Cybersecurity Maturity Model Certification (CMMC) for defense contractors


Comply or risk being left out of $360 billion in Defense contracts

Vendors that can show robust controls will thrive in the transition to a more secure defense supply chain. The new Department of Defense framework will require third-party certification of the cyber practices of vendors and their supply chains before they can win or renew contracts.

What’s new and what’s at stake?

Beginning in 2020, enhanced security standards for defense contractors, including many in the aerospace and defense (A&D) industry, take effect. The Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) will subject contractors to a certification process designed to bolster security and enhance visibility into the supply chain. A company’s cyber behavior, meaning its controls and practices, will receive a Level rating from 1 to 5, which will determine its eligibility to bid on certain contracts. The CMMC replaces the existing self-certification model under the Defense Federal Acquisition Regulation Supplement (DFARS).

The CMMC is designed to improve protection of controlled unclassified information (CUI) and Covered Defense Information (CDI) within the supply chain. By some estimates, more than 70% of DoD data resides on the networks of contractors.

The new requirement stems in part from ever-increasing cyber threats and exploits targeting the Defense Industrial Base (DIB) and its supply chain. According to a 2019 Navy internal review, hackers have stolen so much classified information and intellectual property from the DIB that they have eroded US economic and military advantages. Nation-state adversaries have exploited A&D companies and US R&D capabilities in new weapons systems, and operational plans have shown up in the hands of adversaries. Not only can systems be copied, they can also be breached.

Adversaries cost the US $600 billion annually, according to DoD’s Katie Arrington. The economic impact could increase dramatically as 5G, which allows for substantially faster data download and upload speeds, rolls out more widely. State actors are the biggest threat to 5G security, according to an October 2019 report by the European Commission and national cybersecurity experts.

Are all DoD contractors affected by CMMC?

Every company within the DoD supply chain, not just the defense industrial base, will be required to get certified to contract with the DoD. That could affect as many as 300,000 contractors, large and small, prime contractors and subcontractors alike.

In FY18, the DoD awarded nearly $360 billion in contracts, including products (e.g. military or civilian aircraft, ships, vehicles, weaponry, and electronic systems) and services (logistics, technical support and training, communications support, and engineering support). During the same period, the DoD's share of total government contracts was 65.9%.

Of the total Defense contracts, those that involve CUI and CDI will need to comply with CMMC.

Officials expect to begin adding certification standards to requests for information (RFIs) by June 2020. Beginning in fall 2020, some DoD requests for proposal (RFPs) will explicitly state which CMMC level is required for a particular contract and provide a “go / no-go” decision for an organization’s eligibility to win a contract.

Existing contracts will become subject to whichever CMMC level the contracting authority requires when they come up for renewal.

How does the certification work?

All contractors will need to become CMMC-certified by passing a third-party audit to verify they have implemented the appropriate level of cybersecurity controls.

The CMMC consists of five maturity levels ranging from Level 1 (“basic cyber hygiene”) to Level 5 (“advanced”), used to determine whether a contractor’s cybersecurity posture is adequate to handle controlled unclassified information. CMMC requires contractors to comply with expanded controls and requirements, including asset management, cybersecurity governance, recovery, and situational awareness.

The levels are cumulative: to be certified at a particular CMMC level, a contractor must meet the practices and processes of that level and of every level below it. For example, to meet Level 3, a contractor must also comply with all of the controls and practices in Levels 1 and 2.

Contracts will require varying levels of CMMC certification. Projects with greater vulnerabilities or sensitivity would require a contractor to meet more stringent security standards (i.e., require a higher level certification). Vendors’ eligibility to compete for contracts will be determined by CMMC level achieved, on a contract-by-contract basis. Many civilian agencies may not award a contract to a bidder if there are contractual relationships with companies that pose geopolitical risk, most frequently driven by threats from nation state adversaries.

The DoD, with its latest update, has yet to state consequences for non-compliance with the CMMC process. But the immediate and most concerning impact will be an inability for the Defense contractor to bid on future contracts, inevitably leading to lost revenue.

How prepared are DoD contractors for the new process?

PwC expects that companies will have much work to do to bring their cybersecurity controls up to the new standard.

Only 1% of Defense Industrial Base companies have implemented all 110 security requirements of NIST Special Publication (SP) 800-171, according to the DoD’s Katie Arrington. These NIST SP 800-171 requirements are the foundation of CMMC compliance.

More than one-fourth of defense professionals surveyed by the National Defense Industry Association (NDIA) work for organizations that have been subjected to cyber attacks. Companies in the sector do not have great confidence that they could recover from such attacks within 24 hours. Only about 30 percent of defense organizations have a full understanding of costs required to recover from a cyber attack, and nearly half of prime contractors are unable to confirm the system security plans of their subcontractors.

Small companies pose the biggest cyber risks, said Assistant Defense Secretary for Acquisition Kevin Fahey to reporters at the Pentagon. "The problem is that our adversaries don’t try to come in through the big companies, they come in through the fifth, sixth tier,” he said. “Most of our problems, that’s where they’re coming in.”

DoD contractors should view the process as a way to mature beyond ad hoc, inconsistent cybersecurity processes in their organization. The Pentagon sees the new model as setting the stage for a broader, more complex journey to better understand the defense supply chain.

What should DoD contractors do now?

As a non-certifying body, PwC helps contractors identify where to invest based on cost-benefit analysis. We take a risk-based approach to incremental controls deployment and/or system architecture changes, presenting a range of cost-risk options: low cost / high risk, medium cost / medium risk, and high cost / low risk.

PwC applies a five-phased approach for efficient compliance:

1. Start with a current state assessment

Many organizations lack the resources to do a comprehensive assessment; others may be tempted to simply reuse prior DFARS self-assessments or existing NIST SP 800-171 compliance materials, or to skip the current state assessment altogether. But the CMMC puts structure and an accreditation body in place, and the current state assessment produces roughly 90% of the documentation and detail required in the System Security Plan (SSP) and Plan of Action and Milestones (POA&M).

An accurate and complete current state assessment is the right foundation for full compliance. Understand which of your technologies and applications process, create, or store CUI. Identify your organization’s target CMMC level. Hold discussions with the right people in your organization to detail the security requirements from NIST SP 800-171 and CMMC. Companies may already have invested in NIST SP 800-171 controls, and there could be efficient ways to carry that work over to CMMC compliance. A company that has been through a DIBCAC (Defense Industrial Base Cybersecurity Assessment Center) audit can expect reciprocity in the form of credit for implementing ISO 27001-specific controls.


2. Address control gaps

Review your controls documentation and your processes for safeguarding CUI. Identify and address previously undiscovered control gaps, based on the new evidence gathered during the assessment against the CMMC requirements.

Control gaps can range from lacking the right skill sets to overlooking a policy or procedure, or failing to have a sophisticated identity and access management solution. Organizations aspiring to achieve CMMC certification levels 4 and 5 would have more advanced gaps.

Many organizations also face challenges implementing several controls from certification Levels 1 through 3, such as:

  • multi-factor authentication, a technology investment that can require significant retooling, depending on the environment
  • clearly defined network architecture and data flow diagrams, which are fundamental to scoping and documenting the environment
  • full audit logs at both the application and system level that are actively monitored and generate alerts
  • a configuration management database (CMDB) that covers all physical and logical assets, with proper data classification


3. Plan for remediation and compliance

Develop a plan to address deficient controls, reach the CMMC level your organization is targeting, and obtain certification. Remediation can take anywhere from a few weeks, for smaller gaps, to a few years for larger technology implementation efforts. Achieving certification at Level 1 or Level 2 may take a few months, while reaching higher levels may take a year or longer, given the increase in requirements. The level of effort will vary with the client, contract, environment, and the nature of the gaps, and it also hinges on which CMMC level the organization is moving from and to.

Having a gap does not necessarily mean you are not at the required level of compliance. If you have a remediation plan in place, and the contracting officer’s representative at the prime contractor above you in the supply chain and/or the contracting officer’s representative at the DoD is comfortable with that plan, you can still get certified.


4. Identify key stakeholders across the organization

Cyber exploits move laterally across functions, departments, and systems, and risks breed in the gaps, silos, and hand-offs between them. Compliance will therefore require stakeholders from across the organization. Decide who from technical, business, compliance, and executive leadership should be involved during the planning, remediation, and compliance process, and who should be involved in ongoing CMMC compliance efforts and decision making for the organization.


5. Build continuous compliance capability

Conduct regular status meetings and checkpoints with remediation owners to track progress and identify risks before they affect the organization’s overall CMMC compliance. Organizations that have executed the previous steps will reach this point naturally: it is a direct progression from the POA&M and part of standard project management practice. The added benefit is that clear status updates can be included in communications with contracting officers. Also set the stage for continuous improvement in cybersecurity: integrate the compliance process into your company’s existing Internal Audit, IT Compliance, or equivalent internal groups, and implement automation and technical monitoring mechanisms where possible to ease the burden and keep the organization aware of security risks.


Can you get R&D tax credits for expenses related to CMMC compliance?

A further incentive for raising cybersecurity standards: many cyber expenses can qualify for the Research and Development (R&D) Tax Credit. The credit provides up to an 11% net federal cash benefit for qualified research expenses (QREs) in the United States, and as much as 50% to 75% of certain types of cybersecurity spend could potentially qualify.

Contact us

Chad Gray

Principal, Cybersecurity and Privacy, PwC US

Donald Freese

Principal, Cybersecurity and Privacy, PwC US
