Wednesday, June 17, 2020

Analysis of the Cybersecurity Maturity Model Certification (CMMC) and Implications for Contractors

The Cybersecurity Maturity Model Certification (CMMC) is currently being developed by the US Department of Defense (DoD) as the next generation cybersecurity requirement for contractors.  Section 1 below summarizes the publicly available information regarding CMMC, highlighting key facts, key dates, and key unknowns. Section 2 provides an analysis of how to interpret CMMC and what it may mean for future contracting efforts with the DoD. Section 3 provides the sources used. 

Key Takeaways: 

  • CMMC may be very important for future interactions with the DoD, as it establishes cybersecurity compliance requirements for *all* entities contracting (or subcontracting) with the DoD. 
  • CMMC requirements are currently planned to be included in all DoD contracts by JAN 2026.
  • CMMC is an evolution in the DoD’s treatment of CUI, adding a “verification component” to what had previously been a regime “based on trust.”
  • CMMC establishes five levels of cybersecurity requirements, ranging from “Basic Cyber Hygiene” to “Advanced/Progressive.”
  • Presently, there are still uncertainties regarding how the program will be implemented and what assessments will look like.
  • The substantive challenges, frequent changes, and emergence of COVID-19 all cast doubts on whether CMMC will actually be implemented as currently envisioned.
  • Organizations that anticipate needing CMMC certification should continue to monitor the developments in this space.  Organizations with current DoD contracts should work with their contract officer and review the CMMC document to self evaluate compliance.

1. What We Know So Far


The Cybersecurity Maturity Model Certification (CMMC) is a cybersecurity compliance framework being developed by the Department of Defense (DoD).  CMMC is an evolution of the DoD's current requirements for the protection of Controlled Unclassified Information (CUI), outline in DFARS 252.204-7012.  CMMC expressly acknowledges that the CUI DFARS in "based on trusted", and CMMC is intended to add "a verification component".  However, CMMC goes beyond the protection of CUI, and intends to establish cybersecurity requirements for every entity that contracts with the DoD (often collectively referred to as the "Defense Industrial Base", or DIB.[1]

The Office of the Undersecretary of Defense for Acquisition and Sustainment is generating CMMC in collaboration with “DoD stakeholders, University Affiliated Research Centers (UARCs), Federally Funded Research and Development Centers (FFRDCs), and industry.”[2] CMMC will combine a number of existing cybersecurity standards, including “NIST 800-171, NIST 800-53, AIA NAS9933, and others.”[3] The current proposed requirements are available in the CMMC Version 1.02 document.[4] CMMC materials also note that it will go beyond assessing the “maturity of . . . controls,” and assess “the company’s maturity/institutionalization of cybersecurity practices and processes.”

The Requirements:

The core of CMMC is a five-level “maturity model” [5] specifying required “practices” and “processes” for compliance. Every DoD contract will eventually have a CMMC level requirement that must be satisfied by defense contractors wishing to bid on that contract. Contractors must have their specified cybersecurity level evaluated and certified by an accredited “CMMC 3rd Party Assessment Organization” (C3PAO) or individual assessor.[6] The different CMMC levels are intended to protect against different adversaries or attacks.[7]

  • Level 1: “Basic Cyber Hygiene” establishes the minimal set of requirements for CMMC, which are largely a restatement of the federal contract requirements in FAR 52.204-21.[8] Every DoD contractor will be required to satisfy at least Level 1. 
  • Level 2: “Intermediate Cyber Hygiene” is an intermediate step for organizations targeting Level 3. This level is not currently planned to be included in any DoD contracts, but may be used as a competitive advantage when bidding on Level 1 contracts.
  • Level 3: “Good Cyber Hygiene” is the required level for any contract handling CUI.[9] The requirements for Level 3 are largely a restatement of NIST SP 800-171/DFARS 252.204-7012, along with an additional 20 controls. 
  • Level 4: “Proactive” focuses on the protection of CUI from Advanced Persistent Threats (APTs), drawing on controls in NIST SP 800-171B.
  • Level 5: “Advanced/Progressive” is the highest level, reserved for the most critical non-classified contracts. Level 5 also focuses on the protection of CUI from APTs, but requires even “greater depth and sophistication of cybersecurity capabilities.”
The DoD has provided some clarifications and examples on interpretation of CMMC’s required practices and processes.[10]


The most recent statement from DoD is that CMMC will be incorporated into contracts slowly over a 6 year period. During the first year, CMMC is planned to only be included in a small number of contracts with major prime contractors (est. 10-15 contracts).[11] However, since these requirements will flow down to any subcontractors, the total number of impacted organizations may still be CMMC requirements will then be gradually included in more contracts until JAN 2026, when CMMC requirements are planned to be included in every DoD contract.


Finally, the CMMC website states that “[t]he goal is for CMMC to be cost-effective and affordable for small businesses to implement at the lower CMMC levels.”[12] For instance, Katie Arrington has stated her desire for a Level 1 certification for a small-to-medium sized business to cost less than $3000. Presently there is no evidence we have been able to find for how this goal will be implemented. The FAQs also state that “[t]he cost of certification will be considered an allowable, reimbursable cost and will not be prohibitive” (emphasis added).


The CMMC program will be governed by a recently constituted “Accreditation Body” (AB).[13] The CMMC AB is a non-profit, independent organization whose Board of Directors is composed of representatives of the DIB. The CMMC AB is operating under an Memorandum of Understanding (MOU) with the DoD, and is tasked with creating and operating the CMMC certification program, including training and accreditation of C3PAOs and individual assessors. The AB is also developing tools to help contractors achieve CMMC compliance. To date, a number of governance elements surrounding the CMMC program are unclear, including whether there will be an appeals process, how litigation will play out, and how the AB will accredit organizations to conduct assessments.

Key Facts: 

    • CMMC will eventually apply to *all* DoD contracts, including those without CUI requirements. This includes all DoD subcontractors. 
      • Only companies that supply COTS products will be excluded.
      • The estimated number of impacted organizations is ~350,000.
    • CMMC will be gradually rolled out, with requirements included in ~10-15 contracts during 2020, and complete incorporation planned by January 2026.
    • Third party certification assessment is required for all CMMC levels, even those without CUI requirements.
    • The contractor determines the scope of CMMC certifications (organization-wide or partial).[14]
    • The initial set of C3PAOs will consist of 250 companies, with additional assessors being added monthly.
    • There is no self certification.[15]
    • Certification will last 3 years.
    • Plans of Action and Milestones (POAMs) are not allowed.
    • Data breaches / incidents *may* prompt a requirement to get recertified. (Details not specified.) 
    • CMMC applies only to DoD contracts (i.e., does not carry over to other government contracts).
    • CMMC levels will be required in RFP sections L and M, and used as a “go /no go decision.”[16]
    • CMMC levels will be evaluated equally across all contractor sizes. However, lower levels are designed to be achievable by small, non-technical contractors.

    Key Dates: 

        • MAR 2019: CMMC first announced.
        • JUL - OCT 2019: CMMC “listening tour.”
        • JAN 2020: Version 1.0 of the CMMC framework released.
        • MAR 2020: CMMC Accreditation Body signed MOU with DoD.
        • MAR 2020: Version 1.02 released.
        • APRIL 2020: CMMC AB issues RFP for continuous monitoring.[17]
        • MID 2020[18]: Planned DFARS update from 800-171 to CMMC.
        • JUN 2020: Planned release of training from the AB.
        • JUN 2020: Planned date for incorporation into Requests for Information (RFIs) for selected prime contractors.
        • JAN 2026: Planned date for incorporation into all Request for Proposals (RFPs).

        Key Unknows: 

            • It is not clear whether the proposed development timeline will be realized. The short history of CMMC development has shown a pattern of aggressive timeline estimates that aren’t realized. 
            • It is not clear how contracts will be assigned specific CMMC levels.
            • It is not clear how recertification will be managed.
            • It is not clear how C3PAOs will be chosen, what form the assessments will take, and how much they will cost.[19]
            • It is not clear what role DoD contracting officers (or other stakeholders) will play in evaluating cybersecurity requirements (outside of verifying the CMMC certification level).
            • It is not clear whether CMMC will apply to other vehicles; e.g. grants, cooperative agreements (CAs), or other transactional authorities (OTAs).

            2. Analysis 

            CMMC could be a major evolution in the way the DoD approaches cybersecurity for defense contractors. Drawing upon the CUI DFARS clause, the DoD appears to be looking for ways to better verify that the requirements it sets are actually being satisfactorily implemented. For instance, the CMMC website states that the DFARS clause is “based on trust,” whereas CMMC will add “a verification component.” Furthermore, the emphasis placed on third party assessors, the application to all DoD contracts, and the full spectrum of levels (from “Basic Cyber Hygiene” through “Advanced/Progressive”) all suggest that the DoD is looking for ways to comprehensively evaluate the cybersecurity of the DIB at scale.

            Notwithstanding these stated intentions, the core of CMMC appears to be a restatement of existing cybersecurity compliance control sets, drawing from NIST SP 800-171, NIST SP 800-53, and other well known control sets. Although CMMC might use these control sets in a way that avoids the problems of most cybersecurity frameworks, most notably the “checkbox mentality,”[20] early evidence does not support this conclusion. CMMC appears to be placing a heavy emphasis on third party assessors and clearly defined “levels,” implying that CMMC compliance is likely to be evaluated in a mechanical, checkbox manner consistent with most contemporary cybersecurity compliance regimes.

            Despite being built from existing control sets, the underlying structure of CMMC is new, making it difficult to evaluate what compliance will look like. Most strikingly, the core distinction between “practices” and “processes” has the potential for considerable overlap. For example, the Basic Cyber Hygiene level currently has no process requirements whatsoever. However, it includes process language in its practices (i.e., “. . . in an ad hoc manner.”) Higher levels of practices also employ process language, in some cases actually using the word “process” as a practice requirement. (I.e. “The organization has a process . . .”) Moreover, despite using the words “processes,” “policy,” “practices,” and “plan” each as distinct requirements, none of these terms are defined.

            On a positive note, the establishment of clear ‘levels’ could simplify the DoD contracting environment for cybersecurity, as this will reduce uncertainty regarding what is required for CUI compliance, and the certification process should remove redundancies when negotiating multiple contracts with multiple different contracting officers. Additionally, the highest levels (4 and 5) are expected to only apply to a select few large defense contractors, while Level 1 is designed to encompass even entirely small, non-technical organizations. (One third party referred to it as being for “the lawn mowing company.”) This broad scope, coupled with the currently published requirements, suggests that although CMMC will apply to every defense contractor, the requirements will potentially not be too burdensome.

            However, even if the individual CMMC level requirements are reasonable, CMMC could also run into problems from overly aggressive application of “flow down” requirements. “Flow down” essentially requires contractors to include the same requirements in their subcontracts. If CMMC certification is required for *every* subcontractor, this could be prohibitive for large organizations (with a large number of subcontractors) wishing to pursue relatively small DoD contracts, such as research universities. Data-specific compliance regimes limit this problem by only flowing down with the relevant data. Generalized compliance regimes may not have a clear limiting principle in this respect.

            Moreover, there appears to be a conflict with regard to scope. CMMC has consistently pushed toward establishing “enterprise-wide” security certifications, in contrast to the data-specific regimes typically employed by cybersecurity standards (e.g., NIST SP 800-171 applies only to CUI). And yet, it allows the contractor to pick a specific segment of the network where the information to be protected is located. This creates an additional problem for non-IT contractors, since it is unclear which information is in scope.

            The concept of enterprise-wide cybersecurity compliance audits is a daunting one, as organizations typically do not apply security controls universally, the amount of documentation likely required for a larger organization could be prohibitive, and the process of certifying enterprise-wide compliance of even basic security controls is likely to be extremely expensive.

            Finally, since CMMC does not state an intent to apply to grants, CAs, or OTAs, these vehicles may not be impacted, and organizations may wish to prioritize these vehicles when multiple funding vehicles are possible options. Note, however, that some level of CMMC compliance may still be required if the work performed under these other vehicles generates or requires access to CUI.


                  The primary caveat to evaluating the impact of CMMC is that its history of pursuing overly aggressive timelines, frequent changes, the COVID-19 pandemic, and the upcoming election make the likelihood of it rolling out as planned questionable. Standing up a cybersecurity requirements and assessment program for the entire DIB is a gigantic task, and the proposed system has a number of flaws that has led to a significant amount of public criticism. Most notably, there has been pushback from industry trade groups,[21] Educause,[22] and former DoD Under Secretary of Defense for Acquisition, Technology and Logistics Frank Kendall,[23] all questioning the wisdom of CMMC and calling for either significant changes or its outright abandonment.

                  3. Sources 


                    [1] Defense Industrial Base is defined as “the Department of Defense, government, and private sector worldwide industrial complex with capabilities to perform research and development and design, produce, and maintain military weapon systems, subsystems, components, or parts to meet military requirements.”


                    [3] Other control sets and frameworks currently referenced include the CIS Critical Security Controls, DIB SCC TF WG Top 10, and the CERT Resilience Management Model.


                    [5] Note, despite the name, CMMC does not operate as a typical maturity model.

                    [6] Contractors without a current CMMC certification will be allowed to submit proposals but must complete certification prior to funding.

                    [7] “For a given CMMC level, the associated controls and processes . . . will reduce risk against a specific set of cyber threats.” Currently this “threat protection” appears to be manifested only by a statement for each level specifying “resistance against data exfiltration” and “resilience against malicious actions.”


                    [9] DFARS 252.204-7012 will continue to apply to CUI until it is superseded by CMMC.





                    [14] According to the CMMC v1.02 document, “...A DIB contractor can achieve a specific CMMC level for its entire enterprise network or for particular segment(s) or enclave(s), depending on where the information to be protected is handled and stored.”

                    [15] FAQ #12,

                    [16] FAQ #4,

                    [17] The CMMC AB issued an RFP on April 22, 2020 for vendors to provide “continuous monitoring” in the form of “non-intrusive” review of the company’s internet traffic, a secure portal for displaying monitoring data, and security of AB/DOD intellectual property.

                    [18] This date is unlikely to be met since COVID-19 has delayed public hearing for the DFARS rule change

                    [19] However, the FAQ does state that the cost of certification will be reimbursable. FAQ#19

                    [20] The term “checkbox mentality” or “checkbox security” refers to a common problem in security where organizations are more concerned with their compliance with legal requirements than the actual security of their mission.



                    [23] “Cybersecurity Maturity Model Certification: An Idea Whose Time Has Not Come and Never May” by Frank Kendall, former Undersecretary of Defense for Acquisition Technology