The Department of Defense (DoD) recently announced the introduction of a new program called the Cybersecurity Maturity Model Certification (CMMC), which will serve as a framework for enforcing the department’s existing Defense Federal Acquisition Regulation Supplement (DFARS) requirements. The current DFARS cybersecurity requirements were implemented in December 2017 to protect controlled unclassified information (CUI) as codified in NIST SP 800-171. The program, which will be implemented in 2020, aims to improve CUI security by introducing a formal audit program for compliance. The Office of the Under Secretary of Defense is publishing updated drafts of the CMMC.
Key Takeaways of the CMMC Program
- NIST CSF, NIST SP 800-171, ISO 27001-2013, CERT Resilience Management Model, DIB SCC TF WG Top 10, CIS CSC, and other existing standards and sources will provide a basis for the CMMC framework.
- The framework will associate the different practices and processes to maturity “Levels” based on their complexity and their importance.
- Any organization that wishes to do business with the Department of Defense (DoD) must meet at least all the provisions of the basic maturity level, Level 1, of the CMMC program.
- Self-assessment will be replaced by audits from qualified and accredited third-party organizations to establish the maturity level a contractor or subcontractor has achieved. Auditing will cover all levels of data storage and movement, including lower-risk activities such as internal chats between employees; for Office 365 users, compliance in Teams will be evaluated.
- DoD will publicize each of their contractors’ maturity levels but will not give details regarding strengths and deficiencies or areas of weakness.
- The program aims to make the certification process both smooth and affordable.
- The program develops and deploys tools for third-party certifiers to conduct audits of contractors.
Levels of the CMMC
Under the proposed program, the cyber maturity of all DoD contractors will be analyzed and certified by third-party organizations accredited by the department. The framework consists of five maturity levels – Level 1 through 5 – whose cybersecurity requirements become more advanced as you go up the levels.
Several sources and data security regimes, including NIST SP 800-171, CIS Critical Security Controls 7.1, and ISO standards, will be used to provide controls for the different CMMC levels. Level 1, or “basic cybersecurity”, is expected to entail a small subset of 800-171-based data controls and other “best practices”. Levels 2 and 3 provide a closer approximation of what is required by NIST SP 800-171 and DFARS 252.204-7012. The mid-levels will encompass all 800-171 Rev. 1 controls as well as other practices outside the CUI protection scope. Level 5 of the CMMC calls for the most advanced cybersecurity practices within and beyond the perimeter of CUI protection. Additional controls may include a 24/7 SOC, network segmentation, real-time asset tracking, and initial response actions.
One crucial mandate of the CMMC program is the ability to detect breaches readily, a capability that many government contractors lack. Businesses will be required to incorporate advanced breach detection solutions into mature processes and appropriate governance so that malicious devices, activities, and other indicators of a breach can be identified. Contractors and subcontractors will therefore need to put in place solutions that can assess new attack vectors and protocols to detect anomalous behavior and breaches on their networks.
It is worth noting that the need for DoD contractors and subcontractors to prove security adequacy will not go away with the implementation of the CMMC program. Contractors’ CMMC Levels will be determined by the number of 800-171 controls and additional processes and practices they have implemented. The more practices a contractor has implemented, the higher their CMMC Level certification is likely to be. That said, contractors will still need to prove that they have implemented adequate security controls to be awarded contracts by the Department of Defense. Here are examples of specific practices required at the various maturity levels:
- FAR requirements
- Ad hoc incident response
- Awareness and training
- Risk management
- Security continuity
- Compliance with all NIST SP 800-171 requirements
- Share threat information with key stakeholders
- Multi-factor authentication
- Network segmentation
- Detonation chambers
- Mobile device inclusion
- Use of DLP technologies
- Supply chain risk consideration
- Threat hunting
- 24/7 SOC operation
- Device authentication
- Cyber maneuver operations
- Organizational custom protections implementation
- Real-time asset tracking
The Certification Process
Before engaging an auditor, it is advisable for a contractor to use the new framework to evaluate themselves, so that they can see the CMMC level with which they are in full compliance. Using applications such as Compliance Manager, a business can assess its information storage and sharing practices and identify minor issues that could inhibit qualification for certain maturity levels. The process will be even easier for companies that rely on Microsoft Government Cybersecurity solutions to handle data.
Once you are done self-assessing and making adjustments, you can request a level-specific certification from a 3PAO (third-party assessment organization). The 3PAO certification will serve as confirmation that your business meets all the DFARS requirements for that specific level.
Once the CMMC requirements are publicized, contractors will be given a six-month window to be audited and rated. The program will be officially implemented in June, and that is when contractors can start receiving Requests for Proposals (RFPs) showing the levels the various contracts require. Certification will be considered an allowable cost, meaning contractors will be able to recover cybersecurity-related expenses as part of their direct or indirect costs.
As the DoD acknowledges, most data breaches originate from smaller businesses in the supply chain, so the program will mainly target these businesses. These same contractors are also expected to have difficulty complying with CMMC. Here’s why:
DoD contractors that have yet to design and implement formal security programs will not be prepared to identify, prevent, and report cyber-attacks in the supply chain, because they lack essential security processes, policies, and controls. Incident-response plans are required of all contractors and subcontractors, and the DoD expects intrusion events to be reported within 72 hours of detection.
What’s more, contractors often lack documented procedures for audits, risk assessments, and due diligence of their subcontractors.
Many smaller companies may also not understand some of the obligations that come with DoD contracts, mostly because defense contracts differ across agencies.
How Will the CMMC Program Affect Contractors?
Here are some ways CMMC will affect contractors:
- Your current contract may be canceled. If you have a contract with the DoD, CMMC may render you noncompliant with the contract’s maturity level requirements and, hence, unqualified. Be sure to ask about intended CMMC requirements during RFI periods so that you can align your business with the prerequisites of a contract you are holding or eyeing.
- Subcontracting and teaming procedures will likely change. While the rules on subcontracts are still unclear, it’s likely that the CMMC level will apply to both the prime contractor and any partner.
- Compliance confusion will end. Unlike DFARS, ITAR, and other current frameworks, CMMC compliance will be simpler because all businesses are certified and assigned maturity levels before applying for contracts, so contractors will know early on which contracts they are qualified for. Note that companies at higher levels will be more likely to be considered for contracts. ITAR will remain a separate set of regulations; however, the projection is that ITAR compliance will be encompassed in a specific certification level of the new CMMC program.
The DoD acknowledges that perfect compliance with some practices is virtually impossible and will probably be overlooked. For instance, large organizations with many endpoints may not be able to keep their asset inventory up to date at all times, which means that at any given moment the business could be in violation of the requirements of its level. There are no regulations yet on how the DoD will treat such cases, but minor cases of some devices not being inventoried will likely be disregarded.
Why CMMC Matters
The CMMC program is vital to both DoD contractors and the government. Contractors will get a fairer compliance standard that unifies conventional measures such as NIST SP 800-171, NIST SP 800-53, ISO 27032, ISO 27001, and AIA NAS9933. The DoD will minimize the chance of noncompliant contractors being awarded defense contracts, which will curb attacks on the country’s defense systems and improve national security.
While businesses may still be unaware of the level requirements for specific DoD contracts, controls for the new program will still be drawn from DFARS and other existing control standards. Businesses can thus begin working towards compliance and accreditation now by moving to GCC High, establishing security and compliance controls, and inviting auditors to determine compliance with existing frameworks.