DoD’s Cybersecurity Maturity Model Certification (CMMC) initiative
Introduction: High-profile data breaches are hitting Defense Industrial Base (DIB) supply chains
Government organizations are just as likely to suffer data breaches as any other business, and they are increasingly and specifically targeted. The U.S. Department of Defense (DoD) is a case in point: a breach disclosed on October 4, 2018 affected at least 30,000 military and civilian personnel. In that incident, attackers gained access to personal information and credit card numbers through a third-party system that maintained travel records.
The incident highlights the difficulties the DoD faces in securing its data, especially once that data is entrusted to outside entities. It also underlines why tighter security has become a priority for the federal government anywhere covered defense information (CDI) is processed, stored or transmitted, including on contractor networks.
Though security breaches are inevitable, resilience to cyber-attacks can be improved and supply chain risks minimized. As Kevin Fahey, Assistant Secretary of Defense for Acquisition, said: “We need risk management solutions to assess, measure, and mitigate risk in real-time across multi-tier partner and supplier networks to achieve our goal of cost, schedule and performance, as they are only effective in a secure environment.”
DoD’s newest framework and standard for cybersecurity: CMMC
Coming in 2020, proof of adequate security is going to be a requirement for DoD contractors. Every prime and subcontractor in a supply chain will be assessed and certified under the Cybersecurity Maturity Model Certification (CMMC) framework, which is designed to measure and enhance the cybersecurity posture of the Defense Industrial Base (DIB). This will benefit the security of contractors and the DIB as a whole, and help the DoD avoid future losses due to cyber breaches.
“The concept of a CMMC framework arose in response to a series of high-profile breaches of DoD information,” writes Susan Cassidy, Government Contracts Attorney, Covington. This new program was designed to strengthen the defense industrial base and be a relevant benchmark to secure the supply chain, she said. The framework aims to certify a company’s compliance with federal cybersecurity regulations around controlled unclassified information (CUI).
What is the CMMC?
CMMC is a supply chain risk management approach for the Department of Defense and its industrial base. Soon, CMMC third-party certifiers will have the tools to conduct audits and collect metrics and risk management information for the entire supply chain.
When implemented, the controls and processes associated with each of several maturity levels, ranging from basic cyber hygiene to advanced measures, will reduce the risk posed by a defined set of cyberthreats. The effort fortifies the DoD’s cybersecurity strategy in an area of risk that has so far been hard to control: the security and readiness of third-party systems.
The draft standard released this summer details five maturity levels. The DoD plans to finalize the model in January 2020, after which vendors will be evaluated and certified against the requirements of each level by third-party assessment organizations. By June 2020, the CMMC requirements will appear in requests for information (RFIs), and by September 2020 in requests for proposals (RFPs).
As Ms. Cassidy explains: “Notably, DoD will assess which CMMC level is appropriate for a particular contract and incorporate that level into Sections L and M of the RFP as a ‘go/no go’ evaluative determination.”
This framework reflects the DoD’s first attempt at solving a long-standing issue. The model that inspired this maturity-level approach to procurement is the Cyber Security Model that the United Kingdom’s Ministry of Defence currently applies to all of its contracts, but the DoD’s solution will also incorporate many of the existing requirements of NIST SP 800-171, which measures a contractor’s compliance with a specified set of controls. The CMMC, however, will more broadly “measure the maturity of a company’s institutionalization of cybersecurity practices and processes,” and is also expected to combine relevant portions of NIST SP 800-53, ISO 27001, ISO 27032, AIA NAS9933 and others into one unified standard for cybersecurity.
In addition to cybersecurity control standards, the CMMC incorporates many of the existing requirements of the Federal Risk and Authorization Management Program (FedRAMP) security baseline. In other words, the goal is “one standard, one maturity model,” writes Thomas Taylor at Tripwire.
The maturity levels for NIST 800-171/CMMC compliance
The Department of Defense currently mandates that its contractors meet the requirements of NIST Special Publication 800-171, but there is no independent audit or accountability mechanism for protecting CUI. This shortcoming led to the Cybersecurity Maturity Model Certification (CMMC), which will require third-party audits and certification across the DoD supply chain. The program builds on Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012, which requires defense contractors handling sensitive unclassified information to implement the 110 security controls of NIST SP 800-171.
Implementing cybersecurity in DoD supply chains is based on five certification tiers. The control counts below are the controls added at each level; the three tiers drawn from NIST SP 800-171 together account for all 110 of its controls:

| CMMC level | Designation | Controls added | Source |
|---|---|---|---|
| Level 1 | Basic Cyber Hygiene | 17 | NIST SP 800-171 rev 1 |
| Level 2 | Intermediate Cyber Hygiene | 46 | NIST SP 800-171 rev 1 |
| Level 3 | Good Cyber Hygiene | 47 | NIST SP 800-171 rev 1 |
| Level 4 | Proactive | 26 | NIST SP 800-171B |
| Level 5 | Advanced/Progressive | 4 | NIST SP 800-171B |

While earlier regulations such as NIST SP 800-171 allowed self-assessment, to be awarded a certification at a given CMMC level a company will need to demonstrate to assessors and certifiers that it has the required capabilities and organizational maturity, with controls and processes in place that reduce the risk of specific cyberthreats.
The five levels available also recognize that not all companies will need the highest levels of controls and cybersecurity. Companies that conduct business that only requires basic levels of cyberhygiene will still be able to prepare for certification in cost-effective and affordable ways. Cybersecurity will also be an allowable and reimbursable cost in DoD contracts.
Timeline for CMMC
Katie Arrington described the following timeline for CMMC during a presentation for a group of DoD contractors on May 23, 2019 to announce the proposed program:
- Mid-2019: Working groups and creation of automated assessment tools
- Early 2020: Begin developing oversight and certifier accreditation program, processes
- Mid-2020: Test the certification program and revise it
- Mid/late-2020: Accredit third-party certifiers
- Future: Begin adding CMMC requirement to all new DoD RFPs
Note: There will be a Security Awareness Conference on Thursday, September 26th, 2019 at the Hyatt Regency Tysons Corner Center, Virginia. The conference will feature security experts from industry and government, with a Q&A session for attendees to gain additional insight into the new contractor cybersecurity standard (CMMC) and its five-level system.
Figure 1: CMMC implementation timeline
The question remains whether third-party certifiers can meet the acquisition solicitation timeline, and whether there will be enough auditors to carry out CMMC assessments so that businesses can keep doing business with the DoD. It is a daunting undertaking, but the Pentagon is optimistic: the move to full enforcement of the new certification standard for DoD contractors is already taking shape months ahead of the anticipated mid-2020 launch.
What will CMMC be like: Key points
- Five levels of data security, ranging from basic cyber hygiene to state of the art, so that reasonable security measures can be implemented based on the needs of the contract. Every contractor and subcontractor on a defense contract, whether or not it handles sensitive information, will have the effectiveness of its cybersecurity practices scored on a scale of 1 to 5
- Contractors that are noncompliant with the required level will not be able to retain DoD contracts.
- Under the new certification requirements, DoD contractor information systems will have to be certified compliant by an outside auditor. This addresses an ongoing problem in which some businesses have self-certified compliance without fully implementing (or understanding) the needed security controls
- A tool will be developed to allow third-party cybersecurity certifiers to conduct audits and collect metrics. The DoD will also measure compliance with the DFARS and NIST requirements to ensure contractors are handling sensitive unclassified information properly
- It will use a single standard across all DoD contracts, regardless of the kind of business involved
- Cybersecurity will be an “allowable cost” in DoD contracts. Contractors will be allowed to seek reimbursement from the government for achieving their CMMC certifications
Katie Arrington of the Office of the Under Secretary of Defense for Acquisition and Sustainment said the DoD is planning a “crawl, walk, run” approach, with an 18-month timeline, to ensure a smooth rollout of the CMMC. The department is taking the plan on the road to engage with the Defense Industrial Base and solicit feedback through a series of nationwide “listening sessions” in eleven cities.
In an effort to increase cybersecurity and protect against threats to its supply chain, the U.S. Government and the DoD are implementing a new system that requires companies doing business with the government to be CMMC-certified at a minimum of Level 1 during contract performance.
The Cybersecurity Maturity Model Certification aims to enhance the cyber posture of companies throughout the DIB multi-tier supply chain in order to reinforce the protection of CUI residing on company networks. Third-party auditors will perform CMMC assessments and evaluate companies against the maturity scale; contracting officers will decide which level is required for each contract put out for bid. In essence, “the CMMC appears to be a strategic and well-thought-out solution to prioritizing DFARS enforcement, while at the same time, helping small businesses improve cyber hygiene and slowing the progress of those adversaries responsible for $600B of the government’s IT and R&D losses,” as Thomas Taylor writes.
The CMMC, a unified DoD cybersecurity standard, will “serve as a verification mechanism to ensure appropriate levels of cybersecurity controls and processes are adequate and in place to protect controlled unclassified information (CUI) that resides on the Department’s industry partners’ networks,” writes the team at Beryllium InfoSec Collaborative.
Although the CMMC model will be applied first to DoD contracts, there is good reason to believe that the same certification system will eventually be applied to other agencies.
Sources
- DoD Announces the Cybersecurity Maturity Model Certification (CMMC) Initiative, Inside Government Contracts
- New DoD Cybersecurity Framework Establishes New Standard, Certification for Defense Contractors, ClearanceJobs
- How to prepare for a DoD CMMC audit and certification, Kieri Solutions LLC
- What is the Cybersecurity Maturity Model Certification (CMMC)?, Summit 7 Systems
- CMMC FAQ’s, Office of the Under Secretary of Defense for Acquisition & Sustainment
- Department of Defense Data Breach Exposes 30,000 Employees, Forbes
- Cybersecurity – The Times (and Standards) They Are Changin’ – FAST!, McCarter & English, LLP.
- DoD to debut new cyber assessment program for contractors in less than a year, Federal News Network
- DOD’s Proposed Cybersecurity Maturity Model Certification Requirements: What We Know and How to Prepare, Miles & Stockbridge
- The Cost to Comply with DoD’s Cybersecurity Requirements to Be Reimbursable, Lexology
- What is the Cybersecurity Maturity Model Certification (CMMC)?, Beryllium InfoSec Collaborative
- A Midyear Look at DOD Government Contract Law Changes, Thompson Hine
- What contractors need to know about DoD’s CMMC, Professional Services Council (PSC)
- The CMMC – A Palatable Enforcement Solution to DFARS Requirement?, Tripwire
- Why DoD’s decision to make cybersecurity an ‘allowable cost’ matters, Federal News Network