If you’re in the Department of Defense supply chain, you’ve become familiar with DFARS and the corresponding NIST SP 800-171 r1 over the last few years. It is a list of 110 security requirements that you need to be compliant with in order to continue supplying certain contracts.
Coming in 2020 is an improved standard called CMMC (Cybersecurity Maturity Model Certification) that builds upon the NIST 800-171 controls. The goal is to create a unified cybersecurity standard, so a contractor won’t have one standard for the Army and another for the Navy, and to allow more granularity in implementation. If you’ve been taking DFARS seriously and ensuring that you’re implementing those controls, these new standards shouldn’t be much of a shock.
The latest draft version was just released on Dec 7th. We’ve read through it (as well as the previous two draft versions), and there are some significant differences between this and DFARS:
- Maturity Levels
- There are 5 maturity levels, starting at Level 1 and progressing up to Level 5. Level 1 would require you to demonstrate basic cyber hygiene, whereas Level 5 would require you to demonstrate a proven ability to optimize capabilities in an effort to repel advanced persistent threats. Your business might not be required to be at a “Level 4”, because the data you’re handling might not be as sensitive as the data other companies are handling. The higher levels require a level of detail and fidelity in processes and documentation that is not required at a lower level.
- Certification
- There will be a certification component with CMMC. With DFARS, you could self-attest that you’re fulfilling the requirements, which created a patchwork of competitors with an unknown level of security. In 2020, there will be approved auditors who will go through your security controls, practices, documentation and processes to determine your CMMC level, which in turn determines which RFPs you can bid on.
- Additional Controls
- There will be additional controls beyond the standard NIST 800-171r1 (DFARS) questions that you might be familiar with. This is usually what clients want to know. As of the current draft version, in order to be “Level 3 Compliant”, you’ll have to do all of the NIST 800-171 controls PLUS 21 other controls, and this isn’t final, as version 1 is expected to come out around the end of January 2020. The controls make a lot of sense and these are much needed changes. If you noticed in the DFARS version, there is nothing around backups and recovery. That’s a pretty important topic to get your arms around, and it is being addressed in CMMC.
So, what does this mean for your business? The best place to start is adhering to the controls in DFARS. If you’re already doing those things, you’re well on your way. We’re watching the standards very closely, and we’ll make sure that we’re in line to be an approved 3rd party assessor as we move through 2020, so we can help serve businesses.
The published timeline is as follows:
November 7, 2019 – Draft 0.6 Released
December 7, 2019 – Draft 0.7 Released (L4 and L5 Content)
January 2020 – Version 1.0 Released
January – March 2020 – Auditor Training and Certification Begins
June 2020 – CMMC Included in RFIs
Fall 2020 – CMMC Included in RFPs
It’s worth reiterating that the underlying concept here is that the government wants to make security foundational and not a bolt-on to normal processes. What nobody wants to do is hurt our supply chain. The government knows this is a cultural shift; as a country we’ve done it before with ISO, and banks have had similar regulation for years. The goal is resiliency. They don’t want to “ding” you. They’re just trying to get you to protect yourself and DoD’s work.
Check out the official CMMC website to view the FAQs and for additional information.
We'll continue to provide updates as we learn more about what the future holds for CMMC standards. If you have any questions in the meantime, please feel free to reach out today!