Learning more about how the Cybersecurity Maturity Model Certification (CMMC) will affect contracts ranks as a top concern for Defense acquisition professionals. That’s because the CMMC process adds cybersecurity requirements on top of the National Institute of Standards and Technology Special Publication 800-171 (NIST SP 800-171) safeguards that private-sector companies in the Defense Industrial Base must currently meet.
More than 800 participants viewed the third CMMC webcast DAU hosted June 3 to learn about the impacts associated with selecting a CMMC level for a contract action.
“We started this open forum to help members of the acquisition workforce develop a network about CMMC,” event host Christopher Newborn, a DAU professor of Information Technology (Cybersecurity Emphasis), said, adding that the intent of the webcast series “is to share use cases and exchange best practices” as the new process is implemented.
Understanding the five CMMC levels (1–5) helps acquisition professionals select the appropriate one for a contract action. Their selection should be based on the “sensitivity of information in the contract action and the capability of the threat,” Newborn said. “Limiting the damage should be the primary concern.”
CMMC levels 1–3 address moderate and lower threats, such as individuals or small teams of amateur hackers, script kiddies and hackers for hire who develop tools to pursue specific targets. Implementing sufficient security capabilities against these threats can cost anywhere from thousands to millions of dollars.
CMMC levels 4–5, typically classified, address advanced persistent threats, such as large, well-organized criminal or non-state teams and highly capable state actors. These adversaries discover and exploit corporate and Government vulnerabilities and tamper with commercial-off-the-shelf (COTS) products in the supply chain. Implementing sufficient security capabilities against these threats can cost millions to billions of dollars.
Contracts with Federal Contract Information (FCI) require basic cybersecurity hygiene, or CMMC level 1. Contracts that include Controlled Unclassified Information (CUI) require good cybersecurity hygiene, or CMMC level 3. To move beyond CMMC level 3, a company must already have the security architecture, personnel, processes and technology in place.
During the contracting process, both FCI and CUI can reside in and transit through the information systems and networks of the prime, subcontractors, vendors, and manufacturers. Security responsibility therefore runs in both directions. Project managers identify FCI and CUI and mark it as such in all contracts. This lets private-sector companies know which information they must protect in their systems and subsystems.
Those involved in selecting the CMMC level must understand the terminology, the adversary, where the information will reside and how it will be protected. That’s why Newborn recommended “a team approach to identify the CMMC level.” Close coordination with an organization’s Information System Security Managers/Engineers (ISSMs/ISSEs) is imperative so that subject matter expertise and Risk Management Framework considerations inform the CMMC level decision.
Throughout the webinar, the chat room lit up with comments and questions from participants in government, industry, and academia. One asked if there was a role private-sector companies can play. Newborn said it depends on “the CMMC-Accreditation Body (AB) process and the time needed to do an assessment.” More than once, he recommended private-sector companies “concentrate on meeting and documenting the existing security requirements in NIST 800-171,” which will “feed a contract strategy when transitioning to CMMC.”
He added that private-sector companies need to implement strong enough security practices to protect information and to detect a threat. The need for “developing resiliency techniques,” Newborn said, outweighs the “recovery and restoration of information.” Once a contractor detects a threat and submits an incident report, collaboration with government acquisition and security professionals is key to limiting damage that may occur when information is stolen, removed, or copied.
DAU’s CMMC webcasts are timely. In June, the CMMC-AB plans to release details about the assessment and certification process for certified third-party assessment organizations (C3PAOs), which will assess whether a private-sector company meets the selected CMMC level. Implementation of the CMMC process is in the pilot phase, and Newborn clarified that the CMMC does not affect current (FY 20) contracts but may affect selected FY 21 contracts.
“Now,” he said, “contracts must continue to meet the 110 security requirements in Defense Federal Acquisition Regulation Supplement 252.204-7012.”
The webcast was the latest in DAU’s efforts to provide the Defense Acquisition Workforce with essential information on protecting critical DoD information through town halls and workshops across the country. More questions from the session and Newborn’s responses are posted on DAU.edu.
The next CMMC webcast on June 23 covers contract strategies to consider when implementing CMMC. For information on CMMC or to schedule a CMMC workshop in your area, please contact Mr. Newborn at chris.newborn@dau.edu.
Upcoming CMMC Webcasts
June 23, 2020: Request for Information/Proposal (RFI/RFP) Contract Strategy Considerations to Implement the CMMC
July 29, 2020: DoD Assessment Methodology Tool Implementation (NIST 800-171 v1.1)
Previous CMMC Webcasts
May 13, 2020: Roles and Responsibilities of CMMC
May 19, 2020: Basic Safeguarding of Covered Contractor Information Systems and Controlled Unclassified Information (CUI)