Cybersecurity Maturity Model Certification: What you need to know
Cybersecurity Maturity Model Certification (CMMC) has been in the news a lot lately. CMMC is the next phase of the U.S. Department of Defense's (DoD) efforts to fully secure the Defense Industrial Base (DIB). Its scope is enormous, as expected in any program intended to improve the security of a network comprising more than 300,000 external contractors. The overall goal is to protect sensitive information related to federal contracts and government-created or owned information that requires controls to be implemented according to government policy.
The CMMC framework, then, is intended to assess and enhance the cybersecurity posture of the many companies that contribute to the research, engineering, development, acquisition, production, delivery, sustainment and operation of DoD systems, networks, installations, capabilities and services.
The initial version of CMMC was pulled back, and the government retooled the entire framework as CMMC 2.0. There are plenty of changes in the latest version of this compliance standard. So, what is new with CMMC as of 2022? How does this affect organizations that want to become CMMC certified, what are the certification levels, and what does it take to become a CMMC assessor? Which contractors, vendors and companies must be CMMC compliant to continue working with the DoD?
“Assumptions were made about what contractors were doing for their own cybersecurity versus what was actually happening,” said Leighton Johnson, CTO and Founder of the Information Security Forensics Management (ISFM). Johnson is also an Infosec instructor and a 40-year cybersecurity veteran.
The DoD, perhaps naively, expected the vendor community to follow the cybersecurity requirements in its acquisition regulations (the DFARS 252.204-7012 clause) that have been in place since 2016. These regulations laid out the basic cybersecurity duties and responsibilities expected of every contractor. What the DoD discovered is that the commercial world is not driven by requirements, as is typical in government operations; it is driven by cost. As a result, many of the mandated cyber requirements were never implemented.
“The DoD has always had an extremely strong viewpoint about security and cybersecurity, for its own components and its own activities,” said Johnson. “They just translated that over to the commercial world, and that’s when a big disconnect was seen.”
Time is running out
But the clock is ticking. The DoD has given contractors until roughly May 2023 to comply with CMMC, although the exact deadline is still somewhat indefinite. The approaching deadline applies to both prime contractors and subcontractors. Those that do not comply will not be able to work with the DoD until they reach compliance.
CMMC 2.0 defines three certification levels; the first two cover the vast majority of contractors and are the focus here. Organizations are evaluated at the level they wish to achieve, and it is up to them to determine the appropriate level, based on the kind of information they handle, before scheduling an assessment. Under CMMC 2.0, Level 1 is met through an annual self-assessment, while Level 2 generally requires assessment by a qualified third-party assessor.
Level 1 covers federal contract information (FCI): information about a contract, such as terms, conditions and schedules, that is not intended for public release. Every contractor that handles FCI must reach at least Level 1.
Level 2 covers controlled unclassified information (CUI): information that is not classified but that law, regulation or government-wide policy requires to be safeguarded, including technical data specific to what the contractor is building for the DoD.
“I’ve seen estimates that anywhere from 40% to 75% of all contracts will have a CUI requirement,” said Johnson.
Applied to a base of roughly 300,000 contractors, that means perhaps 120,000, and possibly as many as 225,000, will need to be assessed and certified at the CUI level. With the deadline only a few months away, getting that many contractors through the process will be difficult.
CMMC is not going away
What must be understood is that CMMC is not going away. The DoD has been expecting compliance with these cybersecurity rules for about five years, and it does not want to wait any longer. Its patience is wearing thin. Further, adversaries continue to steal data and compromise DoD systems, and the pace of cyberattacks has picked up considerably over the past year.
Those wishing to become a certified CMMC assessor should understand that Level 2 assessment is based on NIST Special Publication 800-171. They should obtain NIST SP 800-171A, the companion assessment procedures, along with the assessment guides and other material posted on the DoD CMMC website. That is the source material anyone in this field needs to understand; it covers 110 security requirements.
Those guides teach you how to conduct assessments in the federal space under CMMC: the kind of mechanisms to look for, the specifications, the practices and processes that need to be in place, and the evidence required to demonstrate compliance.
There are also licensed training providers for CMMC and licensed publishing partners, and Infosec is qualified for both. Such services are vital as hundreds of thousands of companies must be assessed quickly.
There is high demand for CMMC assessors. The good news is that the required knowledge overlaps considerably with what people already working in privacy, compliance and risk management know.
Johnson said certified auditors, certified security component installers and engineers, and holders of various other professional certifications have the right background for a career related to CMMC. There is no need to hold a DoD security clearance, as the data is not classified, but a background check is required.
To learn more about Leighton Johnson's recommendations for rapid CMMC adoption, check out the full episode of the Cyber Work podcast.