For DoD contractors who haven't started or are just starting CMMC preparations, here is a thorough update on the current status of CMMC implementation. We attended an AFCEA webinar featuring the professionals best equipped to deliver it: Katie Arrington, CISO for the Office of the Under Secretary of Defense for Acquisition & Sustainment, and Col. Karlton Johnson, USAF (Ret.), chair of the CMMC Accreditation Body (CMMC-AB) board of directors.
It was an active lunch and learn session with lots of audience questions. Here we break some of them down so you can put your best foot forward and be aware of the state of CMMC today. In describing the status of CMMC, the webinar focused on the impact of CMMC on small businesses, where defense contractors should be on their CMMC journey, and the CMMC-AB and its role in creating the CMMC certification regime over the next few years.
One of the first topics discussed was whether CMMC was still a priority due to the COVID-19 pandemic and the new Biden/Harris administration's inauguration. Although timelines have been adjusted somewhat, make no mistake: CMMC is happening and preparations take a lot longer than most defense suppliers expect.
Fortunately, due to the uncertainties in today's environment, defense contractors have more room to become CMMC compliant. Katie Arrington said the Department of Defense is determining ways to integrate the Cybersecurity Maturity Model Certification requirements into Department of Homeland Security (DHS) contracts.
"There will be a cyber requirement in every Department of Defense contract," Arrington said. "This is rolling out to other federal agencies, the next one is DHS, and we're going to…work through DHS to start implementing the CMMC on their contracts."
Ms. Arrington's office, the Office of the Under Secretary of Defense for Acquisition & Sustainment, has a close relationship with the CMMC-AB, which currently has over 130 trained assessors but aims to add enough assessors for both prime contractors and subcontractors by the time DoD starts rolling out RFPs in mid-March.
Col. Johnson, the CMMC-AB Chair, explained that the board has positions for a CEO and additional staff to help run the organization full time so the board of directors can get back to the business of governing and providing oversight while the day-to-day operational staff executes the mission.
Arrington confirmed the new administration will evaluate which of the initial contracts will be selected for assessments. Companies should begin securing certification from the CMMC-AB, which now has nearly 130 independent auditors trained and certified. Arrington indicated that by early summer you should have a readily available practitioner certified in your geographical area, and said that if DoD contractors "wanted to go out and get a certification you could, you do not need to wait."
Ms. Arrington gave a general overview of the state of the CMMC, starting with the pilots. Recent CMMC DoD updates outlined that the first pilot contract RFPs would include the CMMC requirements in Q1 FY21, and here we are.
She said the DoD should be done responding to public comments sometime in February. After the Air Force releases its first RFP in mid-March, RFPs should be released every two weeks thereafter, Arrington said in a Jan. 26 CompTIA interview.
The DoD completed the Pathfinder portion of the CMMC rollout in 2020 and is currently still working with its first ten pilot programs and getting prepared to add five more this fiscal year. The pilots range from an approximately $650 million contract down to a $2 million contract.
"We're doing everything in between so we can vet out the challenges... and taking those RFPs that the services have we are laying them down against the new DOD 5000.90, which is the cybersecurity and new CUI rules policy," Arrington said, referring to how the flow down in RFPs would look and how many aspects of a job will need a Level 3 vs. a Level 1.
It's essential to know that every contractor seeking to do business with the DoD will be required to have reached at least CMMC Level 1 by FY2026. The bulk of government contractors and subcontractors will need only a Level 1 CMMC accreditation this year, with DoD wanting 899 contractors Level 1-certified, 149 Level 2-certified, and 452 Level 3-certified.
The panel emphasized the crawl, walk, run stages of your CMMC journey; you can expect the CMMC-AB website to publish more definitive guidance and operating procedures.
Arrington stressed that the effort is about "getting critical thinking about cybersecurity out to the masses." During the interview, Arrington explained, "We have the crawl, walk, run with the three new default rules … but this is the start of something much bigger. And we're all in it together."
And that's one thing that rang true throughout the AFCEA Lunch and Learn web conference. Ms. Arrington and Col. Johnson agreed that the CMMC-AB wants to foster an environment of mutual desire to keep the government's data infrastructure as secure as possible, not one where the AB is looking to find issues just to disqualify you.
Col. Johnson explained the 'crawl, walk, run' scenario this way: "At the end of the day, you've got to break up the criteria, understand it, and then test yourself against it." Once you've done the self-check, you can start getting postured for when C3PAOs become available and participate in the implementation of CMMC within the ecosystem.
By Fiscal Year 2022, DoD expects to have rolled out 75 contracts – requiring 7,500 unique accredited prime and sub-contractors – and 250 in Fiscal Year 2023 – needing 25,000 accredited contractors. Let's not forget, all CMMC accreditations need to be renewed every three years.
DoD plans on rolling out 15 prime contracts including the CMMC requirement this year, scaling up gradually and topping out at 479 contracts in each of Fiscal Years 2024 and 2025. Those plans assume up to around 100 unique sub-contractors on each prime contract, meaning the plan is to have 1,500 CMMC accredited contractors by the end of Fiscal Year 2021, which ends Sept. 30.
Ms. Arrington advised that DOD contractors need to understand the risk-reduction strategies associated with CMMC to avoid putting your company, your employees, and your IT at risk. She expanded on that to drive home how "our adversaries are working through a supply chain, they are very deliberate about it." That means we need to be deliberate about it too.
If you're a small business seeking government contracts within the next 12 months, you should allow three to six months to prepare, less if you already have a robust cybersecurity program in place. If you're a larger contractor, of course, you should start sooner.
If you are a DoD contractor and the CMMC-AB arrived onsite at your premises today, according to Johnson, the board members would want to know that you had a good understanding of CMMC in broad terms. In not-so-broad terms, they'd ask what CMMC level of certification you expect to be measured against and what you've done so far to prepare for certification. In response, they would expect to hear that you've examined and adhered to NIST 800-171 and know where you fall within its guidelines. Finally, they'd want to know if you've done a cross-check per the DFARS rule and whether your self-assessment based on CMMC guidelines is in progress or, ideally, completed.
Not there yet? We can help. Contact us to discuss your CMMC journey.