Wednesday, March 4, 2020

Hey Defense Contractors: DoD’s CMMC is Moving Full Steam Ahead With or Without You

WIPP Works in Washington, March 2020
By Elizabeth Sullivan, WIPP's Advocacy Team

If you need a quick refresher on CMMC before reading this, you can find it here and here.

The final model for the Department of Defense’s (DoD) Cybersecurity Maturity Model Certification (CMMC) came out earlier this year. So, what’s next for businesses? 

Let’s talk certification. Now that version 1.0 of CMMC, the final version, has been released, DoD is moving full steam ahead. The “accreditation body” has been formed; it is an independent, non-profit group responsible for developing the training and assessment standards for the certification. The next step in the certification journey for DoD is forming a Memorandum of Understanding (MOU) with the accreditation body, which will outline the roles and responsibilities of each party. Finally, “accreditors” – of which there are none currently – will be responsible for evaluating businesses and assigning them a CMMC certification level. If all of this third-party structure leaves you scratching your head, just know that DoD is outsourcing the accreditation of over 300,000 contractors with plans for substantial oversight.

Substantial questions remain for contractors. One of the biggest is the timing of the certification rollout. The Department has said that it will issue 10 “pathfinder” solicitations that require various CMMC levels, including a few that will require level 4 or 5 certifications. These will be substantial contracts, so if you are a small business tapped to subcontract on one of them, when will you get certified? Will there be some type of queue, where the biggest companies go first? Or will it be ranked by the amount of anticipated work? This remains to be determined.

Let’s talk levels. While the CMMC levels have been refined throughout DoD’s drafting process, it is important to know that there are five levels. Any contractor that wants to do business with DoD, regardless of the type of work it does, will need at least a level one. Level one is the most basic cyber hygiene, and it has some noteworthy differences from NIST 800-171. The Defense Department has said that most small businesses only need a level one. But I wouldn’t take that assessment at face value. It is important for small and midsize companies to determine the appropriate level to prepare for based on the work they do, or plan to do, for DoD. For example, if your company handles any Controlled Unclassified Information (CUI), you will need at least a level three. By the way, these levels will also apply to subcontracts. Which brings me to the next section of this article – unknowns.

Let’s talk unknowns. I was recently on a panel at the Women Leaders in Defense & Aerospace Law & Compliance Conference, where I shared the stage with the other two sides of the CMMC equation – a lawyer and a prime contractor. One of the things that I learned is that concerns span all business sizes; small businesses aren’t the only ones with questions. First and foremost is how DoD will handle CMMC certification levels for subcontracted work. There has been a lot of conflicting information about this component flying around, but the latest and greatest (as of the time this is published) is that the program managers for both DoD and the prime contractor will work together to determine the appropriate CMMC levels for the components of subcontracted work.

Another unknown is how a company can dispute a level assigned by an accreditor. While the accreditation body will have some sort of mechanism to address this, DoD’s involvement in that process is unclear. This is an important question because certification levels will be assigned for a three-year period. Finally – and this is a big one – the total cost for contractors remains to be seen. DoD has not yet provided any specific information on the cost of obtaining the certification. Some good news: one thing that is known (and has been for a while) is that DoD will not seek levels retroactively, meaning that no current contracts will be modified to require a certain certification level. All of this is to say, stay tuned.

The moral of the story is that, as a federal contractor, it is time to pay attention if you aren’t already. WIPP recently offered a webinar on this issue, and we intend to continue to provide the most up-to-date education on this certification roll-out. Although CMMC is only for the DoD supply chain, in the future it could impact civilian agencies as well. So, get ready – it’s moving full steam ahead, with or without you.
