Cybersecurity Certification on the Way for Defense Industry Contractors

CPAs with clients who work for or with defense contractors need to understand the Cybersecurity Maturity Model Certification (CMMC). Matthew Schiavone, CPA, CISSP, CISA, explains the CMMC and offers a word of caution as to how it could affect the costs and resources of the contractor and how CPAs may be called on to be compliance assessors.

by Matthew Schiavone, CPA, CISSP, CISA, Dec 18, 2023, 13:27 PM

The U.S. Department of Defense (DoD) is a huge enterprise, and it can be mind-boggling when you include all the contractors and subcontractors that serve it. And each contractor is a potential weak link in the department’s security network. Enter the DoD’s Cybersecurity Maturity Model Certification (CMMC). The initiative, nearing implementation, is intended to secure the defense industrial base by requiring defense contractors to demonstrate compliance with National Institute of Standards and Technology (NIST) SP 800-171 and achieve CMMC.

Contractors will encounter a bevy of requirements to meet these challenges as well as considerable investments. CPAs with clients in, or who work for, defense contractors must understand how the CMMC will both affect the costs and resources of the contractor and how CPAs may be called on to be assessors of the new regime.

What Is CMMC?

The CMMC is a unified cybersecurity standard for DoD acquisitions that is aimed at securing the defense industrial base supply chain. This framework was updated in 2021 (CMMC 2.0), and the Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7021 (the CMMC Clause) is under regulatory review and awaiting publication so that it can be included in government contracts and become enforceable.

This clause and other CMMC 2.0 requirements are expected to be rolled into contracts no later than the first quarter of 2025. This gives organizations a little more than a year to achieve compliance and undergo an assessment if they want to support applicable contracts. These requirements (and certification) must be fulfilled prior to bidding on a contract, and preparation typically takes 12 to 18 months. As such, preparations should begin immediately.

CMMC implementation brings several challenges for those within the sphere of the defense industrial base:

  • Compliance – Organizations must align their cybersecurity practices with the relevant CMMC level and undergo assessments to obtain certification.
  • Investment – Meeting the requirements of higher CMMC levels may require substantial investments in cybersecurity infrastructure and training.
  • Continuous improvement – CMMC emphasizes continuous improvement in cybersecurity practices, ensuring that organizations stay resilient against emerging threats.
  • Competitive advantage – CMMC certification can be a competitive advantage when bidding for DoD contracts, as it demonstrates a commitment to cybersecurity. In many instances, it will be a requirement.

Must I Comply with CMMC?

When CMMC is required, contracts will include the CMMC Clause. But note, its requirements may “flow down” from the prime contractor to subcontractors, depending on the flow of controlled unclassified information (CUI) and federal contract information (FCI). CUI and FCI are types of data that are collected, created, transmitted, or received as a requirement of fulfilling the obligations of the contract to develop or deliver a product or service.

FCI is defined as information – not intended for public release – that is provided by or generated for the government under a contract to develop or deliver a product or service to the government, but does not include information provided by the government to the public (such as that on public websites) or simple transactional information (such as that necessary to process payments).1

CUI is information the government creates or possesses, or that an entity creates or possesses, for or on behalf of the government, that a law, regulation, or governmentwide policy requires or permits an agency to handle using safeguarding or dissemination controls.2

The government’s CUI Registry provides guidance for CUI, including policies and practices. This can help determine and assess the CUI for which contractors are responsible. The contracting officers and prime contractors, however, remain the best source for determining the types of CUI and the responsibilities.

What Are the Requirements?

CMMC 2.0 defines three levels of certification (a reduction from five levels in CMMC 1.0):

  • Level 1 – Basic safeguarding of FCI.
  • Level 2 – Protecting CUI (previous CMMC 1.0 Level 3).
  • Level 3 – Protecting CUI and reducing risk of advanced persistent threats (previous CMMC 1.0 Levels 4 and 5).

Level 1 is applicable when organizations are exposed to only FCI. As such, contractors must self-attest to complying with 17 requirements from NIST 800-171. However, contractors who process, transmit, or retain CUI will find themselves facing Level 2, and potentially Level 3, requirements.

Level 2 requires contractors to implement all 110 of the NIST 800-171 requirements and undergo an independent third-party certification by a CMMC third-party assessment organization (C3PAO) once every three years. Likewise, Level 3 requires triennial certification led by a government team. Note, Level 3 requirements have yet to be fully determined, but will include the 110 NIST 800-171 requirements in addition to a subset of NIST 800-172.

When pursuing these certifications, a contractor must first achieve Level 2 before pursuing Level 3. However, a contractor can elect to skip Level 1 and move straight to Level 2.

An overarching requirement of each level (and the CMMC Clause) is a system security plan (SSP). The SSP is a formal document that provides an overview of the security requirements for an information system or an information security program and describes the security controls in place or planned for meeting those requirements. It describes the system components that are included within the system, the environment in which the system operates, how the security requirements are implemented, and the relationships with or connections to other systems.3

Is Compliance an Allowable Cost?

There has been guidance and communication from the government that CMMC-related costs will be treated as allowable costs that are recoverable by federal contractors. Contractors should budget and cost CMMC-related expenses accurately and capture them in the correct rate pool. Costs should be pooled with costs similar in nature and allocated to cost objectives so that CMMC compliance expenses can be reimbursed.

CMMC is a vital step in enhancing the cybersecurity posture of the defense industrial base. By standardizing cybersecurity practices and certifications, it helps protect sensitive information, mitigate evolving cyber threats, and secure national interests. Organizations operating within the defense industrial base must adapt to these changes and invest in cybersecurity to remain competitive and contribute to national security.

1 www.acquisition.gov/far/subpart-4.19
2 Ibid.
3 https://csrc.nist.gov/glossary/term/information_system_security_plan

Matthew Schiavone, CPA, CISSP, CISA, is managing director, risk assurance and advisory, at Cherry Bekaert Advisory LLC in Pittsburgh and is a member of the Pennsylvania CPA Journal Editorial Board. He can be reached at matt.schiavone@cbh.com.
