Right now, almost all contracts with the Department of Defense include DFARS clause 252.204-7012, which requires companies to implement cybersecurity in accordance with NIST SP 800-171. NIST SP 800-171 specifies 110 cybersecurity practices, which are very stringent compared to what most private sector companies perform. The office in charge of contract language, Department of Defense Acquisitions, has been working to replace the NIST SP 800-171 requirement with the tiered model of the Cybersecurity Maturity Model Certification (CMMC). Under CMMC, the DoD projects that most defense companies will need only “Basic Cyber Hygiene,” while companies handling very sensitive data will need stronger cybersecurity that is equal to or exceeds NIST SP 800-171. Additionally, CMMC adds a third-party auditor requirement rather than relying on self-attestation.
However, even CMMC Level 1, the so-called “Basic Cyber Hygiene” tier specified in 48 CFR 52.204-21, mandates a more formal information security program than many small-and-medium-sized businesses (SMBs) have in place today. PBMares is continually seeing the challenges that organizations, from medium-sized contracting firms to even very small mom-and-pop type shops that do business with the Defense Industrial Base (DIB), are experiencing as they take on the challenge of meeting the requirements of CMMC in order to continue doing business with the DoD.
At the end of the day, if you are a prime contractor, or a subcontractor that does any type of business with prime contractors, you will be required to be at least CMMC Level 1 certified. Some organizations don’t believe they fall under this compliance requirement, but everyone from a janitorial service company that comes onsite to a caterer bringing food onsite is subject to CMMC compliance. The Department of Defense’s (DoD) attitude is that if a catering company is delivering food to a DoD location with its company name and URL on the side of the truck, that company is low-hanging fruit to a hacker. In this example, the catering company would be easier to hack than, let’s say, Boeing or Northrop Grumman. So, we are starting to see the DoD really push the primes. The primes, in turn, are telling their subcontractors: if we exchange money with you for any type of goods or services, whether you handle CUI or not, you have to have at least the bare minimum of CMMC Level 1 in place. The problem is that even organizations with unlimited resources to put toward CMMC are still struggling to meet NIST SP 800-171 requirements, and this has a ripple effect on SMBs from a resource perspective.
Read on below as we share some fresh ideas on how small government suppliers can meet the looming CMMC Level 1 compliance challenge.
What is CMMC Level 1?
CMMC is a unified standard that aims to strengthen cybersecurity across the Defense Industrial Base, including non-DoD entities that store or process Controlled Unclassified Information (CUI). While the model has five levels of maturity, all Department of Defense contractors, sub and prime, are required to be, at a minimum, CMMC Level 1 compliant. Level 1 provides the foundational requirements for reaching higher levels of CMMC compliance by mandating basic security practices, including:
Challenges of CMMC Level 1 Implementation
Although CMMC Level 1 is the most basic of the 5 levels outlined in the maturity model, the implementation does come with a set of unique challenges.
- Maturity – We are seeing organizations struggle to implement all controls required for CMMC Level 1 because of the maturity level of their information technology security posture. Because CMMC is a pass-or-fail certification, an organization must have every control required by CMMC Level 1 in place and performing properly to earn a CMMC Level 1 certification. While many of the organizations PBMares has worked with for their CMMC Level 1 assessment do have some basic information security controls in place, those controls often do not meet the more stringent requirements outlined by CMMC. For example, an organization may use degaussing to erase hard drives that contained CUI data, rather than a more acceptable and secure form of hard drive destruction such as shredding.
- Documentation – Unlike other levels of CMMC compliance, Level 1 does not have specific requirements for the types of documentation to be retained as a means of validating the controls in place. This may present difficulties for organizations seeking to implement only Level 1, since they may not have developed processes to help external reviewers confirm that controls are implemented. With respect to protection against malicious code (SI 1.211 and SI 1.212), most organizations have some form of anti-malware software deployed in their environment; however, they may not be familiar with generating reports demonstrating that the software is installed on the necessary parts of their environment and that it is updated frequently. Both of these capabilities will be required for the independent assessor to confirm the implementation of these controls.
- New Process – With the introduction of CMMC, many DoD contractors are moving to a different framework. In the past, many DoD contractors used a self-assessment tool to test and diagnose their cybersecurity posture under DFARS, whereas CMMC now requires organizations to engage a third-party auditor to get certified. Under self-assessment, one company may diagnose its cybersecurity posture differently than a similar company would; CMMC instead introduces a standardized certification that must be completed by cybersecurity professionals who have received specialized training.
- Delays – CMMC has gone through multiple delays, mostly attributed to COVID-19. The CMMC interim rule outlined a five-year phased rollout that was to start in 2020. Training for CMMC Certified Assessors, the individuals who conduct CMMC assessments, was originally scheduled for 2020 but is now scheduled to start in mid-summer 2021, according to the CMMC Accreditation Body. While these delays introduce some uncertainty around specific timing, it is recommended that contractors begin implementing the necessary controls 12-18 months prior to the assessment in order to achieve certification.
- Scarce Information – A significant number of DoD contractors are struggling to obtain the most recent information about CMMC, leaving them unsure of everything that CMMC encompasses.
What is the Process for Gaining a CMMC Level 1 Certification?
As stated above, CMMC is a pass-or-fail certification: an organization must meet all requirements outlined at a specified level to become certified at that level, and an organization that falls short on any requirement does not receive certification. To help you assess whether your organization meets the needed requirements and is ready to be CMMC Level 1 certified, PBMares can perform a CMMC Level 1 Readiness Assessment. PBMares will compare your current environment to the requirements of CMMC Level 1, outline any gaps, and work with you to put together a remediation roadmap so that your organization meets all needed requirements before seeking certification. It is never too early to perform a readiness assessment in preparation for CMMC Level 1 certification.
PBMares can be your organization’s resource for all information pertaining to CMMC.
PBMares is a C3PAO candidate company.