Monday, October 28, 2019

The Cybersecurity Maturity Model Certification (CMMC): Implications for Contracting with the Department of Defense

One of the current trends for research organizations is the increasingly prominent role of privacy and cybersecurity compliance regimes, such as NIST 800-171, HIPAA, and GDPR. Historically, these compliance regimes have focused on regulated types of data: CUI, PHI, PII, etc. However, recently the Department of Defense (DoD) has signaled a shift away from these data-specific regulations, and towards a compliance regime that sets requirements for every organization that contracts with them, regardless of data. This new compliance regime, the Cybersecurity Maturity Model Certification (CMMC), is slated to begin as soon as Fall 2020, meaning that organizations that intend to be compliant will want to begin preparing almost immediately.

Key Takeaways:
  • The CMMC may be very important for future interactions with the DoD, as it intends to impose cybersecurity compliance requirements on *all* entities contracting (or subcontracting) with the Department of Defense.
  • The CMMC appears to be an evolution in the DoD’s treatment of CUI, adding a “verification component” to what had previously been a regime “based on trust.”
  • The CMMC will establish five “tiers” of cybersecurity requirements, ranging from “Basic Cyber Hygiene” to “Advanced.”
  • Presently, there are significant uncertainties regarding the requirements that will be imposed, how the program will be implemented, and the timeline for when these requirements will become active.
  • The aggressive timeline and lack of substantive detail cast doubts on whether the CMMC will actually be implemented as currently envisioned.
  • Organizations that anticipate needing CMMC certification should continue to monitor the developments in this space.

1 Overview

The Cybersecurity Maturity Model Certification (CMMC) is a cybersecurity compliance framework
being developed by the Department of Defense (DoD). CMMC is an evolution of the DoD’s current requirements for the protection of Controlled Unclassified Information (CUI), outlined in DFARS 252.204-7012. CMMC expressly acknowledges that the CUI DFARS clause is “based on trust,” and CMMC is intended to add “a verification component.” However, CMMC goes beyond the protection of CUI, and intends to establish cybersecurity requirements for every entity that contracts with the DoD (often collectively referred to as the “Defense Industrial Base,” or DIB).

The core of CMMC is a five-tiered “maturity model,” with tiers ranging from “Basic Cyber Hygiene” to “Advanced/Progressive.” The lowest tier establishes only a minimal set of requirements (allowing for “ad hoc” implementation), whereas the highest tier requires more than what is specified in NIST SP 800-171. Every DoD contract will have a CMMC tier requirement that must be satisfied by defense contractors wishing to bid on that contract. Contractors must have their specified cybersecurity tier evaluated by an accredited third party auditor. These different tiers are intended to protect against different adversaries or attacks. Currently this “threat protection” appears to be manifested only by a statement for each tier specifying a level of “resistance against data exfiltration” and “resilience against malicious actions.” (E.g., “Basic Cyber Hygiene” will have “limited resistance against data exfiltration” and “limited resilience against malicious actions.”)

The organization of the CMMC requirements is somewhat complicated. The actual requirements are referred to as “practices” and “processes.” Practices are essentially security controls, and processes are requirements for how rigorously those controls are implemented. However, the practices and processes are grouped together by “capability,” and further grouped into “Domains.” Capabilities mostly serve to group together practices for different CMMC tiers, since higher level tiers include all requirements for lower level tiers. Domains group capabilities together, as the process requirements apply across the Domain. (We will discuss this complexity more in Section 2.)

The Office of the Undersecretary of Defense for Acquisition and Sustainment is generating the CMMC in collaboration with “DoD stakeholders, University Affiliated Research Centers (UARCs), Federally Funded Research and Development Centers (FFRDCs), and industry.” The CMMC will combine a number of existing cybersecurity standards, including “NIST 800-171, NIST 800-53, ISO 27001, ISO 27032, AIA NAS9933, and others.” The current proposed requirements are available in the CMMC Draft 0.4. CMMC materials also note that it will go beyond assessing the “maturity of . . . controls,” and assess “the company’s maturity/institutionalization of cybersecurity practices and processes.”

Finally, the CMMC website states that “[t]he goal is for CMMC to be cost-effective and affordable for small businesses to implement at the lower CMMC levels.” Presently there is no evidence we have been able to find for how this goal will be implemented. The FAQs also state that “[t]he cost of certification will be considered an allowable, reimbursable cost and will not be prohibitive.”

Key Facts:
  • The CMMC will apply to *all* DoD contracts, including those without CUI requirements. (This includes all DoD subcontractors.)
  • The estimated number of impacted organizations is ~300,000.
  • Third party audits are required for all tiers, even those without CUI requirements.
  • The initial set of auditors will consist of 250 companies, with additional auditors being added monthly.
  • There is no self certification.
  • Data breaches / incidents *may* prompt a requirement to get recertified. (Details not specified.)
  • CMMC applies only to DoD contracts (i.e., does not carry over to other government contracts).
  • CMMC levels will be required in RFP sections L and M, and used as a “go /no go decision.”
  • Tiers will be evaluated equally across all contractor sizes. However, lower tiers are designed to be achievable by small, non-technical contractors.

Key Dates:
  • MAR 2019: CMMC first announced.
  • JUL - OCT 2019: CMMC “listening tour.”
  • SEP 2019: Draft CMMC Rev. 0.4 for public review.
  • NOV 2019: Draft CMMC Rev. 0.6 for public review.
  • JAN 2020: Version 1.0 of the CMMC framework will be made publicly available (to “support training requirements.”)
  • JUN 2020: Earliest date for incorporation into Requests for Information (RFIs).
  • Fall 2020: Earliest date for incorporation into Requests for Proposals (RFPs).

Key Unknowns:
  • It is not clear whether the CMMC will apply to other vehicles; e.g. grants, cooperative agreements (CAs), or other transactional authorities (OTAs).
  • It is not clear whether the proposed development timeline will be realized. The proposed timeline is very aggressive, and leaves limited time for organizations to actually be certified, even without taking into account the time required for the organizations to implement any new requirements.
  • It is not clear what the final requirements for each tier will be, what each tier’s threat-protection level will be, and how contracts will be assigned specific tiers. (Note, however, preliminary requirements are currently available for comment.)
  • It is not clear how long certification will last, and how recertification will be managed.
  • It is not clear who will be able to perform the audits, what form they will take, and how much they will cost.
  • It is not clear if DoD contracting officers (or other stakeholders) will still play a significant role in evaluating cybersecurity requirements (outside of verifying the CMMC certification level).
  • It is not clear whether the CMMC will apply to existing contracts when the Fall 2020 date comes online.
  • It is not clear whether the CMMC levels will allow for Plans of Action and Milestones (POAMs) to meet the certification requirements.
  • It is not clear how CMMC will interact with DFARS 252.204-7012 (specifically for CMMC tiers 1 and 2).
  • It is not clear whether CMMC certifications can only be obtained by an entire organization, or if components of an organization can be certified independent of the parent organization.
  • It is unclear whether and how CMMC will “flow down” its requirements from prime to subcontractors. (E.g., does *every* subcontractor need to be certified?)

2 Analysis

The CMMC could be a major evolution in the way the DoD approaches cybersecurity for defense contractors. Drawing upon the CUI DFARS clause, the DoD appears to be looking for ways to better verify that the requirements it sets are actually being satisfactorily implemented. For instance, the CMMC website states that the DFARS clause is “based on trust,” whereas the CMMC will add “a verification component.” Furthermore, the emphasis placed on third party auditors, the application to all DoD contracts, and the full spectrum of ‘tiers’ (from “Basic Cyber Hygiene” through “Advanced/Progressive”) all suggest that the DoD is looking for ways to comprehensively evaluate the cybersecurity of the DIB at scale.

Notwithstanding these stated intentions, the core of the CMMC appears to be a restatement of existing cybersecurity compliance control sets, drawing from NIST SP 800-171, NIST SP 800-53, and other well known control sets. Although the CMMC might use these control sets in a way that avoids the problems of most cybersecurity frameworks (most notably the “checkbox mentality”), the early evidence does not support this conclusion. The CMMC appears to be placing a heavy emphasis on third party auditors and clearly defined “tiers,” implying that CMMC compliance will be evaluated in a mechanical, checkbox manner consistent with most contemporary cybersecurity compliance regimes.

Despite being built from existing control sets, the underlying structure of CMMC is new, making it difficult to evaluate what compliance will look like. Most strikingly, the core distinction between “practices” and “processes” has the potential for considerable overlap. For example, the Basic Cyber Hygiene level currently has no process requirements whatsoever. However, it includes process language in its practices (i.e., “. . . in an ad hoc manner.”) Higher levels of practices also employ process language, in some cases actually using the word “process” as a practice requirement. (I.e. “The organization has a process . . .”) Moreover, despite using the words “processes,” “policy,” “practices,” and “plan” each as distinct requirements, none of these terms are defined.

On a positive note, the establishment of clear ‘tiers’ could simplify the DoD contracting environment for cybersecurity, as this will reduce uncertainty regarding what is required for CUI compliance, and the certification process should remove redundancies when negotiating multiple contracts with multiple different contracting officers. Additionally, the highest tiers (4 and 5) are expected to apply only to a select few large defense contractors, while tier 1 is designed to encompass even very small, non-technical organizations. (One third party referred to it as being for “the lawn mowing company.”) This broad scope, coupled with the currently published requirements, suggests that although CMMC will apply to every defense contractor, the requirements may not be too burdensome. Moreover, the current draft notes that “the model is still being refined and a reduction in size is anticipated,” suggesting that the currently available requirements are already more burdensome than the intended final product.

However, even if the individual tier requirements are reasonable, CMMC could also run into problems from overly aggressive application of “flow down” requirements. “Flow down” essentially requires contractors to include the same requirements in their subcontracts. If CMMC certification is required for *every* subcontractor, this could be prohibitive for large organizations (with a large number of subcontractors) wishing to pursue relatively small DoD contracts, such as research universities. Data-specific compliance regimes limit this problem by only flowing down with the relevant data. Generalized compliance regimes may not have a clear limiting principle in this respect.

Finally, since the CMMC does not state an intent to apply to grants, CAs, or OTAs, these vehicles may not be impacted, and organizations may wish to prioritize these vehicles when multiple funding vehicles are possible options. Note, however, that some level of CMMC compliance may still be required if the work performed under these other vehicles generates or requires access to CUI.

The primary caveat to evaluating the impact of the CMMC is that its aggressive timeline and limited publicly available information make the likelihood of it rolling out as planned questionable. Standing up a cybersecurity requirements and assessment program for the entire DIB is a gigantic task, and the proposed timeline suggests that the entire process will take barely over a year. I believe the aggressive deadlines will be exceptionally challenging to meet, even assuming there is no private sector pushback, congressional action, or project management hurdles.

Legal Backdrop

The CMMC will take the form of contractually imposed cybersecurity requirements (or alternatively, a prerequisite for bidding on DoD contracts). Since the CMMC will be imposed through restrictions on procurement contracts, the Secretary of Defense has broad authority to set requirements, provided they do not contradict existing statutory or Constitutional law. The publicly available materials point to the existing CUI DFARS clause as a foundation (and by extension, Executive Order 13556, “Controlled Unclassified Information”). To date, there has been no discussion of a DFARS clause specific to CMMC, although this does not rule it out as a future possibility.

3 Sources