Last Updated on June 29, 2021
The Cybersecurity Maturity Model Certification (CMMC) standard from the US Department of Defense (DoD) will impact hundreds of thousands of organizations over the next few years—not just within the defense industrial base (DIB), but across a big slice of the US government supply chain, including the IT and Human Resources sectors.
CMMC defines five levels of cyber maturity, and different businesses will need to achieve certification against different maturity levels. CMMC Level 1, referred to as “Basic Cyber Hygiene,” describes the minimum set of information security controls (17 in all) required to protect Federal Contract Information (FCI).
Since every company that has a federal contract by definition has FCI, CMMC Level 1 or above will apply to nearly every company doing business with the government. By all accounts, more than 50% of those hundreds of thousands of companies will be held to CMMC Level 1, versus one of the higher CMMC levels.
Is your company in that camp?
On a recent special edition of The Virtual CISO Podcast, Pivot Point Security’s CISO and Managing Partner, John Verry, explains how to know if you should be concerned about CMMC Level 1 certification. Here are the three top ways:
One: It’s in your contract
“How will you know if CMMC Level 1 applies to you?” asks John. “First off, someone will probably tell you, ‘Hey, in order to continue doing business with us, you need to be CMMC Level 1 certified.’ That will be obligated by language in a contract.”
Is there a good way to predict whether a CMMC Level 1 certification requirement is likely forthcoming in a new contract or contract modification?
“Check whether you have the FAR clause 52.204-21, Basic Safeguarding of Covered Contractor Information Systems, in any of your existing contracts,” recommends John.
This FAR clause 52.204-21 contract language, and the InfoSec requirements it specifies, are the forerunner and the template for CMMC Level 1. The big difference is that a third-party auditor will certify your CMMC Level 1 compliance—it won’t be just a self-attestation.
Two: Your prime contractor “flows down” the requirement
“If you have a contract through a DoD agency or through a DoD prime contractor like Boeing, Huntington Ingalls or Raytheon, minimally you’ll need to hit a CMMC Level 1,” John states.
The reason is the dreaded (and misunderstood) concept of “flowdown.”
“We expect there to be extensive flowdown within the CMMC program,” John notes. “I haven’t seen clarification on the Level 1 flowdown specifically yet. But if we look at the CMMC Level 3 flowdown … there is a clear requirement that if you are subject to [CMMC Level 3] that you have an obligation to ensure that the people you subcontract to are conforming with the same level of controls.”
Prior to CMMC, the DoD’s flowdown requirements were somewhat vague. The longstanding DFARS 7012 clause has mandated (in its famous “Clause M”) that impacted companies needed to ensure that their vendors were also compliant. But few followed through and even fewer were held to account.
But with the new DFARS 7021 clause coming into effect in new and modified contracts, there’s an unambiguous flowdown requirement.
“So should companies that are providing services to subcontractors of subcontractors of subcontractors be thinking about Level 1 as well?” posits John. “If they know their business relies on companies upstream from them getting DoD work…”
The writing is basically on the wall. Pretty soon you won’t get far in the DoD supply chain without at least CMMC Level 1.
Three: You’re a supplier to another US government agency that starts using CMMC
All along with CMMC there have been predictions that other major government agencies would eventually adopt it. But “eventually” is turning out to be closer to “immediately.”
As John points out, “We had an expectation that we would see CMMC grow beyond the DIB. We thought it would happen perhaps in late 2021 or probably 2022 or 2023. But it’s happening at lightning speed.”
For example, the General Services Administration (GSA) has already included CMMC compliance requirements in its $50 billion STARS III and Polaris government-wide acquisition contracts (GWACS) targeting SMB IT service providers. The Department of Homeland Security is another agency that is already mandating CMMC in upcoming contracts.
“This is going to be applicable much more broadly… to a lot of people who might be listening,” underscores John.
Need a playbook to get your business to CMMC Level 1 certification?
Start by tuning into our special episode of The Virtual CISO Podcast on CMMC Level 1, available here. If you don’t use Apple Podcasts, you’ll find all our information security podcasts, including a number about CMMC, here.
For more information:
- A discussion on CMMC with Katie Arrington, the DoD’s point person for CMMC
- A chat about the finer points of CMMC compliance with Corbin Evans from the National Defense Industrial Association
- A talk on CMMC Assessments and the CMMC rollout with Ben Tchoubineh, CMMC-AB board member
- Wherever You Do Business, CMMC is Coming
- This is Why DoD Suppliers Need to Move Soon to CMMC Readiness