How will the Cybersecurity Maturity Model Certification (CMMC) affect those who do business with the Department of Defense (DoD)?
Some questions have been answered, some have yet to be answered, while more questions are still ahead!
One thing is for certain:
Proof of adequate security is not going away for contractors of the DoD.
The announcement of the Cybersecurity Maturity Model Certification (CMMC) from the Office of the Under Secretary of Defense for Acquisition and Sustainment, states the OUSD recognizes:
That security is foundational to acquisition and should not be traded along with cost, schedule, and performance moving forward. The Department is committed to working with the Defense Industrial Base (DIB) sector to enhance the protection of controlled unclassified information (CUI) within the supply chain.
You may be asking, “Why is the CMMC being created?”
Per the OUSD, the DoD is planning to migrate to the new CMMC framework in order to assess and enhance the cybersecurity posture of the Defense Industrial Base (DIB). The CMMC is intended to serve as a verification mechanism to ensure appropriate levels of cybersecurity controls and processes are adequate and in place to protect controlled unclassified information (CUI) that resides on the Department’s industry partners’ networks.
That is a mouth full. Here are some of the key takeaways:
- The CMMC will review and combine various cybersecurity standards and best practices and map these controls and processes across several maturity levels that range from basic cyber hygiene to advanced. For a given CMMC level, the associated controls and processes, when implemented, will reduce risk against a specific set of cyber threats.
- The DoD is working with John Hopkins University Applied Physics Laboratory (APL) and Carnegie Mellon University Software Engineering Institute (SEI) to review and combine various cybersecurity standards into one unified standard for cybersecurity.
- The CMMC effort builds upon existing regulation (DFARS 252.204-7012) that is based on trust by adding a verification component with respect to cybersecurity requirements.
- The CMMC must be semi-automated and, more importantly, cost effective enough so that Small Businesses can achieve the minimum CMMC level of 1.
- The CMMC model will be agile enough to adapt to emerging and evolving cyber threats to the DIB sector. A neutral 3rd party will maintain the standard for the Department.
- The CMMC will include a center for cybersecurity education and training
- The intent is for certified independent 3rd party organizations to conduct audits and inform risk.
- The CMMC will include the development and deployment of a tool that 3rd party cybersecurity certifiers will use to conduct audits, collect metrics, and inform risk mitigation for the entire supply chain.
Cybersecurity Maturity Model Certification Levels: What they could look like
As more information is released about how the CMMC process might look, what has been presented thus far looks pretty straight forward.
Per the OSUD:
CMMC levels will range from basic hygiene to “State-of-the-Art” and will also capture both security control and the institutionalization of processes that enhance cybersecurity for DIB companies.
The required CMMC level (notionally between 1 – 5) for a specific contract will be contained in the RFP sections L & M, and will be a “go/no-go decision”.
As many expected, a contractor’s CMMC Level will be measured by how many NIST SP 800-171 (rev 1 and B) controls are implemented, plus additional practices and processes.
For example, the more you have implemented (with proof!), the higher your CMMC Level certification goes.
Based on what has been presented, here are what the CMMC Levels will consist of:
CMMC Level 1 | Basic Cyber Hygiene | 35 Practices
CMMC Level 2 | Intermediate Cyber Hygiene | 115 Practices
CMMC Level 3 | Good Cyber Hygiene | 91 Practices
CMMC Level 4 | Proactive | 95 Practices
CMMC Level 5 | Advanced/Progressive | 34 Practices
*Number of controls per level will change in future revisions of CMMC model – Learn more about Rev 0.4 here
*Leveling criteria is still in flux and will therefore shift controls across levels
*Rev 0.4 New Content Resources, built upon existing requirements of DFARS 252.204-7012: DIB SCC TF WG Top 10, NIST Cybersecurity Framework 1.1, ISO 27001:2013, AIA NAS 9933, CIS Critical Security Controls 7.1, CERT Resilience Management Model®, Additional DIB Inputs, Subject Matter Experts
Key takeaways here are that regardless of how the CMMC Levels look, contractors will need to prove their implementation of security controls in order to be awarded DOD contracts.
Many of these controls were supposed to be implemented by December 31, 2017. Almost two years ago!
Contractors who are able to prove their implementation plan has reached adequate security, now have a competitive advantage over other contractors.
How does the Cybersecurity Maturity Model Certification affect DFARS & NIST SP 800-171?
Before getting any further in to the Cybersecurity Maturity Model Certification, here is information for better understanding of DFARS and NIST SP 800-171.
It is clear the DoD is taking the process of securing the Defense Industrial Base (DIB) even more seriously than they already were.
Implementation can be challenging for small-to-medium size businesses. That said, it doesn’t have to be.
Subject matter expertise is not only needed, it should be embraced.
Remember what is really at stake and why DFARS and the CMMC exist:
Our national security.
Hackers with malicious intent, potentially against the United States of America, want (and are getting) data to our defense systems.
DFARS, NIST SP 800-171 and the CMMC should be prideful accomplishments by any contractor doing business with the DoD.
Collaborating with a company who has NIST subject matter expertise, validates that security controls are implemented correctly and efficiently.
Questions. Lots of Questions.
Naturally, when cybersecurity is combined with the magnitude of something like the Cybersecurity Maturity Model Certification, there will be questions.
More questions will come, while some are still not answered. For now, you can find a lengthy list of frequently asked questions on the OSUD.
We pulled out some of the more critical questions every contractor of the DoD will want the answers to.
When will the first CMMC Framework be released to the public?
Version 1.0 of the CMMC framework will be available in January 2020 to support training requirements. In June 2020, industry should begin to see the CMMC requirements as part of Requests for Information.
What is the relationship between NIST SP 800-171 rev 1 and CMMC?
The intent of the CMMC is to combine various cybersecurity control standards such as NIST SP 800-171, NIST SP 800-53, ISO 27001, ISO 27032, AIA NAS9933 and others into one unified standard for cybersecurity. In addition to cybersecurity control standards, the CMMC will also measure the maturity of a company’s institutionalization of cybersecurity practices and processes.
How will CMMC be different than NIST SP 800-171?
Unlike NIST SP 800-171, CMMC will implement multiple levels of cybersecurity. In addition to assessing the maturity of a company’s implementation of cybersecurity controls, the CMMC will also assess the company’s maturity/institutionalization of cybersecurity practices and processes.
How can organizations become certified?
Your organization will coordinate directly with an accredited and independent third party commercial certification organization to request and schedule your CMMC assessment. Your company will specify the level of the certification requested based on your company’s specific business requirements. Your company will be awarded certification at the appropriate CMMC level upon demonstrating the appropriate maturity in capabilities and organizational maturity to the satisfaction of the assessor and certifier.
How much will CMMC certification cost?
The certification cost has not yet been determined. The cost, and associated assessment, will likely scale with the level requested.
Will there be a self-certification?
How do I request a certification assessment?
We expect that there will be a number of companies providing 3rd party CMMC assessment and certification.
Who will perform the assessments?
An independent 3rd party assessment organization will normally perform the assessment. Some of the higher level assessments may be performed by organic DoD assessors within the Services, the Defense Contract Management Agency (DCMA) or the Defense Counterintelligence and Security Agency (DCSA).
How often does my organization need to be reassessed?
The duration of a certification is still under consideration.
If my organization is certified CMMC and I am compromised, do I lose my certification?
You will not lose your certification. However, depending on the circumstances of the compromise and the direction of the government program manager, you may be required to be recertified.
What if my organization cannot afford to be certified? Does that mean my organization can no longer work on DoD contracts?
The cost of certification will be considered an allowable, reimbursable cost and will not be prohibitive. For contracts that require CMMC you may be disqualified from participating if your organization is not certified.
My organization does not handle Controlled Unclassified Information (CUI). Do I have to be certified anyway?
Yes. All companies conducting business with the DoD must be certified. The level of certification required depends upon the CUI a company handles or processes.
How will I know what CMMC level is required for a contract?
The government will determine the appropriate tier (i.e. not everything requires the highest level) for the contracts they administer. The required CMMC level will be contained in sections L & M of the Request for Proposals (RFP) making cybersecurity an “allowable cost” in DoD contracts.
What to do between now and June 2020
The problem today, as we see it, is not compliance…it is implementation.
Malicious hackers do not care if you are compliant, they care if you ARE NOT implemented. That means they can more easily access your CUI!
Fortunately for contractors of the DoD (big or small), Beryllium InfoSec Collaborative has worked strategically with industry leaders in both security and information technology, to develop a solution.
Every SMB faces the same challenges with cybersecurity implementations:
- NIST and cybersecurity subject matter expertise
- Security Compliance Program Management
With CUICK TRAC, contractors can achieve Cybersecurity Maturity Model Certification Level 3 (as it is currently laid out) in as few as 14 days. No additional hardware, software or technology is required.
Regardless of where a contractor is in the process of DFARS 252.204-7012 compliance/implementation of NIST SP 800-171, CUICK TRAC is the solution to getting there faster and for less.
UPDATED 7.31.19: Here are slides that Katie Arrington and the CMMC team have been using during their recent viewing presentations.
Beryllium InfoSec Collaborative (“Beryllium” for short), is an information security and cyber security company located in Minneapolis, Minnesota. As a small business owned by veterans, Beryllium has 80-plus years of industry experience across industry & government. We are National Institute of Standards and Technology (NIST) information security experts, who know the balance of security needs and operational requirements. NIST provides the definitive compilation of guidelines that all other standards are derived from, either partially or wholly.
Beryllium is unique, in that we use strategic collaboration, education, and a holistic approach to information security & cyber security. From small to medium size businesses (SMBs), to enterprise organizations, our expertise of the NIST information security & cyber security guidance allows us to build unique, compliant & cost-effective solutions for any organization.