CMMC In Plain English


Overview

My company has been “hammered” by dozens of clients and members about “what is CMMC and what should we be doing?”

There is a dichotomy between the market updates provided by DoD, news reports, and the security industry. This contrast is to be expected. Companies that help other companies, like yours, to follow DoD regulations are businesses, just like yours. It’s how they make money. It’s how they put food on their table. Nothing wrong with this.

My intention is to provide a very basic but granular discussion on CMMC so that you can say, “Oh! Okay. That makes sense” and to provide a couple recommendations on what you can do to prepare.

If you know little about NIST 800-171 or CMMC and you read and pay attention to this article, I promise you'll have a better understanding and you'll be able to start planning.

I also want to point out that I am not a security expert. It doesn’t take a security genius to outline the basics of NIST and CMMC. You and I can read. Let’s not overcomplicate this. However, the more advanced levels of CMMC will likely require a security professional’s help.

Successfully meeting the requirements of NIST 800-171 and CMMC is no different from meeting any other government requirement. Like any other control, it is going to take education, understanding, time, and possibly money. NIST 800-171 and CMMC are to security what the Defense Contract Audit Agency (DCAA) is to accounting systems: DCAA has the primary responsibility for monitoring and auditing the accounting systems of contractors doing work for DoD.

This article is designed to help you understand what’s coming and recommendations for the controls you should put in place now. Most companies, even small businesses have many of the CMMC Level 1 controls already in place! But I’ll bet you don’t have it formalized and documented.

So, let’s simplify this discussion. Let’s start with defining NIST 800-171 and CMMC in a way that everyone can understand.

NIST 800-171 and CMMC In Layman’s Terms

The National Institute of Standards and Technology (NIST) is a non-regulatory Federal agency responsible for establishing guidelines that apply to Federal agencies on many topics (of which cybersecurity is one area).

NIST Special Publication 800-171 (NIST 800-171) provides a list of controls that explain security compliance requirements. It uses the concept of “security controls” to identify specific “activities” that a company must take to protect information.

NIST 800-171 is the set of requirements for protecting Controlled Unclassified Information (CUI) when it lives on nonfederal systems, which is to say on a government contractor’s systems. What counts as CUI is defined separately, by the government-wide CUI program run by the National Archives (NARA); NIST 800-171 tells you how to protect it once you have it.

That’s what this is all about. These are the regulations that dictate the controls on how government contractors store, transmit, and process Controlled Unclassified Information (CUI).

NIST 800-171 applies to procurements for the Department of Defense and for civilian federal agencies. For DoD it arrives through DFARS clause 252.204-7012, which requires contractors to implement NIST 800-171 on any system that processes, stores, or transmits CUI. This is not new. You may not recall seeing it, but NIST 800-171 is likely in some or many of your proposals. All those “clauses” and regulations in the solicitation? NIST 800-171 may be one of them!

The CUI program was born in 2010 when President Obama signed Executive Order 13556, which directed all Federal agencies to protect controlled unclassified information. NIST published Special Publication 800-171 in 2015 to spell out how contractors must protect that information, and the DFARS clause gave DoD contractors until December 31, 2017 to implement it. So, practically speaking, it didn’t go into full effect until December 2017.

NIST 800-171 is a self-certification. Not only do many contracting officers not understand these security guidelines, but neither do many government contractors. So you have contracting officers embedding NIST 800-171 into solicitations, without understanding how to verify compliance AND government contractors signing their proposals and contracts, indicating compliance, without knowing what it even is.

Well, that doesn’t make any sense.

And that’s why the Cybersecurity Maturity Model Certification (CMMC) was developed.

CMMC

CMMC is the DoD's program for the Defense Industrial Base (DIB) (government contractors) to obtain a third-party assessment / certification to ensure that NIST 800-171 controls are implemented.

To clarify, both NIST 800-171 and CMMC apply to government contractors:

  • NIST 800-171 applies to any contractor that handles CUI, whether the customer is DoD or a civilian agency
  • CMMC is DoD’s program to verify, through a third-party assessment, that NIST 800-171 is actually implemented

Yes, it is likely that CMMC will eventually be rolled into federal agency acquisitions but right now it’s purely DoD.

So, if you have contracts with a federal agency, you should already be compliant with NIST 800-171 (self-certified). If you have contracts with DoD, you should also be compliant with NIST 800-171. CMMC is going to force you to certify compliance with a third party. 

That’s the high-level summary! CMMC is DoD’s program to ensure you have implemented NIST 800-171 security controls.

CMMC uses a tiered approach. There are five different CMMC levels. Each level expands on the previous level. NIST 800-171 contains 110 security requirements in 14 families; the CMMC model (version 1.0) defines 171 practices spread across the five levels. All 110 NIST 800-171 requirements are included by Level 3, which adds 20 practices of its own, and Levels 4 and 5 add more beyond that. For example, to certify at CMMC Level 1, you must prove (certify) that your company has implemented and is managing 17 practices. Those 17 correspond to the 15 basic safeguarding requirements that every federal contractor already agrees to under FAR clause 52.204-21.

CMMC will likely be used as a “gate” during the procurement cycle. For DoD, the plan is for every solicitation to specify which CMMC level a government contractor must have before submitting their proposal or bid. Unless a government contractor is certified at the specified CMMC level, they will be barred from bidding or subcontracting on a contract.

All Companies – Not Just Technology

If you have a contract with the government, regardless of product or service, and you have any level of Controlled Unclassified Information (CUI), you have to identify the level of CUI on your systems (includes email), and identify which NIST 800-171 controls are required.

These controls are more than just technology. It’s also physical security. It’s workflow and process. Many companies that don’t understand the requirements often send a message to their IT Director and say, “Hey! We have this CMMC ‘thingy’ coming and you need to make sure we’re in compliance.”

But it doesn’t start with the technology team. It starts with management. It starts with the owner of the company. The controls you must put in place span all units of the company, including management, operations, financial, sales, and contract management – in addition to the technology team.

Are COTS Products Exempt? – Yes (for now)

DoD has said that “[…] Companies that solely produce Commercial-Off-The-Shelf (COTS) products do not require a CMMC certification.” I’ve read this quote in half a dozen articles.

I’ll believe it when I see it. If you sell product, even if you’re just a reseller or distributor, aren’t you collecting contract data? Of course you are. When the government sends you a contract award you’re logging into government systems to confirm shipment and to invoice. That is likely Federal Contract Information (FCI). DoD has said that if you don’t have Controlled Unclassified Information (CUI) but have FCI, you have to be CMMC Level 1.

FCI does have a definition, in FAR 52.204-21: information not intended for public release that is provided by or generated for the government under a contract, excluding information the government has made public and excluding simple transactional information, such as what is needed to process payments. Applying that definition to a given email or spreadsheet is still a judgment call (pure payment-processing data may fall outside it, while the award itself and anything you produce under it generally falls inside), and you will get different answers depending on whom you ask, DoD included.

So, as of the date of this article, COTS products do not require CMMC certification. But I’ll be one of the first to say, “That’s going to change.” Maybe not in 2021, but it’s coming. It’s common sense.

Therefore, my recommendation is that companies that only sell COTS products put CMMC Level 1 controls in place. Don’t worry about certification, not yet.

Understanding How NIST 800-171 Maps to CMMC

There are 14 families of security requirements in NIST 800-171, containing 110 requirements in total. CMMC (version 1.0) organizes its 171 practices into 17 domains and five levels; the 110 NIST 800-171 requirements are all covered by Level 3, and the remaining practices come from other sources. The CMMC level you will need to certify under will be determined by two factors: 

  • The amount and sensitive nature of the CUI you possess; and
  • The CMMC level (1 to 5) that the government expects you to meet for a specific opportunity / procurement.

And therein lies a dilemma that DoD has not yet discussed or communicated. How does a DoD command identify the level a contractor should be certified under? Many contractors will be asking, “We know which Controlled Unclassified Information (CUI) we have on our systems, but based on our contract, based on the type of CUI we have on our systems, how do we know which CMMC level we need to be certified under?”

This is a big deal because the higher the CMMC level, the more practices you have to implement, document, and have assessed. 

So…

Which CMMC Level Should I Target For Certification?

While NIST 800-171 applies to contractors of all agencies and DoD, the categories of CUI are published in NARA’s CUI Registry, but which category applies to any given contract, and therefore which CMMC level goes with it… well, that’s still not formalized. Some industry security experts say this is well defined. But you have to look at this from both a security perspective and a business perspective. Many agency and DoD contracting officers can’t tell you which CMMC Level any specific company is going to need. Not yet.

In preparing this article, I spoke with various companies that specialize in security, even several that are hoping to be one of the third-party certification companies. Most folks have indicated that you will likely need to be CMMC Level 3. However, the level of CUI identified by the government will be different based on what data you have access to. So, there is no right answer to what level you should be at. Not yet.

DoD states, “[…] if a government contractor does not possess CUI but possesses Federal Contract Information (FCI), it is required to meet FAR Clause 52.204-21 and must be certified at a minimum of CMMC Level 1.”

Again, the FCI definition leaves room for judgment, but one thing is certain. At a minimum, you will likely need CMMC Level 1.

There are hundreds of websites that map the NIST requirements to CMMC. Some simple. Some complex. I swear that some of the very complex graphics and tables are for no other reason than to scare you to death and convince you to pay another company to do what you should already be doing. Sure, the Lockheed Martins and other large System Integrators need that level! But smaller businesses? No.

For companies that don’t work with DoD and only Federal agencies, I would still get compliant with CMMC Level 1 controls. Why? Because you’re supposed to already be compliant with NIST 800-171.

Remember, CMMC is simply the certification program to ensure DoD contractors are compliant with NIST 800-171 controls. 

UPDATE. After publishing this article, half a dozen companies contacted me to make clear that, "CMMC Level 3 is where the rubber meets the road." Based on what I've read and who I've spoken to, they are likely right. But for now, until more detail is available, my only recommendation is that everyone become CMMC Level 1 compliant. We're all going to go through this. No need to drive ourselves nuts until we have to. It's about corporate priorities. Thank you for everyone that sent me messages about CMMC Level 3 being a foundation. We'll be validating this soon!


Quickly Become CMMC Level 1 Compliant

The following 17 controls are for CMMC Level 1. These are not hard! You’re probably already doing most of these. Remember, every control needs two things: you have to implement it, and you have to be able to show an assessor that it is in place. Create a physical or digital binder that outlines your processes for each of the 17 controls, a schedule, a graphical representation of your physical and digital assets, and keep it current. This binder is, in effect, the beginning of what NIST 800-171 calls a system security plan, and it is what you will hand to the third party that audits and certifies you.

  1. Passwords – Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems). What does this mean? Don’t disable passwords. Use strong passwords. Always lock your screen when you step away from your computer, and have computers lock automatically after a period of inactivity.
  2. Rights and Authorized Users. Limit information system access to the types of transactions and functions that authorized users are permitted to execute. What does this mean? Only employees who pay the bills should have access to accounts payable. Only employees working on a government contract should have folder and file access to the data supporting that contract. Think segmentation. Think who really needs access to this information. The days of everyone having administrator access are over. This doesn’t mean you can’t give an employee access to the government data, but it can be temporary, granted for a specific task and removed when the task is done.
  3. Lock-Down Your Systems. Verify and control/limit connections to and use of external information systems. What does this mean? This may be a tough one for smaller companies or companies operating from home offices. You need to separate your company systems and network from your personal systems and networks. In other words, you’re buying another desktop or laptop to separate your personal data from your company data. Don’t share access to your router with friends or other companies in the building.
  4. Shared and Cloud Services. Control information posted or processed on publicly accessible information systems. What does this mean? Yes, you can still use cloud services such as Dropbox and Google Drive for FCI. Make sure every user has to log in (no open “anyone with the link” folders), turn on multi-factor authentication where the service offers it, and, just like your folders and files on the company network, restrict who has access to specific folders and files. One caveat: if the data is CUI rather than FCI, DFARS 252.204-7012 requires the cloud service to meet the FedRAMP Moderate baseline (or equivalent), which consumer-grade plans generally do not.
  5. Unique Accounts. Identify information system users, processes acting on behalf of users, or devices. What does this mean? Every employee and contractor must have their own account on company systems. Using SharePoint? No team passwords. Everyone has their own account. Yep, this may force you to pay for additional accounts. Cloud storage? Everyone has their own account to access a shared folder. Every employee has their own email with login and password. Every computer on the network must require a login and password. Level 1 doesn’t require you to keep audit logs of who did what (that comes at higher levels), but most systems record sign-ins by default, so leave that on; it costs nothing and you will need it later.
  6. Default Passwords and Authentication. Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems. What does this mean? Every system, every computer, every cell phone, every application must require a username and password. All systems should automatically lock when not used for a specified period of time. If you have systems or devices with default passwords that you never changed (routers, printers, cameras, Wi-Fi access points), change them now. Forcing everyone to change passwords every month or quarter is no longer recommended; NIST’s current password guidance (SP 800-63B) says to use long, unique passwords and change them when you have reason to think one was exposed, not on a calendar. Also, don’t post your Wi-Fi password on the walls of your office. (Exception: a guest network with its own password that can’t reach the network where FCI or CUI lives.)
  7. Destroying Old Computers and Drives. Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse. What does this mean? Work with your IT folks to wipe drives before you get rid of them. For spinning hard drives, a wipe program that overwrites the whole disk is fine; for SSDs and thumb drives, overwriting is unreliable, so use the drive’s built-in secure-erase function or physically destroy it (a hammer works). NIST SP 800-88 is the government’s own guide to media sanitization if you want the details. Get a company shredder and shred documents before trashing them.
  8. Physical Access. Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals. What does this mean? This is physical security control. If you have an office door, lock it when you leave your office. No one should be able to walk through your office and access computers or the file cabinet in your office. If your entire office is one large room, the last person to walk out must lock the door.
  9. Managing Office Visitors. Escort visitors and monitor visitor activity. What does this mean? As an example, it’s just four of us in a one room office… we don’t need visitor badges, right? Wrong - you do. Create a visitor’s log at the front desk, sign folks in, and give them a visitor’s badge. Imagine for a moment that there’s a leak in a water pipe or an electrician needs to access your office on a weekend. The company you lease your office space from, per your lease agreement, is allowed to enter your office for emergencies. Well, NIST 800-171 and CMMC require supervision. That means when the owner of the building calls to say they’re going in for repairs, you tell them to stop and you’ll have someone there in 30 minutes. Of course, if your office is flooding, it’s okay for them to enter to protect the building. Anyone who isn’t an employee must be escorted at all times. You can’t leave them in your office when you step out to refill your coffee. Don’t forget to have construction workers sign your log and give them a visitor badge.
  10. Visitor Log. Maintain audit logs of physical access. What does this mean? Have a log at the front desk for your employees and visitors to sign in and out. Yes, even your employees. Whether you are in a leased space or a home office, get a security system with cameras! This doesn’t have to cost a fortune. There are many security companies that provide cost-effective solutions. The log combined with a camera makes this simple.
  11. Employee Turnover and Physical Security. Control and manage physical access devices. What does this mean? Restrict who can turn your security system on and off. Ensure all windows and doors have locks and that you use them. Keep a list of who holds which keys, badges, and alarm codes. When an employee leaves, whether fired or on their own, simply getting the key back is not enough: collect keys and badges, disable their badge and alarm code the same day, and re-key any lock whose keys are not all accounted for.
  12. Use a Firewall. Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems. What does this mean? This is making sure that you have a firewall, and that it is actually doing something. Your internet router, the one connected to your modem, has a firewall built in. If you’ve turned it off because it’s easier, turn it back on. It should block all inbound connections by default; turn off remote administration from the Internet side, and turn off UPnP so that devices on your network can’t open ports on their own.
  13. Lock-Down Your Network. Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. What does this mean? If your company has its own servers, don’t forward ports from the Internet to them to make them easier to reach. An internal file server should not be reachable from the Internet at all. Anything that genuinely needs to be public (a web server) belongs on its own network segment, separate from the systems holding FCI. For smaller companies, host your website with a web-hosting company and your email with a service provider; if you do, you’re probably already covered. 
  14. Keeping Your Systems Current. Identify, report, and correct information and information system flaws in a timely manner. What does this mean? Those patches or system updates you haven’t performed for two years because you’re worried about something breaking? You can’t do that. Automatically download and install updates on all systems. This applies to not only computers, software, and applications, but also peripherals such as scanners and printers. Make sure your Windows updates are current. Make sure your router, printer, scanner, and other systems have the most current update. Make sure your website’s code and plugins are using the latest versions. Have a plan that you follow.
  15. Antivirus. Provide protection from malicious code at appropriate locations within organizational information systems. What does this mean? Every computer should have an antivirus program (and it’s turned on). Does your router have active measures built into it? Does your email provider include virus detection? (most do).
  16. Antivirus Definition Subscriptions. Update malicious code protection mechanisms when new releases are available. What does this mean? Some antivirus software is free. Others are paid. Some come with your computer purchase. If a server, you likely had to buy software and / or hardware for antivirus protection. Whether on your desktop or a server, you must keep current with antivirus definitions. Every system should have antivirus including those computers in the warehouse that haven’t been updated in years. These antivirus definition updates should be automatic so that systems are automatically updated every time new definitions are available (which is pretty much every day).
  17. Antivirus Scanning. Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed. What does this mean? Your scans should be taking place without you clicking a button. Automatic daily or weekly scans. Every computer must have automatic scanning enabled.
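As an added illustration (not part of the original article, and not anything DoD or the CMMC Accreditation Body publishes), here is a small Python script that turns the asset diagram and the binder into something checkable: a constructed inventory of a handful of office systems, evaluated against the technical items in the list above (1, 5, 6, and 12 through 17). The physical and process items (2 through 4 and 7 through 11) can’t be checked from an inventory and stay as written procedures. The asset attributes, the thresholds (30 days for patches, 7 days for antivirus definitions, 15 minutes for screen lock), and the example assets are assumptions for this example; CMMC Level 1 names no numbers. The practice identifiers in the output are the CMMC 1.0 practice IDs that correspond to each numbered item.

```python
"""Gap check of a constructed asset inventory against the technical subset
of the 17 CMMC Level 1 practices. Example code, not an official tool."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date

# Thresholds are assumptions for this example; Level 1 itself sets no numbers.
MAX_LOCK_MINUTES = 15
MAX_PATCH_AGE_DAYS = 30
MAX_AV_DEF_AGE_DAYS = 7

# Asset kinds that run a full operating system (screen lock and antivirus apply).
ENDPOINT_KINDS = {"workstation", "server"}


@dataclass
class Asset:
    name: str
    kind: str                                   # workstation, server, router, printer
    public_facing: bool = False                 # meant to be reachable from the Internet
    accounts: dict[str, set[str]] = field(default_factory=dict)  # login -> people using it
    screen_lock_minutes: int | None = None      # None = no automatic lock
    default_creds_changed: bool = True
    firewall_enabled: bool = True
    exposed_ports: set[int] = field(default_factory=set)         # reachable from the Internet
    last_patched: date | None = None
    av_installed: bool = False
    av_definitions_date: date | None = None
    av_scheduled_scan: bool = False
    av_realtime_scan: bool = False


@dataclass(frozen=True)
class Finding:
    asset: str
    item: int          # number in the 17-item Level 1 list
    practice: str      # corresponding CMMC 1.0 practice identifier
    detail: str


def _stale(d: date | None, max_days: int, today: date) -> bool:
    return d is None or (today - d).days > max_days


def check_asset(a: Asset, today: date) -> list[Finding]:
    """Return one Finding per Level 1 technical item the asset fails."""
    found: list[Finding] = []

    def add(item: int, practice: str, detail: str) -> None:
        found.append(Finding(a.name, item, practice, detail))

    if a.kind in ENDPOINT_KINDS and (
        a.screen_lock_minutes is None or a.screen_lock_minutes > MAX_LOCK_MINUTES
    ):
        add(1, "AC.1.001", f"no automatic screen lock within {MAX_LOCK_MINUTES} minutes")
    for login in sorted(l for l, people in a.accounts.items() if len(people) > 1):
        add(5, "IA.1.076", f"account '{login}' is shared by {len(a.accounts[login])} people")
    if not a.default_creds_changed:
        add(6, "IA.1.077", "still using vendor default credentials")
    if not a.firewall_enabled:
        add(12, "SC.1.175", "firewall disabled")
    if a.exposed_ports and not a.public_facing:
        ports = ", ".join(str(p) for p in sorted(a.exposed_ports))
        add(13, "SC.1.176", f"internal system reachable from the Internet on port(s) {ports}")
    if _stale(a.last_patched, MAX_PATCH_AGE_DAYS, today):
        add(14, "SI.1.210", f"not patched in the last {MAX_PATCH_AGE_DAYS} days")
    if a.kind in ENDPOINT_KINDS:
        if not a.av_installed:
            add(15, "SI.1.211", "no antivirus installed")
        else:
            if _stale(a.av_definitions_date, MAX_AV_DEF_AGE_DAYS, today):
                add(16, "SI.1.212", f"antivirus definitions older than {MAX_AV_DEF_AGE_DAYS} days")
            if not (a.av_scheduled_scan and a.av_realtime_scan):
                add(17, "SI.1.213", "scheduled and/or real-time scanning not enabled")
    return found


def assess(inventory: list[Asset], today: date) -> list[Finding]:
    return [f for a in inventory for f in check_asset(a, today)]


def gaps_by_item(findings: list[Finding]) -> dict[int, set[str]]:
    """Which list items still have open findings, and on which assets."""
    gaps: dict[int, set[str]] = {}
    for f in findings:
        gaps.setdefault(f.item, set()).add(f.asset)
    return gaps


# Constructed inventory for a four-person office (assumed, not real systems).
TODAY = date(2020, 9, 1)
INVENTORY = [
    Asset("owner-laptop", "workstation", accounts={"josh": {"Josh"}},
          screen_lock_minutes=10, last_patched=date(2020, 8, 28), av_installed=True,
          av_definitions_date=date(2020, 8, 31), av_scheduled_scan=True, av_realtime_scan=True),
    Asset("warehouse-pc", "workstation", accounts={"warehouse": {"Ann", "Bo", "Cy"}},
          screen_lock_minutes=None, last_patched=date(2018, 6, 1), av_installed=True,
          av_definitions_date=date(2018, 6, 1), av_scheduled_scan=False, av_realtime_scan=True),
    Asset("file-server", "server", accounts={"admin": {"Josh"}, "svc-backup": {"Josh"}},
          screen_lock_minutes=15, exposed_ports={3389}, last_patched=date(2020, 8, 15),
          av_installed=True, av_definitions_date=date(2020, 8, 30),
          av_scheduled_scan=True, av_realtime_scan=True),
    Asset("office-router", "router", default_creds_changed=False, firewall_enabled=False,
          last_patched=date(2019, 1, 10)),
    Asset("lobby-printer", "printer", last_patched=date(2020, 8, 20)),
]

if __name__ == "__main__":
    for f in assess(INVENTORY, TODAY):
        print(f"[item {f.item:2d} / {f.practice}] {f.asset}: {f.detail}")
```

Run as-is it lists nine findings: the warehouse PC fails five items (no screen lock, a shared login, two-year-old patches and antivirus definitions, no scheduled scan), the file server has Remote Desktop port-forwarded from the Internet, and the router still has its default password, its firewall off, and old firmware. Each line names the list item and the matching practice, which is exactly the shape a plan of action for the binder needs; re-running it after each fix tells you when the gap list is empty.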

When Is This Taking Effect?

Various articles indicate that DoD expects to have 7,500 companies certified by the end of 2021. Considering that there are between 300,000 and 350,000 companies supporting DoD, 7,500 doesn’t sound like many. However, that’s tens of thousands of contracts and all the subcontractors on these contracts must be certified as well.

If you are just a subcontractor, thinking this doesn’t affect you, imagine the following scenario: You are making $1.5 million as a sub to General Dynamics and their contract gets renewed in six months. The renewal requires CMMC Level 2 or 3. You’re going to get a call from the Prime asking, “Hey, you’re certified right? You’re level 3?” If you respond with, “CMMC? Isn’t that some new certification program?” – You probably just got replaced on the contract. At least be able to respond that you’re certified at Level 1 or 2 and that you’re ‘working on level 3’ and you’ll be certified in a couple weeks.

Let me go down the rabbit hole. Every company that is subcontracting on a DoD contract should start talking to their Primes, RIGHT NOW, about CMMC. They won’t have any updates for you. They’re waiting like everyone else for DoD to clarify direction. You need to keep talking to your Primes so that nothing surprises you. This is one of the best ways to prepare for CMMC and protect your revenue streams.

Several reports have stated that CMMC language will start being included in solicitations in the fall of 2020. That’s in just a couple months.

There are also several issues. A FedScoop article indicated that the CMMC Accreditation Body (AB) had a meeting in August with DoD. The CMMC Accreditation Body is the organization DoD is relying on to implement the standards program for CMMC. The article indicated infighting and several key individuals threatening to resign.

So… we’re going to get there, eventually. But DoD and the CMMC Accreditation Body are still working things out.

Here’s what we know as of today:

  • DoD will start incorporating CMMC language into RFPs and RFQs this fall. That’s likely to be tests and pilots. No major CMMC mandates before the first of the year.
  • A minimum of 7,500 companies (2.5% of the industrial base) will require certification (at some level) by end of 2021. Assume most of these are medium to large businesses with major contracts and IDIQs.

Oh Come On! How Do I Pay For This?

There’s not only a cost for certification. There’s a cost for putting these controls in place. There’s a cost to manage and maintain the processes and documentation. So how do you cover these costs?

First, I asked the following question to a dozen companies that are hoping to be third-party certifiers: “Based on the level of compliance, can we surmise a cost for small businesses getting compliant? (I know that’s a hard question to answer as every company is a bit different.)”

The answers were... breathtaking. Most indicated tens of thousands of dollars for initial certification, thousands of dollars annually to maintain, and several thousand every several years for re-certification.

Lockheed Martin can afford that. Small businesses? Not so much.

Clearly, the higher the CMMC Level, the higher number of NIST 800-171 controls, the more complex the controls, and the more difficult and costly to get certified.

But, NO ONE needs to pay another company to help you put CMMC Level 1 controls in place. If you can’t figure out how to implement level 1 controls, call a colleague at another company. It’s free. Also, don’t forget your local PTAC (Procurement Technical Assistance Center); their help is free too. For CMMC Level 1, in my opinion, all you should pay for is the certification.

As for Levels 2 to 5, you may have to pay someone to help you, but that’s down the road. We still don’t know what level you need.

Furthermore, as soon as small businesses start getting certified, they are likely going to start sharing what they’ve learned with their colleagues at other companies.

We also don’t know if DoD is going to cover the costs for the certifications. Many doubt it. I honestly believe it’s possible.

However, let’s assume you put all the controls in place to meet CMMC Level 3. You had to pay for additional software, additional computers. It has cost your company thousands to put Level 3 controls in place. It cost another several thousand to get certified. It’ll cost you a couple grand each year to keep those controls up to date. Then you have to pay a couple grand to recertify in several years.

If DoD doesn’t cover these costs (and if they did, it would likely only be the certification piece), then how do you recoup the money you’re spending?

The answer may be an increase to your fully burdened rates. You’ll need to take all of these costs into account when you bid. The reality is that most companies will need to do the same thing… unless they are willing to take a hit to profit in order to lower their price points on all their proposals. No right answer. Just thinking out loud.

Recommendations

The level you need to be certified at is dependent on the level and type of Controlled Unclassified Information (CUI) that you are supporting or plan to support on a given DoD contract.

If you’re a small business, you have fewer computers and systems than larger companies. By this very fact, putting in place the necessary controls and getting certified should be much easier.

Everyone should put CMMC Level 1 controls in place by end of year, regardless of getting certified. Worry about getting certified later. Also, we will all have a better idea of which CMMC Level you need later next year.

Start your CMMC Level 1 process by documenting and graphically mapping your physical office(s), doors, windows, devices, systems, applications… everything you use for work. Don’t forget all those cloud services. This diagram will help you create a plan for the first 17 controls in CMMC Level 1. You can find a bunch of examples online. Just Google it.

Conclusion

I hope this article provided the understanding and concepts you need while we wait for DoD to roll this out. If I left something out, please comment and let's make sure all small businesses have a strong understanding of what is to come and how they can start preparing.

This article provided the basics so you can start planning. Keep your ear to the street. Review the articles from other industry experts.

Josh



Joshua Frank is an award-winning business coach, professional speaker, and bestselling author. He is a nationally recognized authority on government sales and business acceleration. With 30 years in the government market, he speaks nationally on bridging government sales strategy with business strategy. Managing Partner at RSM Federal, Mr. Frank is author of the #1 bestseller An Insider's Guide To Winning Government Contracts and #1 bestseller Game Changers for Government Contractors. Mr. Frank serves as Chairman of the Board for the Midwest Veterans Advocacy Foundation (VAF). Mr. Frank also supports the SBA's Emerging Leaders Program and is a judge for Arch Grants providing startup funding for entrepreneurs. RSM Federal works with small and large businesses to accelerate revenue in the federal market with clients and members winning more than $2.7 billion in government contracts and more than $30 billion in Indefinite Delivery Contracts (IDC). Josh holds a degree in English, an MA in Management Information Systems (MIS), and an MBA.



RSM Federal - The Art and Science of Government Sales

#rsmfederal #federalaccess #gamechangers #neverstoplearning #NIST800-171 #CMMC

Excellent point regarding the cost for putting these controls in place. Identifying those costs and dependencies might be a great follow-up article.

Danish Riyaz

Capture Planning and Proposal Development

4 years

Thanks for explaining in simple words!

Jenny W Clark

The Oprah of Federal Contracting at Solvability, Inc. Founder of GovConSummit, a virtual accelerator network for small businesses in federal contracting, especially veteran entrepreneurs who hire veterans.

4 years

Joshua Frank this is brilliant! You took all the tech confusion out and made it reasonable. I agree with you on getting to CMMC level 1 using internal resources and reading the instructions and documenting. My personal estimate on what it will cost small businesses to get to level 3 is a minimum of $10K - 50 hours consulting at $200 per hour. This does not include software and hardware upgrades and additions. What about internal training of employees - probably can be part of HR onboarding and annual training. Biggest new wrinkle in cost is all the employees working from home using all their different devices while Alexa listens in on their conversations!! ??

Robert Marraro, CPM, CPP

Small business whisperer, champion & adviser. Unapologetically Catholic. 4th Degree, Knights of Columbus. ?De colores!

4 years

Joshua -- great piece. I'm going to be sharing this with our clients if you don't mind since it's the easiest, simple and down-to-earth explanation of CMMC I've seen. Please let everyone know to take advantage of their PTACs around the country (Procurement Technical Assistance Center). The DLA, our grant funder, is requiring all 300 of us across the country to be CMMC Level 1 certified and to assist clients in helping them get ready for certification. All of our services are free and confidential -- our tax dollars at work!

Joe Jezior

Senior Director

4 years

Great article
