Last Updated on February 24, 2020
On January 31, 2020, version 1 of the Cyber Maturity Model Certification (CMMC) program went live with the intention of improving the overall information security posture of the Defense Department’s supply chain.
Good news for our nation’s cyber security. Not-so-good news for roughly 300,000 companies in the supply chain.
Katie Arrington, Special Assistant to the Assistant Secretary of Defense for Acquisition for Cyber in the Office of the Under Secretary of Acquisition and Sustainment in DoD, made some very interesting comments in the press conference introducing V 1.0:
- “CMMC is not going to happen overnight… Expect CMMC to take five years to fully roll out…”
- “DoD expects third party assessors to certify about 1,500 vendors in 2021, 7,500 more in 2022 and 25,000 more by 2023…”
- “We also are telling you security is an allowable cost now. We are working through the Office of Management and Budget to ensure we have cost realism built into our estimations for our programs and acquisitions moving forward.”
- “I doubt it will take five years because companies want to do this.”
I fielded a number of phone calls from 800-171/CMMC clients this week asking, “With the DoD’s more limited rollout, do we need to get CMMC certified this year?”
After some consideration, I don’t think that’s the right question. I think a better question to ask is “With the DoD’s more limited rollout, should we get CMMC certified this year?”
For many organizations, that answer is yes. For the remaining organizations, the answer is probably—and if you don’t get formally “certified” you should get “provably compliant.”
To be clear, a lot of “tea leaf reading” on my part went into making the above statement. That being said, over the last week I have spoken with a number of colleagues in various roles in the CMMC arena (e.g., government employees, Prime Defense Contractors, solutions providers, subcontractors, audit firms) to get their input. I think that input correlates well with Katie Arrington’s comments, so I am fairly confident (or perhaps overconfident) that my tasseography is on the mark. Only time will tell, and you need to make a decision now… So let me explain my reasoning:
- “CMMC is not going to happen overnight… Expect CMMC to take five years to fully roll out…” Katie recognizes that you can’t turn a super-tanker in a bathtub. CMMC is a very significant program and they did a remarkable job to get it to where it is in the timeframe they did. Getting 300,000 companies through a process takes time.
- “DoD expects third party assessors to certify about 1,500 vendors in 2021, 7,500 more in 2022 and 25,000 more by 2023…” Realistically, with the accreditation body that will certify auditors only having been officially launched on 1/29/20, it isn’t likely the first set of CMMC auditors will be ready to roll before mid-Q3. So that 1,500 number may even be a bit optimistic. I expect it to ramp quickly and for them to be ready to roll in 2021.
- “We also are telling you security is an allowable cost now. We are working through the Office of Management and Budget to ensure we have cost realism built into our estimations for our programs and acquisitions moving forward.” I think the 7,500 number in year 2 may be a hedge, as until the cost of the certification audits is established, it’s impossible to determine what type of allocation would be necessary to fund the program. I also think that it is a reasonable assumption that the “allowable cost” provision will be removed, which would logically accelerate the DoD’s required adoption.
- “I doubt it will take five years because companies want to do this.” Super interesting comment and it fully aligns with my conversations with both Primes and Subs. The Subs are looking at getting CMMC certified as early as possible as they believe that it will be a significant strategic advantage to winning business. One client that has 15+ different Controlled Unclassified Information (CUI) environments told me she “wants to get them all CMMC certified as soon as humanly possible.” On the Prime side, I am being told that, as they build pursuit teams on projects, being CMMC certified (or at least demonstrably 800-171/CMMC compliant) will be an important consideration for team membership.
The final reason I think I am right is if you are bidding on a project or own a contract that includes a DFARS 252.204-7012 clause, you still need to be NIST SP 800-171 compliant. As CMMC Level 3 only requires the addition of 20 more controls on top of the 110 you need to implement for 800-171, it’s not a very big lift to become CMMC Level 3 compliant.
Further, based on the increased scrutiny from Primes/Agencies, the CMMC program itself, and recent False Claims Act lawsuits against DoD subcontractors for failure to conform to SP 800-171, at a minimum you should have formal “proof” that you fully achieve 800-171. At that point, the cost to move from “provable” NIST SP 800-171 (or CMMC) compliant to CMMC Level 3 certification will be minimal, and easily cost-justifiable. I think this was something that Katie Arrington was alluding to as well.
In case you wondered, I prefer to read leaves from Gyokuro tea :>). It has high levels of theanine, a potent amino acid, and can really help you focus for a few hours. Highly recommended.