Beyond DFARS Compliance
08.28.20 | Industry Insights
The Requirement …
By September 1, aerospace industry companies must be Defense Federal Acquisition Regulation Supplement (DFARS) compliant to meet the required security level contained in a Department of Defense (DoD) solicitation. In June 2019, the DoD announced the Cybersecurity Maturity Model Certification (CMMC), which was implemented to protect the government’s sensitive, unclassified information against data exfiltration.
The Purpose of CMMC
CMMC establishes a unified cybersecurity framework to protect government information in the possession of defense contractors against cyber threats. The program reflects DoD’s focus on protecting Controlled Unclassified Information (CUI) in DoD’s supply chain from malevolent cyber activity as a matter of national and economic security.
CMMC is being introduced into new DoD contracts through 2026. Ultimately, every defense contractor (except for commercial off-the-shelf suppliers) will need to obtain a certification from a neutral third party known as a Third-Party Assessment Organization, or C3PAO.
To become CMMC certified, a defense contractor must have capabilities, processes, and practices required under DoD’s CMMC model, which establishes five levels of controls ranging from Level 1 (Basic Hygiene) to Level 5 (Advanced/Progressive). The CMMC model framework organizes processes and cybersecurity best practices into a set of 17 competency “domains.” Contractors will be required to be certified at the time they are awarded a DoD contract.
The CMMC Accreditation Body (CMMC-AB) is a newly created non-governmental entity managing various aspects of CMMC. Its website sheds light on the requirements for companies to become CMMC certified. According to a timeline on the website, the certification process could take “6 months (or more)” and involves several steps:
- Contractors seeking certification under CMMC must first identify what CMMC Maturity Level they need to obtain among the five CMMC levels. Companies possessing Controlled Unclassified Information will have to be certified at least at Level 3.
- The DoD has begun implementing CMMC by training and certifying third-party inspectors, who will be responsible for reviewing defense contractors’ cybersecurity practices for compliance with the applicable controls. Contractors will need to schedule a CMMC assessment by identifying CMMC “third-party assessment organizations,” or C3PAOs, using the CMMC-AB’s “marketplace” portal. The extent to which contractors will be able to essentially shop for a C3PAO (and what criteria may be used to do so) remains unclear. According to the CMMC-AB’s website, it plans to publish a list of available assessors after the training is complete and assessors have been certified.
- According to the CMMC-AB, C3PAOs are authorized to enter into contracts with companies seeking certification.
- C3PAOs will schedule an assessment of the contractor to be carried out by a Certified Assessor.
- Once the third-party assessor has performed an assessment of the company’s systems against the CMMC model, the CMMC-AB’s Quality Auditors will review the assessment. They will have up to 90 days to resolve any findings with the C3PAO.
- If the contractor’s system is deemed to satisfy the requirements in the CMMC model for the appropriate CMMC Level, a CMMC Maturity Level certification will be issued, thus enabling the contractor to bid on and obtain DoD contracts subject to that CMMC level.
- The CMMC certificate obtained by the contractor will be valid for three years.
Companies that have determined they meet the DFARS requirements will now need to be aware of how the DoD will verify that compliance. On June 22, 2020, the CMMC-AB published new details on its website outlining how entities can become certified to perform third-party assessments under CMMC. According to the website, certified training will begin in Winter 2020/2021, and commercial assessments under CMMC will be available starting in Winter/Spring 2021.
What to Expect
CMMC’s creation of a third-party verification regime raises new compliance issues and costs for contractors. Companies should begin preparing for the new accreditation system by ensuring compliance with the appropriate NIST SP 800-171 Rev 1 requirements, depending on the level of Controlled Unclassified Information (CUI) they expect to handle:
- Determine if your company receives federal funds from the Department of Defense either directly as a prime contractor or indirectly via subcontracts, purchase orders, or other contractual agreements. If so, you should be prepared to obtain at least a Level 1 or 2 certification.
- Determine whether your company currently or in the future expects to electronically process, store, or transmit Controlled Unclassified Information in the performance of its defense contracts. If so, you should be prepared to obtain at least a Level 3 certification.
- If you are a subcontractor, consider reaching out to your major higher-tier contractor customers to understand how they are preparing to implement CMMC across their supply base.
- Review your company’s current NIST SP 800-171 Rev 1 compliance level against your expected certification level requirements. If you currently have a Plan of Action and Milestones (POAM) in place or identify additional concerns, dedicate appropriate resources to ensure that progress is being made to close any gaps as quickly as possible.
Berdon LLP New York Accountants