Department of Defense Requirement for Cybersecurity Maturity Model Certification
The Department of Defense (DoD) Cybersecurity Maturity Model Certification (CMMC) program intends to change how the DoD handles cybersecurity requirements for contractors, including research universities like UNM. CMMC will, when fully implemented between now and 2024, require every contractor's cybersecurity practices for all contracts to be audited and certified by a third-party auditor. The Cybersecurity Maturity Model prescribes five levels of cybersecurity maturity that measure cybersecurity controls and processes and ensure alignment with relevant policies.
This certification process will identify the various levels of cybersecurity controls and safeguards research institutions have in place. Using this standard model, the DoD will identify the required level of certification in solicitations. In order for researchers to apply for funding opportunities, the required level of certification will need to be met. Based on the communication from DoD, the CMMC requirements will be incorporated in funding opportunity announcements released over the next four years, with the aim of including CMMC requirements in all DoD acquisitions by 2024, no matter the sensitivity of the data or computation being handled.
Current guidance is that the initial rollout will focus on systems that handle Controlled Unclassified Information (CUI) by requiring contractors to fully document and submit to DoD their plans for securing systems that store, transmit, or process CUI data. In addition, DoD has announced that it will cover the cost of implementing CMMC controls in systems supporting CMMC contracts as an "allowable, reimbursable cost".
The UNM Office of the Vice-President for Research, UNM IT, and the UNM Health Sciences Center have established a CMMC Working Group to prepare UNM systems, processes, and staff to meet CMMC requirements. This working group also plans to develop and share the best practices, guidelines, and templates that researchers will need to continue to successfully pursue DoD funding opportunities with CMMC requirements.
Since DoD is continuing to clarify the process and expectations of this new requirement, UNM's work is ongoing and will be documented on this website as it progresses.
A list of answers to questions frequently asked by UNM researchers is provided below. More information on CMMC requirements can also be found at the official DoD CMMC website: https://www.acq.osd.mil/cmmc/index.html
UNM Guidance for DoD CMMC FAQs
- How will CMMC impact subcontractors?
At a minimum, all subcontractors will be required to carry CMMC Level 1 Certification to continue to participate in DoD contracts. Additionally, a prime contractor may require Level 3 Certification for a contract while subcontractors may require different levels of certification. Prime contractors will work with contracting officers to determine the CMMC levels required for subcontractors. The process to determine subcontractors' CMMC certification requirements is still evolving, and more information will be added to this webpage as it becomes available.
If you receive Representation and Certification documentation from a Sponsor requiring CMMC certification, direct the request to the Office of Sponsored Projects for completion.
- What should PIs do now?
- For DoD awards prior to Nov 30, 2020, no action is needed at this time. As your DoD project develops, communicate regularly with the Office of Sponsored Projects on any changes to the scope of work that include proposed requirements for handling controlled unclassified information (the DFARS 252.204-7012 clause).
- If you are planning to submit a DoD proposal in the near future, carefully review sections L and M of each DoD solicitation to determine whether any CMMC certification level is required at the time of proposal submission. If so, contact the Office of Sponsored Projects as early as possible so they can put you in contact with UNM IT and the proper certification requirement is obtained for your proposal prior to the submission deadline.
- Who can help me understand whether my research environment meets the standards imposed by a DoD CMMC level?
If you need help understanding whether your research system meets the standards imposed by a Department of Defense Cybersecurity Maturity Model level, contact osp@unm.edu.
- Who at UNM will certify my cybersecurity measures?
Certification of cybersecurity measures as required by the Department of Defense must be done by an entity outside of UNM. In other words, UNM cannot "self-certify".
- Is there a list of third-party CMMC certifiers?
As of December 1, 2020, certifiers are still being trained; once companies that provide certifications are announced, we will provide links to that list.
- Will UNM submit my DoD proposal even if I don't have the CMMC level needed in place?
UNM will proceed to endorse and submit a proposal without the required CMMC level in place, unless the solicitation states otherwise. If certification is an eligibility criterion, the proposal is subject to rejection by the DoD sponsor.
- How do I build in the cost of getting certified as a direct cost?
DoD states the cost of certification will be considered an allowable reimbursable cost. In order to integrate this into your budget, follow any budget instructions provided in the solicitation, and obtain estimates of costs that are substantiated. This may include obtaining quotes on system upgrades or using estimated cost data provided by UNM (currently being developed).
Your unit may also consider working with IT to implement the steps necessary to achieve certification at the required level, so that the costs incurred, to the degree they are applicable to your specific project, can be reimbursed by the DoD sponsor.
- Can UNM accept my contract if I have not had my system certified?
The DoD contract will include a new DFARS clause that will require UNM to have a certification in place upon accepting the award. UNM cannot make this assertion and accept a DoD contract without documentation that third-party certification for the CMMC level required by DoD is in place for your project. DoD may also request a copy of the certification, which we will be obligated to provide.
- Will the DoD CMMC requirements apply to DoD grants, in addition to contracts?
At this time, CMMC requirements apply only to DoD contract funding, and only when the solicitation includes a statement requiring the CMMC level applicable to the project. The Office of Sponsored Projects is monitoring all incoming DoD agreements, including grants and cooperative agreements, for language on this requirement.
- Does this apply to current DoD funding I have?
According to DoD, the CMMC requirement was effective November 1st, 2020, and only applies when the solicitation includes a statement as to the required CMMC level. However, the Office of Sponsored Projects is monitoring incoming amendments to existing active DoD contract awards to ensure this requirement is identified and addressed as it applies to the scope of work.
- Do we anticipate these cybersecurity measures will trickle down to current awards, or only to new awards?
As of December 1, 2020, we expect the DoD CMMC requirement will only apply to new contracts. However, it is possible it will be integrated into an active DoD contract by amendment, should the DoD Contracting Officer identify that CUI is involved as the project evolves.
- Will all DoD awards/proposal applications be subject to these new requirements, or only specific awards/proposal applications?
For now, we only expect this to apply to DoD contract funding (i.e. not grants or cooperative agreements) and only when the solicitation specifies the required CMMC level.
- How will CMMC compliance be different from compliance with NIST SP 800-171 through DFARS 252.204-7012?
CMMC merges several cybersecurity control standards, including NIST SP 800-171, into a single, unified standard. It goes beyond NIST SP 800-171 to include the assessment of organizational cybersecurity practices and processes in addition to the assessment of technical systems and practices. However, CMMC compliance will not imply NIST SP 800-171 compliance. NIST SP 800-171 includes 63 non-federal organization controls that are not covered by CMMC. At this time, contractors will have to continue to comply with DFARS 252.204-7012 requirements.
Additional Resources for Principal Investigators and Research Administrators
Official DoD CMMC FAQ site, Office of the Under Secretary of Defense for Acquisition & Sustainment CMMC.
DoD CMMC
CMMC stands for "Cybersecurity Maturity Model Certification". The CMMC will encompass multiple maturity levels that range from "Basic Cybersecurity Hygiene" to "Advanced/Progressive". The intent is to incorporate CMMC into the Defense Federal Acquisition Regulation Supplement (DFARS) and use it as a requirement for contract award. Visit the DoD CMMC website.
Controlled Unclassified Information (CUI)
CUI is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. Resources, including online training to better understand CUI, can be found on the National Archives website.
NIST Special Publication 800-171
NIST Special Publication 800-171 general information.