CMMC: Securing the Defense Industrial Base against supply chain attacks is critical
The Department of Defense (DoD) invests almost $2 trillion each year in new systems, including aircraft, ships, land vehicles and space systems — along with the IT systems to enable these capabilities. This investment is through a combination of research, prototyping and other procurement paths within the Defense Industrial Base (DIB).
These investments create and produce new and improved technologies and intellectual property (IP), which is entrusted to over 300,000 DoD contractors across the DIB.
DoD contractors targeted by adversaries
Adversaries continue to target the confidentiality, integrity and availability of sensitive government data throughout the entire defense supply chain, causing significant damage to the DoD’s offensive and defensive capabilities. The adversaries are active, and they are succeeding.
Here are some high-profile examples from the past few years:
- In March 2021, the U.S. issued an emergency warning after Microsoft caught China hacking into its email and calendar server program (Microsoft Exchange). Microsoft Vice President Tom Burt stated that the hackers had spied on a wide range of U.S. targets, including disease researchers, law firms and defense contractors.
- Between September and December 2019, cyberespionage actors compromised the emails and LinkedIn accounts of DoD contractors.
- In January and February 2018, China hacked a Navy contractor and secured a trove of highly sensitive data on submarine warfare.
The theft of intellectual property and sensitive information from all industrial sectors due to malicious cyber activity threatens economic security and national security.
Enter Cybersecurity Maturity Model Certification
As a result, every DoD prime contractor and subcontractor will be required to obtain a cybersecurity certification from an independent, certified Cybersecurity Maturity Model Certification (CMMC) assessor. Requiring certification improves the security of contractors and the DIB as a whole, and helps the DoD avoid future losses due to cyber breaches.
The CMMC Model is designed to combat the threat against a target-rich environment within the defense supply chain.
Before CMMC was developed, DoD contractors were required to self-attest that they were compliant with government regulatory standards. However, self-attestation proved to be ineffective.
As a result, the DoD developed the CMMC Model to verify that proper cybersecurity practices and processes are in place to adequately protect sensitive government data, specifically Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) within DIB networks.
Most importantly, CMMC certification, based on a third-party assessment of the contractor’s cybersecurity hygiene and maturity, allows for an independent, impartial review before the contract award. CMMC Third-Party Assessor Organizations (C3PAOs) are credentialed to conduct CMMC assessments of current and potential DoD contractors to evaluate their readiness to protect sensitive data within the defense supply chain.
What is the CMMC Model?
The CMMC Model combines various cybersecurity standards and best practices mapped to maturity levels ranging from basic to advanced cyber hygiene.
The CMMC Model has four major components: domains, capabilities, practices and processes.
- Domains are sets of capabilities based on cybersecurity best practices. There are 17 domains within the CMMC Model, and each domain is assessed for practice conformity and process maturity across five maturity levels.
- Capabilities are achievements to ensure cybersecurity within each domain. There are 43 capabilities, which are met through the employment of practices and processes.
- Practices are activities that an organization performs. In some respects, these can be thought of as security controls used to manage operational resilience.
- Processes are activities that make the practices “stick.” The intent is to ensure that practices are repeatable and lasting, even when an organization is under stress. They also demonstrate the maturity of the contractor’s cybersecurity program.
What does it mean for the contractor?
The success of a compliance model such as the CMMC Model depends on the defense contractor's understanding of, and ability to protect, sensitive government data while it is stored, processed or transmitted within a controlled environment.
The bottom line is that the organization must understand the data that must be protected. The contractor must be able to control the flow of that data. Allowing adversaries to continue to target this data hinders the nation’s ability to maintain its strategic advantage.
Learn more about CMMC
For more information about CMMC — from free CMMC ebooks and webinars to boot camps to prepare you to become a Certified CMMC Professional or Certified CMMC Assessor — check out the Infosec CMMC resource page.
You can also explore the CMMC hub on Infosec Resources for the latest articles on topics such as:
- How to become an RPO and C3PAO
- How to get your organization certified
- CMMC career paths, including RPs, CCPs and CCAs
- Understanding the CMMC Marketplace
- What to expect during your CMMC assessment
- Additional CMMC resources
Sources
- US issues warning after Microsoft says China hacked its mail server program, NBC News
- Operation In(ter)ception: Aerospace and military companies in the crosshairs of cyberspies, WeLiveSecurity
- China hacked a Navy contractor and secured a trove of highly sensitive data on submarine warfare, Washington Post