Defense Speak Interpreted: Be Prepared for CMMC

If you are a current or future Defense Department contractor or subcontractor, you need to be prepared for the next cybersecurity requirements coming online during 2020. This is the Cybersecurity Maturity Model Certification, or CMMC, in Defense speak. There will be five levels of cybersecurity requirements for various amounts of Controlled Unclassified Information (CUI) you handle, with increasing requirements from one (least) to five (most).

All of this is to protect CUI. The definition of this somewhat vague concept is, “CUI is information the government creates or possesses—or that an entity creates or possesses for or on behalf of the government—that a law, regulation, or government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.” While various Federal Government departments handle CUI, the CMMC regulations are being applied to the Defense Department—the first federal function to implement this procedure.

Many of you may be compliant (or working toward compliance) to NIST SP 800-171. This cybersecurity concern dates to an executive order in 2010, and NIST SP 800-171 was created to comply with DFARS clause 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting” [1]. The Executive Agent for CUI is the National Archives and Records Administration (and you thought they only kept a copy of the Constitution!).

NIST SP 800-171 was principally rolled out in 2017, with updates added up to December of 2019. Businesses could self-assess their cybersecurity by using the NIST SP 800-171 Handbook or get help from an outside certification entity. My take on NIST 800-171 is that “I have thought about my cybersecurity, audited myself, and have this plan to implement improvements.”

This somewhat voluntary effort to comply with cybersecurity requirements has not been a total success, hence the implementation of CMMC. According to one source [2], the Council of Economic Advisers, an agency within the Executive Office of the President, estimated that malicious cyber activity cost the U.S. economy between $57 billion and $109 billion in 2016. Globally, there is also an estimate that 1% of the World Gross Domestic Product is lost to cybercrime each year [3].

CMMC compliance will be a Federal Acquisition Requirement (FAR) in certain Defense requests for information (RFI) starting in June 2020, and in Defense contracts (RFPs) awarded after that information review (some months later). The CMMC structure consists of five levels of compliance, each more advanced than, and building on, the requirements of the previous level (Figure 1).

Figure 1: CMMC practices per level [4].

As you can see, the levels are:

  1. Basic
  2. Intermediate
  3. Good
  4. Proactive
  5. Advanced/progressive

How does a company know what CMMC level is required in future contracts? That is established by the language in sections L and M of the Request for Proposal (RFP) for the contract. Section L is “Instructions, Conditions, and Notices to Offerors” [5], and Section M is “Evaluation Factors for Award” [6].

It is anticipated that major Defense prime contractors will have to be certified to at least Level 4, if not Level 5. However, subcontractors may only be required to certify to a lower level, such as Level 3 for PCBs and assemblies. It is understood that any company contracting with Defense will have at least a Level 1 certification. One key point is that the certification is only required at the time of award, but that date is usually set in the RFP. CMMC requirements started showing up in 2020, meaning the certification level must be achieved some months later—probably in early 2021.

The DoD expects that by 2026, all contracts will have these cybersecurity requirements. Defense estimates that 1,500 companies will have some level of certification by 2021—an estimate based on 10 “pathfinder” Defense contracts in 2020, each having 150 subcontractors.

So, how do you get certified? First, visit the Office of the Under Secretary of Defense for Acquisition and Sustainment’s website for initial questions [7]. The next step is to acquaint yourself with the CMMC Accreditation Board (CMMC-AB) [8]. This is a not-for-profit organization being set up as a sort of policeman for the CMMC accreditation process. See the section on C3PAOs—certified third-party assessment organizations (not a droid from “Star Wars”). An internet search lists something like 200 organizations all over the USA that are prepared to help companies obtain CMMC certification. However, the CMMC-AB is rushing to finish its certification work for the C3PAOs themselves. Talk about an instantly created consulting business!

Overall, get started now. Don’t wait.

References

  1. “Safeguarding Covered Defense Information and Cyber Incident Reporting,” DFARS 252.204-7012, 204.7304(c), December 2019.
  2. “The Cost of Malicious Cyber Activity to the U.S. Economy,” The Council of Economic Advisers, February 2018.
  3. “Economic Impact of Cybercrime: No Slowing Down,” Center for Strategic and International Studies (CSIS) and McAfee, February 2018.
  4. “Cybersecurity Maturity Model Certification (CMMC): CMMC Model v1.0,” January 31, 2020.
  5. “Proposal Development: Section L, Instructions,” AcqNotes, June 29, 2018.
  6. “Proposal Development: Section M, Evaluation Factors for Award,” AcqNotes, June 29, 2018.
  7. “CMMC FAQs,” The Office of the Under Secretary of Defense for Acquisition and Sustainment.
  8. “CMMC Accreditation Board.”

Dennis Fritz was a 20-year direct employee of MacDermid Inc. and has just retired after 12 years as a senior engineer at SAIC supporting the Naval Surface Warfare Center in Crane, Indiana. He was elected to the IPC Hall of Fame in 2012.

03-24-2020

Copyright © 2020 I-Connect007. All rights reserved.