DOD Updated its New Contractor Cybersecurity Certification Program
WHAT: The U.S. Department of Defense (DOD) advanced its new contractor cybersecurity certification program by releasing version 0.7 of the Cybersecurity Maturity Model Certification (CMMC) model, and the group forming the CMMC Accreditation Body reported on its progress.
WHEN: December 13 and 18, 2019.
WHAT DOES IT MEAN FOR INDUSTRY: DOD continues to progress in developing the CMMC regime, which will present a significant shift in the cybersecurity compliance obligations of government contractors.
On December 13, 2019, DOD released version 0.7 of the CMMC. The primary purpose of this interim release was to detail the security practices required to achieve the two highest levels of CMMC, Levels 4 and 5. As expected, a number of these practices are derived from draft NIST SP 800-171B, though many are based on other information security standards or are unique to CMMC.
As contractors who have implemented NIST SP 800-171 know, many of the controls are ambiguous and open-ended, leaving uncertainty as to whether a specific security practice satisfies a control. CMMC v0.7 takes steps to address this for Levels 1-3 by including appendices that provide additional guidance in the form of “Clarifications” and “Examples.”
Presumably, more detailed clarifications and examples for Levels 4 and 5 will be forthcoming in later versions of CMMC.
Still, significant questions remain about CMMC. For example, the CMMC proposals have not addressed uncertainty in the definition of Covered Defense Information or how contractors should define information system boundaries, two key questions that can radically alter the steps a contractor must take to meet NIST SP 800-171. Additionally, NIST stated that it intended NIST SP 800-171B to apply to only a very small portion of contractors, perhaps 0.5%. Does DOD intend the same for CMMC Levels 4 and 5? Finally, DOD has not provided further information on how it intends to implement these requirements from a contractual perspective.
DOD next intends to issue CMMC version 1.0 at the end of January 2020. Version 1.0 is expected to include tailored maturity processes for each domain, and may represent a ‘complete’ picture of CMMC.
More recently, on December 18, 2019, the working group leads for the developing CMMC Accreditation Body announced that they had held a meeting to discuss recommendations for the structure, mission, membership, and constituency of the Accreditation Body. The working group leads also clarified that the Accreditation Body expects to be ready to sign a Memorandum of Understanding (MOU) with DOD in January 2020. DOD had previously stated that it expected to sign the MOU by the end of 2019, so this reflects a modest slip in the projected schedule. Since the Accreditation Body is charged with training and accrediting CMMC Third Party Assessment Organizations (C3PAOs), the entities actually tasked with assessing and certifying contractors, execution of the MOU is a critical step toward making the CMMC initiative a reality. Whether DOD and the as-yet-unformed Accreditation Body can rise to the challenge of establishing a working framework for the C3PAOs is unclear, but the contracting community will be monitoring it closely in the coming months.