More than 15 years ago, through a supply chain attack against a U.S. Department of Defense (DoD) contractor, Chinese hackers breached the Pentagon’s Joint Strike Fighter project and stole data about the U.S. F-35 fighter jet. They used the data to build their own fighter, the J-31, and it was years before the DoD and the contractor, an Australian defense firm, realized which data had been stolen.
Luckily, none of the stolen data was classified, but the hackers exfiltrated sensitive data like the schematics of the F-35.
Terms like “top secret” and “confidential” are familiar to most people, but you may be less familiar with two data classification levels making headlines recently: controlled unclassified information (CUI) and federal contract information (FCI). These terms refer to information that could negatively impact national interest if misused or made public, so DoD created the Cybersecurity Maturity Model Certification (CMMC) framework in 2019 to establish standards around protecting CUI and FUI.
Hospitals and health systems often collaborate with the DoD to enhance healthcare delivery, disaster response, research, and training. From conducting research to collaborating on public health initiatives like vaccination campaigns, disease surveillance, and health promotion programs, there are many occasions in which healthcare entities bid on RFIs and RFPs for these projects. Under DoD’s CMMC framework, expected to take effect in 2024, organizations bidding to work on DoD projects must pass a CMMC assessment every three years before business can be awarded to them.
CMMC sets security standards for how organizations protect and manage CUI and FCI. DoD created the program, and the standards apply to all contractors and subcontractors bidding on or renewing DoD contracts. DoD introduced the framework in 2019, but it has yet to take effect as it revamped it with some important changes and changed the timeline. We’ll cover what’s different in CMMC 2.0 and what you can anticipate once rulemaking is finalized later in this article.
Understanding CUI and FCI
According to the Federal Acquisition Regulation (FAR) Basic Safeguarding of Contractor Information Systems, CUI is any information that, if lost, misused, modified, or has unauthorized access, could negatively impact national interest. This would be considered data that are not readily available to the public, for example:
- Personally identifiable information (PII)
- Proprietary business information
- Research and studies
- Software and source code
- Financial statements
- Contracts
- Tech reports
- Data analytics
FCI is less sensitive than CUI, but it’s also not intended for public release. FCI is generally contained in government contracts for product or service delivery, for example:
- Contract information
- Reports and charts
- Proposal responses
- Emails
- Subcontracts
CUI Regulations
Since CUI data is a bit more complex than FCI, the DoD developed a supplement to the initial FAR regulations (DFARS) 252.204-7012. The goal is safeguarding CUI when stored, processed, or submitted through a contractor or subcontractor’s information system. It also guides cyber incident reporting, mandating that all incidents are reported within 72 hours of discovery and guidance on reporting malicious software and conducting a damage assessment.
Originally, contractors and subcontractors could self-attest if they met DFARs requirements annually by submitting a Supplier Performance Risk System (SPRS) score to DoD. However, the self-attestation process had obstacles, primarily that contractors had different approaches, which could lead to inaccurate SPRS scores.
The DoD developed the Cybersecurity Maturity Model Certification (CMMC) program to validate DFARS requirements and define standard and assessment processes. Organizations that access CUI must pass a CMMC assessment every three years. Depending on the CMMC data classification level, that could be via self-assessment or it may be required to come from an authorized third party.
CMMC 2.0 Model
DoD recently reworked the original CMMC model, the most significant change being the reduction of maturity levels from the original five down to three:
- Level 1, foundational cyber hygiene: For organizations that deal with FCI. 17 practice requirements. Must self-attest through SPRS annually for compliance.
- Level 2, advanced: For organizations that handle CUI. 110 practice requirements that align with NIST SP 800-171. Must get an assessment every three years from a certified third party and submit an annual affirmation of compliance. Most organizations bidding on DoD contracts will likely be at Level 2, estimated to be nearly 300,000 organizations. Self-assessments may be possible for certain programs like non-prioritized acquisitions.
- Level 3, expert: These are generally much more sensitive and larger contracts and have the most advanced cyber controls of all levels. 134 controls aligned with NIST SP 800-171 and 172. If you’re bidding on Level 3 contracts, you must first go through the certification process at Level 2. If you pass, then you will be subject to a government-led assessment. Reassessments are every three years with an annual affirmation of compliance.
DoD is still fine-tuning CMMC 2.0 language before it releases a complete draft rule for a 60-day public comment period, which is expected to be later in 2023.
Once DoD addresses all of the comments, it will issue the final rule, which is targeted for Q1 of 2024. By the end of Q2 2024, CMMC 2.0 requirements should begin showing up in RFIs and RFPs.
CMMC Certification
The Cyber-AB oversees CMMC and is its official accreditation body. It’s responsible for building, accrediting, certifying, and managing the CMMC ecosystem for DoD. Cyber-AB created the Cybersecurity Assessor and Instructor Certification Organization (CAICO) to manage professional training and certification for assessors.
Organizations that are certified to provide CMMC assessments are known as CMMC Third Party Assessor Organizations (C3PAO). C3PAOs can conduct CMMC certification assessments for levels 1 and 2.
Organizations that aren’t ready for an assessment but want to prepare can work with a Cyber-AB registered provider organization (RPO) for CMMC consulting services.
As a C3PAO, companies like Redspin, a Clearwater division, can help you prepare for certification. The process generally includes:
- Review and feedback on your CMMC standards documentation
- Review of your security configurations to make sure they operate as designed
- A gap analysis of your cybersecurity program
- Assistance with remediation
- If there are gaps, the C3PAO will issue findings you must include in your CMMC Plan of Action & Milestones (POA&M) for remediation.
Now is the Time to Start
If you have DoD RFI’s or RFP’s in sight, now is the time to start thinking about your CMMC certification plan. The process for certification generally takes about four weeks and includes four phases:
- Phase 1, objective evidence review: Identify key stakeholders; set scope and assessment objective; collect and review evidence, artifacts, systems, security plans, policies, procedures and other documentation. This phase usually takes about a week.
- Phase 2, the interview: In Phase 2, the C3PAO will interview all key stakeholders, not just your IT and information security teams, but also stakeholders in other departments like marketing and HR. CMMC is an organization-wide certification. This process generally takes a week.
- Phase 3, report writing: Assessors analyze all evidence and artifacts and will review their assessment notes to make sure you’ve met all CMMC requirements. If you have, the C3PAO will issue an attestation letter for your CMMC certification and submit required documentation to DoD.
- Phase 4, final assessment: If your organization successfully meets Phase 3 requirements, you will not move into Phase 4. Congratulations! You’re CMMC certified; however, if you did not pass the assessment, you’ll have 180 days to remediate the issues your assessor included in your POA&M. Once you do, the assessor will come back to conduct a final assessment. If you’ve rectified everything in your POA&M and pass a final assessment, you can receive your CMMC compliance certification.
All CMMC certified organizations must maintain compliance and affirm it every year, with re-certification every three years.
If your organization’s information systems are solely cloud-based and you only have digital CUI, a C3PAO can conduct a virtual assessment online. Organizations that have CUI in a hybrid environment– for example, in an on-site data center and in the cloud — can also get a virtual assessment, but must agree to set aside a day for the assessor to come onsite and assess CMMC physical controls.
If you’re not already, consider working with a CMMC expert like Redspin, a division of Clearwater, to navigate your CMMC journey and ensure you meet all compliance objectives. As CMMC continues to evolve, your CMMC consultant can alert you to CMMC changes and shifts in timelines and, best of all, help you build confidence to ace your next CMMC assessment and become CMMC certified.