
REQUIREMENTS AND IMPACTS ON DoD SUPPLIERS & VENDORS

The US Department of Defense (DoD) is taking steps to limit the threat of supply chain exposure to cyber-crime with a new certification program for its vendors and suppliers.

The Cybersecurity Maturity Model Certification (CMMC), to be introduced this year, will measure the maturity level of all Defense Industrial Base (DIB) / DoD suppliers’ cybersecurity programs. The CMMC has five levels of maturity that align with DoD contract requirements, and suppliers wishing to participate in the DoD contracting process must achieve maturity levels that align with those individual contract requirements.  

The CMMC will be rolled out into contracts in phases from fiscal year 2021 through fiscal year 2025, and the final CMMC rule definitions are expected in the first quarter of 2021. However, the DoD issued an Interim Rule, effective November 30, 2020, to amend the Defense Federal Acquisition Regulation Supplement (DFARS) to implement the CMMC framework. This interim rule includes new DFARS clause 252.204-7021, which specifies CMMC requirements.

HKA provides an easy way to get started. Our FREE CMMC Online Assessment Questionnaire provides a helpful baseline of information on your CMMC obligations, and helps you chart a course that best meets your needs.

The interim rule also enables the DoD to verify the protection of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) within the unclassified networks of DIB companies using the National Institute of Standards and Technology (NIST) SP 800-171 framework and its DoD assessment methodology.

The interim rule became effective on 30 November 2020.

BACKGROUND

Cyber-crime is one of the fastest growing criminal activities globally, and government agencies are prime targets.

The modern-day battlefield has moved to cyberspace, and nation-state attackers are trying to gather intelligence on their adversaries by any means possible. Emerging technologies and the expanding universe of the “Internet-of-Things” have increased the threat of exposure for both government agencies and their suppliers.

The cyber-theft of intellectual property and sensitive information, along with the compromise of systems in every US industrial sector, threatens our national defence and economic security. According to a 2018 report from the US Council of Economic Advisers, malicious cyber activity cost the US economy between USD$57 billion and USD$109 billion in 2016, and these figures have likely increased since then. Extrapolated over a ten-year period, these figures equate to USD$570 billion to USD$1.09 trillion in damages.

CMMC FAQs

How does an organisation get certified?

The DoD has committed to working with a volunteer, third-party accreditation body—the CMMC-AB. The CMMC-AB is authorised by the DoD to be the sole authoritative source for the operationalisation of CMMC Assessments and Certifications.

Who will perform the CMMC assessments?

The CMMC-AB will train and accredit organisations to become CMMC Third Party Assessor Organisations (C3PAOs), which will be authorised to assess DoD suppliers’ cybersecurity programs and certify that they have achieved a designated level of maturity. Additionally, the CMMC-AB has established a “CMMC Marketplace” on its website. Firms can register there to become a CMMC-AB Registered Provider Organisation (RPO) and will be listed in the marketplace. Individuals also can receive training to become CMMC-AB Registered Practitioners (RPs).

What happens with my assessment results?

The DoD will have access to all CMMC certificates of DIB companies, which will be posted in both the CMMC Enterprise Mission Assurance Support Services (eMASS) database and the Supplier Performance Risk System (SPRS) database. Specific results of the CMMC assessment and the specific level of certification will not be made public; only the fact that the DIB company has achieved certification will be made public.

Is there a cost to obtain a CMMC?

There are many factors that determine total certification cost. The biggest factor is the current state and maturity level of an organisation’s cybersecurity program, compared to the CMMC level that needs to be achieved. Organisations will fare best if they have mature and robust cybersecurity programs that are well documented and subject to formalised policies and procedures, and have internal processes to validate their control compliance.
Organisations with large gaps between their current maturity levels and those required by the CMMC will need to apply more resources to close those gaps, including controls to maintain compliance as well as regular testing to assess the effectiveness of those controls.
There also is a cost for the CMMC-AB C3PAO services. The cost for these services will be considered allowable and may be included in the contract bid price. In some cases, the costs to implement CMMC requirements also may be included in the contract bid price, an exception that will be determined by the DoD and on a contract-by-contract basis.

How will a DIB contractor know what level of CMMC certification is required for a specific contract?

The DoD will specify the required CMMC level certification in Requests for Information (RFIs) and Requests for Proposals (RFPs).

How can HKA help?

HKA is a CMMC-AB Registered Provider Organisation. Our CMMC-AB Registered Practitioners have significant experience assisting DIB contractors and subcontractors with cybersecurity and data privacy regulatory requirements and are well-versed in the CMMC requirements. HKA has helped many firms assess their current cybersecurity programs against CMMC requirements, identify gaps and areas for improvement, and develop and implement proven strategies for compliance. HKA also provides CMMC training for Executive and Senior Leaders; Cybersecurity and IT Professionals; Compliance, Risk, and Internal Audit Teams; and Contract Administration Teams.

HKA CMMC Training Courses

Introduction to the DOD Cybersecurity Maturity Model Certification (CMMC)

Course Summary

An overview of the CMMC model and its foundations in FAR/DFARS requirements and NIST SP 800-171 specifications. The session will explore what organisations will need to have in place to achieve various levels of certification, along with best practices for getting started.

Developing a CMMC Plan & Strategy for Your Organisation

Course Summary

An interactive session to help organisations develop an approach and working-level plan to get certified under CMMC. The session will focus on ways to prioritise and organise efforts tailored to your specific organisation. Course materials will include planning templates to help organisations understand their specific scope of efforts and how to balance costs, timelines, and levels of effort.

Understanding CMMC Maturity Levels

Course Summary

Exploration of the regulatory and specification basis of each CMMC Maturity Level, its cybersecurity objectives, and how these will affect how an organisation operates on a range of levels.

CMMC Domains & Capabilities

Course Summary

Review of how the Model organises cybersecurity Practices into Domains and Capabilities, how those Practices and Processes apply across Maturity Levels, and approaches to best plan efforts for a specific organisation’s operations.

CMMC Practices

Course Summary

Dive into the details of the different CMMC Practices and look at technical options, examples, and considerations for implementation and operations. Review model examples and reference details to better understand Model expectations.

CMMC Processes

Course Summary

Exploration of the CMMC Process models and their applications across Domains and Maturity Levels. Gain an understanding of the CERT Resilience Management Model (CERT-RMM) process improvement approach that is the basis for the CMMC Processes.

CMMC Certification Preparation

Course Summary

Ensure your team is ready for a certification review with this walk through of preparation steps and activities that can help set your entire team up for success. Explore best practices around organisation of materials and conducting exercises with key personnel, as well as common mistakes to look out for.

Other Government Contracts

  • Compliance Review and Audit Services
  • Government Contracts Practice Services
  • Government Contractor Support