CMMC Requirements for Small Business: The ABC's for SMB's

Safeguarding Sensitive Information

In March 2016, a Chinese national admitted to hacking Department of Defense (DoD) contractors. As a result, China was able to steal technical data related to transport and fighter jets. Just nine months after the hack, China introduced its fifth-generation fighter FC-31. Many analysts believe the FC-31 mimics the USAF F-35 as a result of their cyber-espionage.

Federal Acquisition Regulations (FAR) require all defense contractors to safeguard sensitive information. The current measures have been unable to stop the leakage of sensitive information from the Defense Supply Chain (DSC). 

Classified information isn’t the only sensitive information sought by our adversaries. The DoD and DSC exchange a wide range of information. Each piece helps bring DoD’s activities into better view. Let’s take a look at the different types of sensitive information the DoD has focused on:

  • Federal Contract Information (FCI) - information provided by or generated for the government under contracts and not intended for public release.

  • Controlled Unclassified Information (CUI) - information that law, regulation, or government-wide policy requires to have safeguarding or disseminating controls.

It’s important to note that the government isn’t always the source of either FCI or CUI. The contractor may itself generate sensitive information during the performance of a contract.

Members of the defense industrial base should understand what sensitive information they have. A contractor should ensure safeguards for sensitive information also flow down to subcontractors.

Let’s take a look at some of the safeguarding legal obligations for DoD contractors.

FAR 52.204-21 defines 15 specific safeguarding requirements to protect FCI.

The Defense FAR Supplement (DFARS) 252.204-7012 lists the safeguarding requirements to protect CUI. These 110 requirements come from the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171.

These requirements have been in place since 2016 and 2018. Contractors have been self-certifying compliance by participating in a contract or self-attesting. Yet, a 2019 DoD audit found many contractors weren’t implementing important cybersecurity controls.

Introduced in September 2020, Interim DFARS rule 2019-D041 imposed new requirements. Contractors working with CUI must now conduct an assessment based on NIST 800-171.

Contractors must upload their assessment scores into the Supplier Performance Risk System (SPRS). Before making an award, contracting officers now have to verify the SPRS score is not more than 3 years old.

There are three assessment levels, distinguished by the depth of the assessment performed:

  • Basic is a self-assessment completed by the contractor

  • Medium assessment is the government review of a System Security Plan (SSP)

  • High assessment is the government review of evidence and/or demonstration

The contractor must have an SSP for all covered systems. For each control not met, the contractor must have a plan of action and milestones (POA&M).

To score the assessment, each NIST 800-171 control is weighted at 1, 3, or 5 points. Starting from a score of 110, subtract the weight of each control that is not implemented. A perfect score is 110 and the worst possible score is -203.

The DoD wants to see how many contractors are relying on POA&Ms to get a true understanding of the industry's compliance posture. 
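The scoring arithmetic above, the POA&M requirement for each control not met, and the three-year currency check a contracting officer performs, worked through as an added example (not code from the original article). The control identifiers, weights and implementation flags in the sample inventory are constructed for illustration and are not the official DoD per-control values.

```python
from dataclasses import dataclass
from datetime import date
PERFECT_SCORE = 110  # start value: every NIST 800-171 control implemented

@dataclass(frozen=True)
class Control:
    control_id: str     # NIST 800-171 identifier
    weight: int         # 1, 3 or 5 points under the DoD assessment methodology
    implemented: bool   # False means "not met" and needs a POA&M entry

def sprs_score(controls):
    """Start at 110 and subtract the weight of every control not implemented."""
    for c in controls:
        if c.weight not in (1, 3, 5):
            raise ValueError(f"{c.control_id}: weight must be 1, 3 or 5")
    return PERFECT_SCORE - sum(c.weight for c in controls if not c.implemented)

def poam_items(controls):
    """Controls not met: each must appear in the plan of action and milestones."""
    return [c.control_id for c in controls if not c.implemented]

def score_is_current(assessment_iso, today_iso):
    """Contracting officers verify the SPRS score is not more than 3 years old."""
    assessed = date.fromisoformat(assessment_iso)
    try:
        expiry = assessed.replace(year=assessed.year + 3)
    except ValueError:  # assessed on 29 Feb: roll forward to 1 Mar
        expiry = assessed.replace(year=assessed.year + 3, month=3, day=1)
    return date.fromisoformat(today_iso) <= expiry

def assessment_summary(controls, assessment_iso, today_iso):
    """The three facts a contracting officer would check before an award."""
    return {
        "score": sprs_score(controls),
        "poam_count": len(poam_items(controls)),
        "current": score_is_current(assessment_iso, today_iso),
    }

# Constructed sample inventory: weights are illustrative, not the official
# DoD per-control values, and the status flags are made up.
SAMPLE_CONTROLS = [
    Control("3.1.1", 5, True),
    Control("3.5.3", 5, False),
    Control("3.3.1", 3, False),
    Control("3.8.4", 1, False),
]

if __name__ == "__main__":
    print(assessment_summary(SAMPLE_CONTROLS, "2021-08-01", "2024-06-30"))
```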

Upcoming Cybersecurity Maturity Model Certification (CMMC)

CMMC will be the next iteration of cybersecurity compliance. The industry expects rule-making by DoD to occur in September 2021. This change will entail assessing compliance by certified third-party assessors (C3PAOs).

Even after rule-making, the CMMC roll-out approach will be a crawl, walk, run. As few as 15 contracts will contain CMMC requirements in fiscal year (FY) 2021. More and more solicitations over the next five years will contain CMMC requirements.

All solicitations will have CMMC requirements by FY 2025.

That doesn’t mean that you should wait until 2025 to begin the process of becoming certified. Some solicitations may ask about certification plans. Preparation will vary based on the types of projects the contractor wants to handle.

Maturity Level 1 will be enough for contractors dealing only with FCI. This level corresponds to the current requirements in FAR 52.204-21. The DoD expects that contractors receiving FCI are already adherent to Maturity Level 1 requirements.

CUI requires contractors to achieve Maturity Level 3 certification. Maturity Level 3 corresponds to the current requirements in NIST 800-171 plus 20 new practices.

Since moving from Maturity Level 1 to 3 takes significant effort, Maturity Level 2 is an interim step. Certification at Maturity Level 2 demonstrates the intent to move toward contracts containing CUI.

Maturity Level 4 adds 26 new practices and process reviews to ensure their effectiveness. At Maturity Level 5, the total number of practices reaches 171 and processes must be optimized.

There are approximately 300,000 contractors within the defense industrial base (DIB). Commercial off-the-shelf (COTS) providers are exempt from CMMC. DoD expects 80 percent of the DIB to need only Maturity Level 1. Less than 1 percent will need a certification beyond Maturity Level 3. That leaves roughly 50,000 contractors and subcontractors in need of Maturity Level 3 certification.

In other words, most small businesses will land at Level 1 or Level 3.

Understanding CMMC Levels and Assessments

If you provide COTS products or services to the DoD and do not receive or produce FCI, then CMMC will not apply to you. COTS products and services cannot deviate from what is available to non-government customers.

If you receive FCI then you should plan to receive a Maturity Level 1 certification. Likewise, if you receive CUI, then you should plan to receive a Maturity Level 3 certification.

Maturity Level 1 requires you to show adherence to FAR 52.204-21. You must be able to show you are performing 17 practices from 6 different domains. Assessors will look at two of three potential forms of evidence: 

  • Examine:  reviewing assessment objects (specifications, activities, etc.)

  • Interview: discussions with individuals responsible for that practice

  • Test: exercising assessment objects (activities, mechanisms)

Documentation for processes and policies is not required at Maturity Level 1. Maturity Level 3 includes 130 practices and written processes for each of the 17 domains. Assessment of practices will result in one of three possible findings:

  • Met: the evidence confirms the assessment goal

  • Not Met: the evidence does not confirm the assessment goal

  • Not Applicable: the process or practice does not apply

A contractor can inherit a practice or process from a third party. Evidence should show how the vendor meets the assessment goals for those practices. Many small businesses are reliant on managed services providers (MSPs). If your MSP has logical access to your network that contains FCI, the MSP will be within the scope of the assessment.

Most organizations will not need more than one certification. The certification level indicates the kinds of information that an organization can receive. The more mature the organization, the more sensitive information they can receive. Certifications will be valid for three years.

The Benefits of Using a Network Enclave

Many small businesses have flat network architectures. This means all devices can access each other. If sensitive information exists within a flat network, then all devices have access. This would mean all devices are within the scope of the NIST 800-171 controls or CMMC.

Most small businesses worry about the investment required for certifying their whole network. The potential solution to consider is segmenting the network. By separating the network, you can reduce the number of devices with access to data. The fewer devices with access, the smaller the scope of the assessment.

Creating a local enclave keeps the sensitive data within your network. An alternative would be to use a cloud service provider (CSP). The CSP would need to have the appropriate Maturity Level based on the sensitive data stored. For example, data containing CUI requires a Maturity Level 3 certification. 

The contractor may still need their certification even when using a CSP enclave. If the contractor is uploading CUI into the CSP enclave, then they have received CUI. To receive or create CUI requires a Maturity Level 3 certification.

There are two known exceptions. Receiving CUI involves bringing it into an information system. It’s possible to access CUI without receiving it.

In the first example, a prime could create an enclave that allows a sub to access CUI. The sub would not need a Maturity Level 3 certification to access the CUI as long as they don't receive it.

In the second example, a CSP could act as the enclave storing CUI. The CSP could make it accessible to any sub or prime with a Maturity Level 3 certification. If the sub or prime did not have a Maturity Level 3 certification, they may still have access to the CUI.

Start Preparing Now

Most contractors are already certifying that they comply with the FAR requirements. They should be able to achieve Maturity Level 1 without significant expense. They need to show habitual behavior that the practices are being performed. It must be clear that the practices have been in place for a significant amount of time (six months).

Documentation isn’t required at Maturity Level 1, but having it would help show that the practices are habitual. The assessment guide indicates which documents would demonstrate compliance for each practice.

Start preparation by going through the 17 practice requirements and gathering relevant documents. There are more than 50 objectives contained within the 17 practices. You can hire a service provider organization from the CMMC-AB marketplace to check if the evidence gathered is good enough.

Organizations seeking a Maturity Level 3 certification have a much heavier lift: 130 practices containing almost 400 objectives. A written policy for each of the 17 domains should outline the process behind each practice.

For organizations currently handling CUI, start with the SPRS assessment. This will cover the 110 NIST 800-171 practices. The 20 delta practices within CMMC add about 50 new objectives. Documenting evidence and policies will likely be a long journey.

Again, you can hire a service provider organization from the CMMC-AB marketplace. Registered practitioners and certified professionals can help identify and reduce the assessment scope. CSPs and MSPs can help create an enclave. Tool providers can help organize documented evidence.

CMMC requirements will not enter into most contracts this year or next. Still, the majority of them already exist today. Preparing now will help show the habitual nature of the practices performed.