cautious not to overlook the Process (or maturity) requirements applicable to that Level. Ultimately, CMMC auditors will be seeking to evaluate how ingrained Practices are within an organization, which in some cases require input not just from an organization’s information technology and legal teams, but as DoD has made clear, from an organization’s senior management as well.
- Consider Conducting Pre-Assessments. Although the first sets of compliance reviews may be the first live evaluations of CMMC Practices by auditors, they do not necessarily have to be the contractors’ first external evaluations. Depending on the individual circumstances of a company, whether to conduct a pre-audit review under privilege is a point for consideration. Considering the potential impacts to some contractors’ business if they become ineligible for DoD awards due to an adverse audit finding, contractors may want to weigh the relative costs and benefits of conducting pre-assessments to identify these deficiencies before a CMMC auditor does.
- Pay Attention to Subcontractors. Prime contractors and higher-tier subcontractors should not only take steps to ensure that they will be certified at a particular Level, but should also take steps to ensure that their subcontractors will also be certified at an appropriate Level. As discussed above, DoD intends for these requirements to flow throughout a contractor’s supply chain, so if a critical subcontractor is not certified to handle necessary information, then a prime contractor or higher tier subcontractor may find itself unable to perform its contractual requirements. Contractors will need to incorporate this certification into their vetting procedures for their subcontractors and suppliers and to modify their contractual agreements consistent with the CMMC requirements.