On January 31, 2020, the Department of Defense (DoD) released the latest version (Version 1.0) of its Cybersecurity Maturity Model Certification (CMMC) framework, setting forth future cybersecurity requirements for thousands of DoD contractors and subcontractors. Outside of the DoD, the framework may influence courts’ and regulators’ understanding of what constitutes reasonable and appropriate security measures more broadly.

The CMMC is a certification framework that measures a contractor’s ability to safeguard Controlled Unclassified Information (CUI) and Federal Contract Information (FCI). CMMC implementation will require cybersecurity audits by CMMC Third Party Assessment Organizations (C3PAOs) for more than 300,000 companies. The DoD announced that it will include the new requirements in certain requests for information (RFIs) starting in June 2020, and requests for proposals (RFPs) in September 2020, and that all contractors will be required to obtain CMMC certifications by Fiscal Year 2026. The phased rollout approach is a change from DoD’s previous statements that it could implement CMMC more broadly this year. The required level of certification for a contract award will be indicated in each DoD solicitation. The DoD is currently drafting a rulemaking to implement CMMC, with the intent to publish a final rule by September 2020.

THE CMMC ACCREDITATION BODY

The DoD is currently working on a Memorandum of Understanding between the DoD and the newly-formed CMMC Accreditation Body (AB). The AB Board of Directors consists of 13 individuals from private industry. The AB will be responsible for managing, operating, and sustaining the CMMC program, CMMC training, and evaluating and accrediting individual assessors and C3PAOs. C3PAOs will conduct CMMC assessments, which are comprised of on-site evaluations of the capabilities, practices, and process maturity defined in the CMMC model. The DoD has indicated that it will provide initial training guidance to the AB in the first quarter of 2020. The AB will then use DoD materials to make training available to individual assessors and C3PAOs.

CMMC PRE-ASSESSMENTS

While the DoD develops CMMC’s regulatory and contractual framework, and the AB determines processes for accrediting and training individual assessors and C3PAOs, the AB advises contractors and potential contractors to conduct pre-assessments using the most current draft of CMMC. Pre-assessments will allow entities to be prepared to obtain a certification at the appropriate level in the short timeframe granted by the DoD’s requirements. Retaining legal counsel to oversee risk assessments, including CMMC pre-assessments, is advisable, due to the sensitive nature of such assessments and the potential liability that could result from the disclosure of non-privileged assessment results.

CMMC VERSION 1.0

Under the CMMC framework, defense contractors and subcontractors will be required to undergo a C3PAO assessment of their internal cybersecurity technical practices and process maturity against published standards. Each assessment must be guided by the CMMC and can result in certification at one of five levels, with Level 1 as the lowest level and Level 5 as the highest level. Much like HITRUST, CMMC recognizes a progression of maturity levels, ranging from simple documentation of security practices to establishing a standardized measurement and management framework on top of policy documentation. A Level 4 or 5 certification demonstrates the contractor’s ability to reduce the risk of Advanced Persistent Threats (APTs). An APT is defined as an adversary that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical, and deception).

The CMMC framework focuses on 17 domains: Access Control, Asset Management, Audit and Accountability, Awareness and Training, Configuration Management, Identification and Authentication, Maintenance, Media Protection, Personnel Security, Physical Protection, Recovery, Risk Management, Security Assessment, Situational Awareness, System and Communications Protection, System and Information Integrity. Each domain consists of a set of processes and capabilities (and in turn, practices) across the five levels. With the exception of Asset Management, Recovery, and Situational Awareness (threat monitoring), these domains originate from the security-related areas in Federal Information Processing Standards (FIPS) Publication 200 and the related security requirement families from NIST SP 800-171.

Below are overviews of the CMMC maturity process and practice progressions.

CMMC MATURITY PROCESS PROGRESSION

CMMC PRACTICE PROGRESSION

The DoD provides an overview of the CMMC components in its briefing PDF, which accompanies the full CMMC Version 1.0 document.