CMMC: What do I do?
by Brandon Graves, Partner
Cybersecurity, Government Contracting, Subcontracting
The Department of Defense (DOD) has been worried about the security of its contractors for years. Its FAR supplement, the DFARS, imposes more stringent cybersecurity requirements than the FAR itself and adds heightened reporting requirements in the event of a breach. But that has not been enough: not all contractors are compliant with those requirements, and breaches continue to occur. DOD began developing the Cybersecurity Maturity Model Certification (CMMC) program to address these problems. CMMC is intended as a way for DOD to verify, through third-party certification, that some of its contractors are actually meeting their cybersecurity obligations rather than merely attesting to them.
The DOD has worked for several years now to get the CMMC program right, which is to its credit. Unfortunately, the shifting requirements have caused significant confusion about what CMMC is, how it is implemented, the timeline, and what it actually means for any given organization. Adding to the confusion are the subcontractor certification forms that large prime contractors use: some of these forms still reference old versions of CMMC that DOD no longer recognizes, yet the prime's form still obligates the subcontractor to comply with them. Some consultants have taken advantage of this confusion to drive business.
This confusion leads contractors (and in some cases businesses with no connection to DOD at all) to overinvest in security controls that may or may not actually improve their cybersecurity posture. Burned by consultants, these businesses will likely underinvest in the future.
What are the CMMC Requirements?
First, contractors need to understand what their actual requirements are. The current draft of CMMC has three levels, assigned in part based on the kind of information the contractor receives from DOD. Some contractors equate CMMC with the middle level and set out to meet its heightened security requirements. The lowest level of CMMC, however, has the same security requirements as the basic safeguarding clause (FAR 52.204-21) that already appears in almost every government contract. In other words, many DOD contractors will have no additional work to do, assuming they are compliant with their current obligations, which may be a dangerous assumption.
Contractors need to look in several places to determine their CMMC requirements: their government contracts, their contracts with primes, and the business they expect to pursue in the future. It can be difficult to understand exactly what those documents require, because the CMMC clauses leave it to the contractor to analyze its own obligations. Nevertheless, every CMMC compliance program needs to start with an analysis of these requirements.
Isn’t Everyone Moving to CMMC?
There is a lot of noise out there that everyone is moving to CMMC. This is patently false. Initially, other federal agencies indicated that they would watch the CMMC rollout. Those agencies have either gone silent or walked back those statements. CMMC is currently DOD-specific and is likely to remain that way for some time. If an organization has no contracts with DOD and no commercial contracts that specifically mention CMMC, it should walk away from any consultant pitching CMMC compliance work. Even if an organization does have commercial contracts that mention CMMC, it should confirm the specific requirements with its counterparty before moving forward.
Isn’t CMMC the same as NIST SP 800-171?
CMMC level 2, in CMMC 2.0, is essentially the same as NIST SP 800-171, but not completely. Notice all the caveats in that sentence. First, CMMC and NIST SP 800-171 only overlap at CMMC level 2; levels 1 and 3 have different scopes. Second, CMMC is still in flux. We are currently in 2.0, but the program still has to go through notice-and-comment rulemaking, so the requirements may change. Third, there are important differences in which particular controls can be deferred under a plan of action. Finally, for at least some level 2 contractors, a third-party assessor will examine the controls, and that examination may reach significantly different conclusions than the work of some of the consultants who claim to perform 800-171 assessments today.
Every DOD contractor that handles controlled unclassified information (CUI) should already be compliant with NIST SP 800-171 under its existing DFARS obligations, but merely self-assessing compliance under the existing standard does not mean an organization is compliant with CMMC. Likewise, rushing to become 800-171 compliant may not be the best use of an organization's resources. It is important that organizations understand both their current requirements and their likely future requirements, and that they not conflate the two.
What Should I be Doing?
Everyone's cybersecurity could improve. That is the nature of the endeavor, and it will not change as long as threat actors continue to evolve. That does not mean that organizations, especially government contractors, should target the most aggressive compliance regime available. Resources are limited, and CMMC's requirements may not be the right fit for any particular contractor. Contractors need to determine their actual CMMC obligations first. Then, with the remaining resources, a contractor can target the specific controls most applicable to its own situation.