CYBERSECURITY MATURITY MODEL CERTIFICATION (CMMC)
DFARS Interim Rule – Effective 30 Nov 2020:
On 29 September 2020, DoD issued an interim rule to amend the Defense Federal Acquisition Regulation Supplement (DFARS) to implement a DoD Assessment Methodology and Cybersecurity Maturity Model Certification (CMMC) framework in order to assess contractor implementation of cybersecurity requirements and enhance the protection of unclassified information within the DoD supply chain.
This rule creates the following new solicitation provisions and contract clauses:
- 252.204-7019, Notice of NIST SP 800-171 DoD Assessment Requirements – the solicitation provision that advises offerors that they must have a current (not older than three years) assessment on record in a Government database called the Supplier Performance Risk System (SPRS).
- 252.204-7020, NIST SP 800-171 DoD Assessment Requirements – the contract clause that designates the NIST 800-171 DoD Assessment Methodology that contractors need to use when conducting Basic Assessments.
- 252.204-7021, Cybersecurity Maturity Model Certification Requirements – the solicitation provision for CMMC
The rule directs contracting officers (agreements officers) to verify in SPRS that an offeror has a current NIST SP 800-171 DoD Assessment on record, prior to contract award, if the offeror (emphasis added) is required to implement NIST SP 800-171 pursuant to DFARS clause 252.204-7012. The contracting officer is also directed to include DFARS provision 252.204-7019 and DFARS clause 252.204-7020 in solicitations and contracts.
Contractors are being encouraged to do a Basic self-assessment using the NIST 800-171 Assessment Methodology and upload it into SPRS now if they intend to respond to solicitations later this year where this assessment will be required prior to award. The interim rule states that the Basic Assessment is required “in order to continue to receive DoD awards or to continue performance on contracts and orders with options”.
The interim rule is effective 30 November 2020. The Government is accepting comments on the rule through 30 November 2020 for their consideration in the formation of a final rule.
- Cyber Certification is required for the DoD supply chain. There are 5 levels of certification.
- It is a complex interaction of technical and organizational requirements to protect controlled unclassified info and federal contract info.
- The level of certification required for primes is specified in their government contract; the prime determines the level required for each of its supply chain vendors.
- Many non-prime vendors are probably OK at level 3 or below.
- Recommendation for supply chain; Meet with your primes; understand what is levied on them and what they will impose on you; at least understand the 17 practices that are required for basic cyber certification at level 1
- A 2010 Executive Order (13556) requires Exec Branch to protect Controlled Unclassified Information (“CUI”) defined as “information that requires safeguarding or dissemination controls pursuant to and consistent with laws, regulations and government-wide policies.” CUI can be “For Official Use Only,” or other designations.
- Protection is also required for – Federal Contract Information (“FCI”), a category of less-sensitive information that is provided by, or generated for, the Government under contract and is not intended for public release.
- In 2016 the Executive branch promulgated a Cybersecurity framework (NIST Special Publication (“SP”) 800-171), “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.”
- NIST 800-171 evolved to the Cybersecurity Maturity Model Certification (“CMMC”) because the cyber threat increased. A phased implementation of CMMC will continue through 2026, and DoD Solicitations (except for vendors who do COTS only) will require certification at a specified minimum CMMC level
- CMMC evaluates an organization’s proficiency at protecting CUI and FCI. It measures an organization’s cybersecurity maturity at one of five levels. – (1) Performed – Basic Cyber Hygiene – (Good for FCI); (2) Documented – Intermediate Cyber Hygiene (Begins transition to CUI); (3) Managed – Good Cyber Hygiene – (minimum CUI certification); (4) Reviewed – Proactive (Advanced); and (5) Optimizing – Advanced – Progressing – Continuous improvement.
- CMMC certification is Go/No Go decision to be made by contractors who are certified by accredited, independent, third-party commercial certification organizations known as CMMC Third Party Assessment Organizations. Self-certification is not allowed.
- Certification measures an organization’s cybersecurity proficiency within seventeen (17) domains (from NIST SP 800-171). Cyber Domains are spheres of knowledge.
- Within each domain there are processes, practices, and capabilities that an organization must do. There are 5 common processes for each domain.
- The processes that must be completed for certification are a function of the level of certification sought. Certification at a level requires previous certification at the levels below. The practices are aligned with the level of certification and domain. The 5 processes are listed (a-e) in the information that follows.
- Level 1 – There are 0 processes required for Certification at Level 1 – Cyber Practices are Ad-Hoc (17 practices (Appendix A) are required at Level 1)
- Level 2 – There are 2 processes required in each of the 17 domains for Certification at Level 2 – (a) Establishment of Policy and (b) Documented practices to implement policy. (55 practices are required at Level 2)
- Level 3 – If you are certified at Level, 2, you must complete 1 additional process for each of the 17 domains to be certified at Level 3 – (c) Establishment, maintenance, and resourcing a plan (58 practices are required at Level 3)
- Level 4 – If you are certified at Level, 3, you must complete 1 additional process for each of the 17 domains, to be certified at Level 4 – (d) Review and measure activities for effectiveness (26 practices are required at Level 4)
- Level 5 – If you are certified at Level, 4, you must complete 1 additional process for each of the 17 domains, to be certified at Level 5 – (e) Standardize and optimize a documented approach for each domain across all applicable organization units. (15 practices are required at level 5).
- DoD suggests that most of its supply chain will need certification at levels 1,2 and primes will need level three and above.