Introduction: Where the DoD stands on cybersecurity certification
The Department of Defense (DoD) created the Cybersecurity Maturity Model Certification (CMMC) to secure the Defense Industrial Base (DIB). It responded to growing concern that DoD contractors and subcontractors could not always meet the cybersecurity standards and best practices needed to manage sensitive data, which made them the weakest link in the DoD cybersecurity chain.
To help suppliers strengthen their cybersecurity protections, the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD (A&S)) introduced the CMMC so that every defense contractor in the supply chain must meet a unified standard to be eligible for a contract to develop or deliver a product or service to the US government.
Complying with the DoD’s CMMC
CMMC builds on existing cybersecurity standards (specifically NIST SP 800-171 and DFARS clause 252.204-7012) and is designed to assess the maturity of an organization's security practices. Contractors are assigned a maturity level based on the state of their cybersecurity program and the security controls in place; Level 1 is the lowest rating and Level 5 the highest.
All companies doing business with the DoD must be CMMC-certified, whether or not they handle Controlled Unclassified Information (CUI). In the past, companies could self-certify their status and enter a contract with a promise to work toward compliance; now businesses of all sizes are assessed by an accredited, independent third party that assigns them a cybersecurity "maturity" level from 1 to 5 before they can be placed under contract.
With the rollout of CMMC, all 300,000 DoD contractors will need external assessments of their cybersecurity compliance. These will be conducted by CMMC Third-Party Assessment Organizations (C3PAOs), which are authorized to audit only after training and assessment by the CMMC Accreditation Body (CMMC AB).
Whether a company can work with the DoD and bid on future defense work will depend on whether it can achieve the CMMC maturity level required for the contract it seeks and for its role (prime contractor, subcontractor and so on). The level at which a company must be certified to be awarded a contract will be specified in the Requests for Information (RFIs) and Requests for Proposals (RFPs).
On the path to CMMC compliance
To prepare for these changes, companies will need to demonstrate compliance with the comprehensive CMMC model framework. The framework consists of 17 cybersecurity domains based on best practices; these comprise 43 capabilities, 171 practices and 5 processes, which are mapped to CMMC Levels 1 through 5. Figure 1 below explains the levels, each of which is reached by satisfying a set number of required processes and practices.
Figure 1: Image is from the OUSD (A&S) and highlights CMMC level descriptions
Table 1. Image is from the Government Contracts & Export Controls Practice Group at McCarter & English
Table 2: Image is from Cybersecurity Maturity Model Certification (CMMC) DRAFT Version 0.7 December 6, 2019, page 6
What does it take to achieve CMMC level 1–5 compliance?
Now it's time to consider whether and how you can achieve compliance with each CMMC maturity level. Be aware that each has a different focus.
Level 1: Safeguard Federal Contract Information (FCI)
This is the only level at which processes need not be documented to pass the audit; the company only has to perform them. The company is also required to practice "basic cyber hygiene."
Level 2: Serve as a transition step in cybersecurity maturity progression to protect CUI
This is where documentation of practices and policies is introduced so that practices are performed in a "repeatable manner." The 72 required practices (cumulative across Levels 1 and 2) provide "intermediate cyber hygiene" for the protection of CUI.
Level 3: Protect Controlled Unclassified Information
This level requires actively managing established processes according to documented plans; it demands good cyber hygiene and the implementation of all NIST SP 800-171 controls through a cumulative 130 practices.
Levels 4–5: Protect CUI and reduce the risk of Advanced Persistent Threats (APTs)
Level 4 adds a systematic review of the effectiveness of established processes and concentrates on protecting CUI from APTs through a cumulative 156 practices. At Level 5, processes are optimized for continuous improvement and 171 advanced, proactive practices are in place to increase cybersecurity capabilities.
Here is what businesses need to do to pass the audit at each level.
A company that handles only Federal Contract Information (FCI) needs to certify at Level 1; essentially, it must meet the basic safeguarding requirements of FAR clause 52.204-21, Basic Safeguarding of Covered Contractor Information Systems.
This means the company must carry out a number of actions: access control that gives users access only to the information they need for their jobs; control of the information it makes publicly available; identification and authentication of those who access its systems; protection of systems from malicious code; and physical protection of its IT infrastructure and the data it supports.
Bear in mind that, as companies progress through the levels, they will be required to implement more stringent measures.
Level 2 adds safeguards in most of the practice areas. It builds on the actions taken at Level 1 and prepares the company to mature toward Level 3.
In access control, for example, the company will now be required to lock sessions after a period of inactivity, limit the number of failed login attempts, give users the least privilege needed for their functions, control remote access and more. Documentation and audit logs are also required at this level so that users and their actions can be traced and individuals held accountable when issues arise.
Requirements for awareness and security training are added, as well as a number of configuration management tasks: monitoring user-installed software, enforcing security configuration settings and analyzing planned changes to assess their security impact.
At this level companies also need to enforce more stringent password rules, introduce incident response procedures and backup provisions, set safe rules for system maintenance, protect system media containing CUI and adopt risk management practices, including periodic vulnerability scanning.
For system and information integrity, companies need not only to protect against malicious code and scan all downloaded files, but also to monitor inbound and outbound communication traffic and act on all security alerts.
A company that needs access to CUI must achieve Level 3. At this level, all NIST SP 800-171 controls and a cumulative 130 practices are required. How can a business achieve the good cyber hygiene this level demands?
First, in access control, separation of duties between individuals becomes paramount, along with controls on the use of cryptographic mechanisms and the connection of mobile devices. Asset management practices are introduced, with the need to establish procedures for handling CUI. Audit information and logging tools must be protected, and configuration management actions such as blacklisting unauthorized software are added. Staff also need awareness training at a higher level so that they can recognize and report potential insider threats.
Also required are multifactor authentication for local and network access; the ability to track incidents and report them to the authorities; testing of incident response procedures; periodic risk assessments; removal of CUI from any equipment that is taken out of service; safeguards to prevent CUI from being compromised in transit to other sites; and routine physical protection measures. Data backups must be "complete, comprehensive and resilient." Situational awareness becomes important: the company must monitor forums and other communication channels to learn of current threats and pass them on to those who need to know. Spam filtering and email protection must be implemented.
A number of practices are introduced under system and communications protection. Among them: CUI must be protected with FIPS-validated cryptography; VoIP and the use of mobile code must be controlled and monitored; DNS filtering must be implemented; and user functionality must be separated from system management functionality.
At Level 4, attention to APTs is added to the protection of CUI. Businesses will be required to control the flow of information between security domains on connected systems and to review access permissions to programs that handle CUI. They will also need to automate the review of audit logs so that suspicious activity is acted on more promptly, periodically scan the infrastructure for unauthorized ports, employ threat intelligence procedures and carry out periodic penetration testing. Physical and logical isolation of important systems and components must also be ensured, and an application whitelist must be implemented.
Greater focus is placed on awareness training. Training must be given at least annually to prepare employees to defend themselves against social engineering attempts and to defend the systems against advanced persistent threats (APTs) and breaches. The company also needs a security operations center (SOC) that is active 24/7. At the same time, it must continuously assess how to improve its cybersecurity further and use data from external organizations to stay current on the newest threat indicators and intrusion detection information.
With its 171 required practices, Level 5 encompasses all the requirements of the lower levels and ensures that the company can meet the most stringent security requirements needed when handling the most sensitive projects.
Great attention is now paid to wireless access points into the system. Configuration management includes verifying the integrity of essential software. In the event of a cyber-incident, the company must be able to respond in real time (that is, with systematized and automated responses) as well as through manual procedures, and must use and protect forensic data. Recovery is supported by ensuring that information processing facilities meet organizationally defined information security continuity, redundancy and availability requirements.
Continuous monitoring of normal system and staff behavior is implemented so that deviations can be recognized quickly and the individuals involved analyzed. All security solutions in place must be reviewed at least annually against acquired threat intelligence.
With the increase in cyberattacks targeting the DIB supply chain, the DoD has been working toward the implementation of CMMC, a cyber maturity assessment framework that is the new standard for prime contractors and subcontractors pursuing DoD contracts. CMMC replaces self-certification against the NIST SP 800-171 framework and DFARS clause 252.204-7012 with a mandatory third-party assessment audit. A preparatory self-assessment against the target level is still the way to identify gaps and plan for growth before the formal audit.
To ensure proper implementation of and compliance with these requirements, CMMC certification will become the norm. Attaining it will be a competitive advantage when bidding on future contracts, since companies that are not certified will not be allowed to participate in government projects. Companies should therefore prepare by determining early which CMMC level they believe they can meet, based on the future contracts they plan to bid on or on their internal business goals.
Where are you with CMMC certification and the DoD cybersecurity journey?
For more information on CMMC, and how to achieve compliance, especially from a contractor strategy perspective, view the IT Governance USA Inc. webinar (a YouTube video, 55:49 mins) and the initial press briefing (43:25 mins) by DoD officials and members of OUSD.
Sources
CMMC, Office of the Under Secretary of Defense for Acquisition & Sustainment
CMMC Model, Office of the Under Secretary of Defense for Acquisition & Sustainment
CMMC FAQs, Office of the Under Secretary of Defense for Acquisition & Sustainment