The Chesapeake Science and Security Corridor (CSSC)’s epicenter is Harford County, MD, home to Aberdeen Proving Ground (APG). Inside the gates of this 100+ tenant Department of Defense (DoD) Research, Development, Test & Evaluation (RDT&E) megabase are six Centers of Excellence including C5ISR, and the highest concentration of advanced degrees on a U.S. military installation. Outside its gates, more than 150 defense companies stand at the ready to support a military-critical mission in readiness and resilience. And between them now lies an impending, evolving certification compliance in cybersecurity that impacts acquisition, teaming, performance integrity and the future of doing business with the federal government. Here is how a community in northeastern Maryland is collaborating to address this requirement.
But First, What is CMMC?
Developed by the DoD, the Cybersecurity Maturity Model Certification (CMMC) is a process to protect DoD and industry-critical data and assets from exploitation, often described as ‘securing the supply chain.’ However, critical data on unclassified systems are vulnerable, and Controlled Unclassified Information (CUI) such as funding, personal, export-controlled and critical technical data is being exploited. “There is concern that existing self-assessment cybersecurity requirements (e.g., DFARS 252.204-7012 and NIST SP 800-171) in DoD/Industry partnerships are not adequately protecting CUI. Consequently, DoD developed the new statutory CMMC process through which companies will be required to obtain third-party assessments to certify their level of cybersecurity maturity,” says Glenn Gillis, Senior Partner with BDCS. DoD has set up the CMMC Accreditation Body (CMMC-AB) to define, develop, train, implement and oversee the accreditation process. Future DoD contracts will require CMMC at specific levels for an awardee and their entire subcontracted team. Contracts with CMMC requirements will be phased in: near-term on selected new contracts and significant contract option executions, and by FY2026 as a requirement for all new DoD contracts.
Maryland Leverages Resources for its Defense Industry Base
As the state ranked 4th in defense spending, Maryland businesses play a key role in the defense industrial base. With twice as many federal labs as any other state and over 20 military facilities including APG, it is no surprise that Maryland nationally ranks number one for STEM job concentration and for high-tech’s share of all businesses. The state is renowned for its defense RDT&E, providing the full life cycle of many critical defense technologies. With thousands of in-state defense contractors, from a two-person business operation to a corporate headquarters such as Lockheed Martin and Northrop Grumman Mission Systems, the demand for cyber compliance is high. With grant support from the DoD Office of Local Defense Community Cooperation, Maryland, for the third consecutive year, offers the Defense Cybersecurity Assistance Program (DCAP), designed to aid small to mid-sized companies in tackling this important but costly requirement. “To that end, we must all play our part in helping those further down the supply chain with less resources yet with the innovative talent that drives tomorrow’s technologies,” says Lisa Swoboda, Senior Director, Military & Federal Affairs for Maryland Commerce. In addition to compliance assessments and technical assistance offered within the DCAP, Maryland also offers the Buy Maryland Cybersecurity Tax Credit, an incentive for qualified Maryland companies to purchase cybersecurity technologies and services from a qualified Maryland cybersecurity seller. “We hope to see more companies take advantage of these programs that aim to protect our nation’s assets,” added Swoboda.
The Maryland Manufacturing Exchange Partnership (MD MEP) is partnering with the Maryland Department of Commerce to administer the DCAP. The program has helped nearly 100 companies since inception and 100 more companies are in the queue to receive assistance and support in 2021. Results show participating businesses realized more than $500M in economic impact and retained 3,000 Maryland jobs. MD MEP Executive Director Michael Kelleher stated, “In partnership with the Maryland Department of Commerce, the Department of Defense, MD MEP and most importantly industry partners, DCAP has enabled hundreds of manufacturers to improve their cybersecurity posture, comply with the often difficult and costly requirements of cybersecurity, and remain competitive in the market. We look forward to continuing the program and creating opportunities for organizations to share knowledge, resources and best practices into the future.”
Professional Organizations Educate and Facilitate
Not having the appropriate level of CMMC at time of award will impact the industrial base and DoD’s ability to meet its mission requirements, so local professional organizations are working to bring awareness and action to the community to ensure preparedness for the CMMC implementation.
“The Aberdeen Chapter of the National Defense Industrial Association (NDIA) and several other associations actively worked with the APG-Army Contracting Command (APG-ACC) to offer a symposium with subject matter experts from the Office of the Secretary of Defense (OSD) and Army to discuss the importance of CMMC; what implementation should look like; and when companies could expect to start seeing the requirement in requests for proposals (RFPs),” shared NDIA Chapter President Dave Lockhart. A point emphasized during the symposium was that companies could charge the cost of implementation to Government contracts as an allowable expense rather than carry it as an unfunded mandate, which was a major issue prior to the government rollout of the implementation plan. NDIA, other local associations and content-specific companies are working in conjunction with ACC-APG to educate companies, large and small, about CMMC, its benefits, costs, and implementation challenges. The symposium hosted in 2020, along with an Armed Forces Communications-Electronics Association (AFCEA) small business program session in March 2021, provided local companies with a rich source of information as they begin to consider the how, when, and why of implementing CMMC. Companies in the area are being made aware that, beginning in 2024, CMMC will be included in APG-ACC managed contracts, giving both industry and government ample time to prepare and comply.
“One of the Army Alliance’s objectives is to support the growth and sustainment of mission and workforce to the Aberdeen Proving Ground community. We are partnering with local professional and academic organizations to educate the local defense and commercial community regarding application and implementation of the Cybersecurity Maturity Model,” says Army Alliance President Tony Lisuzzo.
The Army Alliance has also been supporting the Maryland Cyber Security Council, established several years ago to educate and support legislation implementing security measures across state infrastructure. This will benefit the security of State contractors and help avoid future losses due to cyber breaches. “The concept of a CMMC framework arose in response to a series of high-profile breaches of DoD and local government information,” added Lisuzzo.
“In the case of CMMC and its attendant regulation, the DoD, USD Acquisition and Sustainment (A&S), spent a significant amount of time working with industry and interested associations to understand issues, concerns, and challenges with implementation. USD A&S in conjunction with the Services, particularly contracting offices at local posts and stations, did industry outreach to try to ensure industry understood the emerging requirement and associated timeline for implementation,” stated Lockhart.
The Implications of Doing Business
CMMC must be viewed from two perspectives: internal implementation within a particular company, and external implementation as part of a Government-contracted effort. “Each company will have to look at its processes and practices for protecting specified information and make adjustments as necessary – the internal implementation will be similar for companies large and small, with the difference in cost and complexity, a function of size and organizational structure. However, most contracts are not performed by a single company; in most cases a company will provide a solution to a U.S. government problem with a series of partners,” says Lockhart. The CMMC guidelines place an additional requirement on the Prime to ensure that it and its subcontractors are CMMC-compliant. For a company with a few subcontractors, there is one level of complexity; for a company with thousands of subcontractors, CMMC compliance verification becomes far more complex and costly. Large companies will have to figure out how to implement both CMMC and a process for ensuring the certification of one-to-many subcontractors. The greater the number of subcontractors, the greater the complexity of CMMC implementation and the cost to the Prime Contractor. This leads to higher contract costs for the company and potential delays to contract award as the Prime works to get subcontractors compliant.
The Cost Factor
Final accreditation guidelines are still under development, with certification costs comprising four components: non-recurring engineering costs, recurring engineering costs, contractor support, and the C3PAO assessment. Even for small entities, these projected costs are significant.
There are potentially substantial costs devoted to creating organizational readiness, both for companies seeking CMMC certification and for those offering CMMC readiness services. “Organizationally, businesses will devote staff resources towards internal analysis and remediation,” says Toby Musser, CEO of MNS Group. “As an example, organizations that need to certify at CMMC Level 3 due to CUI and are currently using Microsoft Business Accounts like Office 365 will need to migrate to GCC or GCC High, an increase per license of 200-400% over Office 365,” he added.
After an internal review, a third-party review from a Registered Provider Organization (RPO) can provide a Gap Analysis or Pre-Assessment to facilitate a successful CMMC Assessment from a Certified Third-Party Assessor Organization (C3PAO). Costs start at $6,000 and increase with the number of locations and the complexity of the organization. Assessors will study and test the company’s procedures and policy, and verify that they are repeatable and are being followed by the company.
Technology companies that register as an RPO will invest $5,000 yearly to be on the CMMC-AB Marketplace: $1,000 to apply, and at application approval, a Year-One Certification fee of $4,000. Annual maintenance is $5,000. The training and test cost for each Registered Practitioner (RP) is $500 per employee, valid for one year. Organizations that apply for C3PAO status pay a $1,000 application fee, with a $2,000 activation fee. Annual maintenance fees are $2,000. CMMC Certified Professionals (CCP) and CMMC Certified Assessors (CCA) have fees associated with training through a certified CMMC Licensed Training Provider (LTP), with annual fees depending on level of certification. C3PAOs must also pass an assessment of their own network equivalent to the level of assessment they wish to perform on an Organization Seeking Certification (OSC).
Insights for the Contractor & Provider
Regarding CUI, subcontractors should look to their Prime for insight. There may also be clauses in a contract that dictate further controls and restrictions on data, such as ITAR or NOFORN. A good starting point for OSCs is the DoD Mandatory CUI Training. This training details how to identify CUI, how to properly handle it, and how to mark CUI yourself.
The greatest impact for companies will be deciding when to make the investment, or when to allocate funds, to become CMMC compliant. Resources are finite, and the challenge is when and to what extent a company implements CMMC, understanding that the resources – funding and people – will not be available for some other opportunity, making this an opportunity cost issue. While the Government has provided industry with lead time before compliance becomes mandatory on all Government contracts and, most importantly, has determined that the cost of compliance can be charged as an allowable cost, there are many companies who may be engaging with the government for the first time. The question becomes when to implement: in advance of a contract, or after winning one? “This is going to be a dilemma for many companies, particularly those who do not do the majority of their business with the U.S. Government,” added Lockhart.
“There’s a theory… going around that says network security and cybersecurity can be treated like boxes to check off and then never thought about again. But that is far from the truth,” says Musser. “The vigilance required to keep your data, systems, and networks secure is an ongoing concern.”
CMMC is not a score; it is pass/fail. This is a departure from other frameworks, where Plans of Action and Milestones were used. In CMMC, either the security practice domains are met and the OSC passes, or the security practice domains are unmet and the OSC fails. If the CMMC Certified Assessor determines the security practices were unmet, the OSC will need to remediate those areas within a specific time period. It is at the Lead Assessor’s discretion whether to allow the OSC to remediate any deficiencies. “There may not be a way to remediate AND show maturity. In the case that remediation is indicated, CMMC-AB has allowed 90 days,” says Musser.
“When it comes to Cybersecurity Maturity Model Certification (CMMC), many companies only have one Registered Practitioner (RP). However, by the end of February, MNS Group had 8 RPs in place. We’re extremely proud of this accomplishment and what it means not only for our business but also for the increased safety, security, and integrity of the client partners undergoing this certification,” stated Musser. The RPO certification signals that a consulting firm is invested in the CMMC space and has committed to cybersecurity best practices.
“Even for the most cyber-sophisticated company, the journey towards CMMC certification can be a long and complicated one. The fact is, CMMC certification is a heavy lift. RPOs are experts in the CMMC framework and play a vital role in ensuring contractors meet and maintain their desired CMMC level,” said Kernan Kelly, IT Solutions Consultant with MNS Group.
“Once client partners understand that truth, we see an increased investment in funding, people, and efforts to maintain that level of protection. It means organizations are being truly proactive, taking steps to ensure the integrity of their data,” Musser noted.
Determining Compliance Level: Company vs Product?
Enclaves can be made for departments that create or possess CUI as part of their work on a DoD contract. It is important to note that CMMC evaluates an OSC at the company level. Proper processes and controls need to be in place to ensure proper CUI flow within the organization. During the CMMC Assessment process, the lead assessor will work with the organization to determine the scope of the assessment. If the lead assessor agrees that the OSC is protecting CUI flow within the organization and enclaves, the assessment may proceed.
Understanding the Impact of DoD Mission Success
The greater defense community understands and values APG as the center of gravity for Army C5ISR, and industry is deeply embedded in those efforts. It requires a collaborative community (government, industry, and academia) to be in sync to achieve the necessary level of compliance. Academia will play a key role in developing and enhancing the workforce to address and maintain compliance; DoD organizations must promote and ensure that institutions have the accredited resources needed.
At Harford Community College (HCC), the County’s hub for cybersecurity education and training, information technology staff are being introduced to the CMMC concepts. As an academic institution doing business with Aberdeen Proving Ground, HCC is already positioning itself to meet cyber quality standards. “We look forward to moving into the second phase of assisting local defense contractors in their efforts to be certified in CMMC,” remarked Dr. Theresa B. Felder, HCC President.
Under the CMMC-AB construct, there will be several distinct roles for organizations and individuals: developing CMMC curriculum, providing CMMC training, conducting accreditations, and selling CMMC support ‘tools.’ The DoD’s CMMC approach is being looked at as a model for adoption by other Federal organizations.
A significant amount of work over a limited period of time needs to be invested by companies and organizations in order to prepare for an assessment and accreditation. A holistic approach among government, industry, and academia is a strong first step and collaboration is key. In the spirit of the African proverb, “It takes a village to raise a child” … it takes a defense community to meet DoD cybersecurity compliance!