What is CMMC: Protecting the DIB and DoD supply chain

Defence procurement

The United States Department of Defense (DoD) invests significant amounts of money ($1.8Tn planned) in new weapons systems such as aircraft, ships, ground fighting vehicles and satellites and in new IT systems and capabilities to be delivered through prototypes or new procurement pathways.  In addition to the annual procurement of offensive and defensive systems for front line fighting forces such as the Air Force, Army and Navy.  These activities create, modify and manufacture existing and new technologies and Intellectual Property (IP) on many diverse digital platforms, which reside in over 300,000 suppliers across the DoDs Defence Industry Base (DIB).  Platforms which are exposed to cyber threats.

Recent cyber events have compounded the view that if this IP gets into the wrong hands it could damage the effectiveness of the offensive and defensive capabilities of the US.  It has been estimated by the Council of Economic Advisers in their 2018 report published by the Office of the President of the USA, that the cost of malicious cyber activity on the US economy in 2016 was between $56Bn and $109Bn.  Alongside which the intangible costs of cyber-attacks on the DIB will be felt through the loss, damage or destruction of IP.  Impacting US competitive advantage, having an associated economic impact to DIB contractors, effect the flow of products and services through the DoD supply chain and potentially impact front line fighting forces if US IP is used for both offensive and defensive purposes by an adversary.

This is recognised by the DoD and the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)).  The department responsible for the design, development and delivery of US DoD acquisition strategy and capabilities.  Acknowledging that cybersecurity is a foundation within the acquisition process.

Defence Federal Acquisition Regulation Supplement (DFARS)

DFARS is a comprehensive suite of regulations setting out the expectations for the procurement and supply of products and services to the US military.  DFARS 48 CFR § 252.204-7012 (Safeguarding covered defense information and cyber incident reporting) is a regulation that defines the need for the implementation of NIST (SP) 800 – 171 (currently revision 2) that details a comprehensive set of cybersecurity practices for the protection of Controlled Unclassified Information (CUI).  All CUI categories are described in the US National Archives Controlled Unclassified Information (CUI) Registry.

Cybersecurity Maturity Model Certification (CMMC) – Why

Under DFARS 252.204-7012 regulations DIB contractors and their subcontractors have been expected to be complying to the NIST (SP) 800-171 practices(31.12.2017).  However DFARS 252.204-7012 was not being complied to by the DIB, highlighted by various Government Accountability Office (GAO) and DoD inspector General (DoDIG), concluding in general weapon system were both not cyber secure and the DIB was not adhering to the requirements defined in DFARS 252.204-7012.  To address this the DoD raised a formal DFARS case in 2019 – D041 ‘Strategic Assessment and Cybersecurity Certification Requirements’.  Initiating the process to implement a methodology for assessing DoD contractor’s compliance against NIST (SP) 800–171, the protection of Controlled Unclassified Information (CUI) and the reporting of cyber incidents.

CMMC Interim final ruling 2020

The CMMC interim final ruling which came into force on the 30th November 2020 (“ruling“) addresses the oversight and assurance gaps within DFARS 252.204-7012 for CUI data, and extends the scope of oversight to encompass both CUI and Federal Contract Information (FCI).  As specified in Federal Acquisition Regulation (FAR) Clause 48 CFR § 52.204-21.  Which includes information provided by or generated for a Government under contracts not intended for public release.

The existing DoD cyber security program implemented under the interim final ruling that came into effect on the 30th November 2020 introduced 2 DFARS rulings, DFARS 252.204-7019 and DFARS 252.204-7020. 

  • DFARS clause 252.204 – 7019 (Notice of NIST SP 800-171 DoD Assessment Requirements) – Contractors and subcontractors must submit a basic NIST SP 800 – 171 compliance score to the DoD Supplier Performance Risk System (SPRS) to be considered for contract award.
  • DFARS clause 252.204 – 7020 (NIST SP 800-171 DoD Assessment Requirements) Contractor shall provide access to its facilities, systems, and personnel necessary for the Government to conduct a Medium or High NIST SP 800-171 DoD Assessment.  Contractors must ensure that subcontractors have submitted their NIST compliance scores to the DoDs SPRS system before they award a contract.