How to prepare for a DoD CMMC audit and certification
Ms. Katie Arrington (Special Assistant to the Assistant Secretary of Defense for Acquisition for Cyber) gave a presentation to small DoD contractors on May 23, 2019 to announce a new program which will require cyber-security audits and certification for all DoD contractors.
The proposed program is called the Cybersecurity Capability Model Certification (CMMC).
Here are my notes from the presentation.
Background
Per Federal Acquisition Regulations (FAR), federal contractors must comply with a list of cyber-security best practices. Currently, contractors are required to self-certify that their computer systems follow cyber-security best practices if they deal withh Controlled Unclassified Information (CUI).
What is CUI?
Controlled Unclassified Information is data that needs to be protected against release, but has not been classified by the United States Government. For example, military vehicle design schematics could be considered Controlled Unclassified Information. This information may be shared with federal contractors in order to manufacture replacement parts, or for reference while performing maintenance contracts. CUI also includes well-known sensitive categories such as personally identifiable information and health records for service members.
The proposed CMMC will now require every DoD contractor to have their computer systems certified in order to bid on RFPs. The contractor does not need to be handling CUI.
The problem identified by Ms. Katie Arrington is that the self-certification requirement for cybersecurity is not working. Theft of sensitive information from federal contractor systems has increased over time, not decreased. As a solution, her office (DoD Cyber, Acquisitions) is leading an initiative called the Cybersecurity Maturity Model Certification (CMMC).
The CMMC initiative will require DoD contractor information systems to be certified compliant by an outside auditor. This solves an issue where some businesses self-certify compliance without fully implementing (or understanding) needed security controls.
CMMC predecessor – NIST SP 800-171
In 2016, the National Institute of Standards and Technology (NIST) released a document named “Special Publication 800-171”. This lists 110 cyber-security best practices that contractors with access to CUI must comply with. An example of an individual best practice is requiring strong passwords for any account that can access CUI.
While compliance with NIST 800-171 is a requirement in order to win new contracts, there is no auditing or certification program in place yet. Government contractors are allowed to self-certify that they meet the security requirements.
Highlights of the CMMC
- A single standard used across all DoD contracts starting in 2020-2021
- Considered a “go/no-go” requirement
- Based on the NIST 800-171 controls
- Identifies five levels of data security so that contractors can implement reasonable security for the data they deal with. Encourages government contract officers to pick an appropriate tier (not everything requires level 5)
- Provide automated tool which automatically gathers data to simplify reporting efforts
- Required CMMC level will be contained in RFP sections L & M
- Authorizes a non-profit organization to oversee the program and accredit private-sector auditors
- Makes cybersecurity an “allowable cost” in DoD contracts
- DoD contractors will need to be certified at a specific security level before they qualify to bid on contracts.
Timeline for CMMC enforcement
Ms. Katie Arrington described the following timeline for CMMC:
Mid 2019 – Working groups and creation of automated assessment tools.
Early 2020 – Begin developing oversight and certifier accreditation program, processes.
Mid 2020 – Test the certification program and revise it.
Mid/late 2020 – Accredit third-party certifiers.
Future – Begin adding CMMC requirement to all new DoD RFPs
Updated: How to become a CMMC auditor
Check this article on cmmcaudit.org which gives the latest info on the CMMC Accreditation Body and what is still needed to accredit auditors and certifiers.
Next are my thoughts about what DoD contractors should be doing to prepare. These steps are my recommendations as a cyber-security consultant and are not from Kate Arrington’s presentation.
Opinion: How is cyber security an allowable cost when your company doesn’t get the contract?
How many hours to prepare for CMMC or 800-171?
There are three factors for estimating the cost and work involved with compliance.
- How complex is the network you are evaluating?
- Does your network already have secure configurations and security programs installed?
- What CMMC level are you trying to meet?
This Reddit thread has a frank discussion of the effort involved with a NIST 800-171 or 800-53 compliance project. The original poster thought that 60 hours to do a “gap analysis” (no fixes, just finding out what is wrong) was insane. Almost all responses agreed that that estimate was low. Many people gave estimates for the full effort involved (which includes fixes) – this was between 1,000 and 2,000 hours by a knowledgeable consultant.
CMMC level 1 and 2 should take less effort than the above estimates, but it will still be significant.
DoD Contractors – How to Prepare for the CMMC
My recommendations below are going to be a mixture of NIST SP 800-171 and the newer CMMC draft requirements. Remember that if your company deals with CUI, you should already be compliant with 800-171…start there. If not, then skip straight to the draft CMMC requirements and begin reviewing your network.
1. Ask these questions first
What security level applies to my company’s network? If you manage Controlled Unclassified Information (CUI) in any way, you have to meet at least security level 3.
Not all government contractors deal with CUI. If you aren’t sure, ask your contracting officer or read the RFP. Examples of CUI are personally identifiable information, schematics of military equipment, sensitive information about schedules and personnel, and configuration documentation for government networks.
It looks like most subcontractors won’t need the same security level as primes. But the latest news is that every DoD contractor will need to be at least CMMC level 1 in order to bid on RFPs.
As time progresses toward 2021, RFPs will specify the CMMC level requirement for bid. For existing contracts, you may be able to ask the contract officer to identify which CMMC level will apply to the renewal.
Is it possible to isolate your information to fewer systems, fewer networks, or fewer users, while still fulfilling the terms of your contract? You don’t need to secure ALL computer systems for the entire company. You just need to secure the systems that store data about the contract. Make the job easier by reducing your footprint.
Companies dealing with CUI
Is the CUI stored or accessed on your contractor information systems right now? If you have CUI on your systems now, you need to protect it according to NIST SP 800-171 requirements. It will take time before CMMC comes into effect. 800-171 is in effect now.
If you are a subcontractor – ask your prime to identify what information is CUI, and whether you NEED to store or access it using your information systems (as opposed to government systems or your prime’s systems). If you can avoid storing CUI on your own systems, do so! It reduces risk to your company (and probably will protect the data better) if you can store it elsewhere.
If you are a prime – ask your contract officer to identify what information is CUI, and whether you NEED to store or access it using your information systems (as opposed to government systems). Government systems have to adhere to very stringent requirements for cyber security. This is the best place to store CUI if you have an option.
2. Perform a Risk Assessment
Work with a cybersecurity professional who currently specializes in NIST 800-171 and have them perform a risk assessment. This assessment will review your progress toward compliance with the NIST 800-171 controls and list the ones that are deficient. Some form of vulnerability scanning and penetration testing will normally be included, with a report of findings.
Draft CMMC requirements are starting to be posted for review. While the details may change, and you might lose some work, if you want an early advantage, you should a use recent draft to audit your network.
For example, a reseller company with no CUI and very little proprietary data will probably need to attain CMMC level 1. If you review the draft requirements, they aren’t very hard to implement, but you still need to create policies, write plans, and gather evidence for your audit.
Using the NIST SP 800-171 document templates is still a valid move. If you prepare for this standard, you should have about 95% of the work done toward CMMC levels 1-3.
3. Write a Systems Security Plan
NIST provides a template for this plan here. You should describe how your information systems are secured and what policies are in place that relate to cybersecurity. This plan should give a POA&M (Plan of Action & Milestones) to resolve each deficient control. Note that you do not need to be 100% compliant with all security controls. You do need to have the most critical 17 addressed (as defined in DFARS 252.204-7012), a plan to fix the rest or explain why they don’t apply, and show progress over time.
4. Prepare for Incident Management
Make sure that you have a high quality Incident Management plan and practice it regularly. Besides implementing security controls, you are also expected to report security incidents to the DoD within 72 hours.
Make sure to register with the DoD reporting website ahead of time. The DoD will want to issue you a certificate to verify your identity, which can take a few days. The reporting website is https://dibnet.dod.mil
5. Follow Up and Continual Improvements
Ensure that your policies are realistic. Many organizations write policies that state that they will keep all systems fully patched at all times. If the organization then fails to patch systems for two months, and has an incident as a result, their failure to follow their own policy will count doubly against them. To the converse, if you have a really good reason to only patch every three months, and have written that into your policy, it might protect you against liability if there is an incident at the two month mark.
Next article: Free Incident Response template, definitions, and training scenarios
CMMC Audit Preparation Home
The CMMC Audit Preparation website is a good community resource for news and information. https://www.cmmcaudit.org/
References
NIST Special Publication 800-171 Website https://csrc.nist.gov/publications/detail/sp/800-171/rev-1/final
Federal Contractor Incident Reporting Website https://dibnet.dod.mil
System Security Plan Template https://csrc.nist.gov/CSRC/media/Publications/sp/800-171/rev-1/final/documents/CUI-SSP-Template-final.docx
Barbara George, PhD
July 3, 2019 @ 7:23 am
Hemisphere Cyber has been preaching this concept since December 2016.
Barb Wert
July 8, 2019 @ 12:01 pm
The OUSD(A&S) website says that “all companies conducting business with the DoD must be certified”. This is different from the information in #1 above, which indicates some contracts may not require the certification if no CUI is involved.
What is the basis of your statement? OUSD(A&S) is directly working with other agencies to put this certification together, so I think they would be pretty clear in the information they posted.
D.W.
December 5, 2019 @ 1:36 pm
If you manage Controlled Unclassified Information (CUI) in any way, you have to meet at least security level 3.
It looks like most subcontractors won’t need the same security level as primes. But the latest news is that every DoD contractor will need to be at least CMMC level 1 in order to bid on RFPs.
Amira Armond
July 8, 2019 @ 1:35 pm
Hello Barb,
This article is my notes from an in-person presentation. I haven’t gone out to the OUSD website to double-check the official stance. So I might be wrong.
However, it doesn’t make any sense to me that “all companies conducting business with the DoD” must go through a DFARS 252.204-7012 and NIST 800-171 audit. Both of these programs are specifically for companies that are holding Controlled Unclassifed Information. That is not every company.
For example, companies that provide landscaping on Naval bases probably don’t have CUI to protect. I don’t think the CMMC will apply to them.
Amira Armond
December 13, 2019 @ 8:43 am
How time flies – as you can see, my comment from July is wrong and Barb’s is up to date. They later released that all DOD contractors have to get audited, no matter what. Oi!
Cl;arence Johnson
November 12, 2019 @ 11:18 pm
How do I get certified as a trainer or Auditor for CMMC ?
Joe Rance
April 8, 2020 @ 6:27 am
Katie Arrington, who leads this program stated in a webinar that ALL DoD contracts will need to have an audited and certified system, regardless of security level. She showed an example of a lawn maintenance company who prepares his bid by calculating the square feet of grass using a drawing of the air base. The drawing is considered CUI even though it is being used to calculate a lawn mowing bid. This was just one example she used to justify having ALL suppliers certified, even office supply vendors.