The Department of Defense (DoD) recently announced a crucial initiative that aims to protect Controlled Unclassified Information (CUI) released to government contractors. This initiative will roll out in the form of a new cybersecurity certification program called “Cybersecurity Maturity Model Certification” (CMMC). The CMMC will make a significant impact on the industry to ensure that contractors within the US Defense Industrial Base (DIB) meet an appropriate cybersecurity level.
What does this all mean for contractors?
The DoD will only accept business from contractors that obtain a CMMC. Furthermore, the CMMC will require contractors to be certified compliant by third-party organizations.
The National Institute of Standards and Technology (NIST) also released two special draft publications (NIST SP 800-171, Revision 2 and NIST SP 800-171B) this past June that will be integrated into the CMMC framework. By January 2020, the CMMC standard is expected to start replacing NIST 800-171 on all DoD contracts.
Recent Compliance Research in Security Controls
Recent compliance research conducted by the National Defense Industrial Association highlights the compliance challenge US defense contractors face in implementing adequate security controls. According to the study, surveyed contractors failed to be fully compliant with NIST SP 800-171 and on average implemented only 39% of the 110 mandatory security controls.
Research also found that less than 60% of respondents had read the cybersecurity clause and about half of those did not understand it. In addition, about 45% of respondents had not read the guidelines of NIST 800-171. The research brings to light the disconnect among contractors when it comes to understanding cybersecurity requirements. However, some respondents indicated that cost is a factor when implementing cybersecurity solutions for their company.
History of Government Compliance Certifications
In 2016, the Department of Defense introduced the Defense Federal Acquisition Regulation Supplement (DFARS) to protect government data and national security networks from cybersecurity attacks.
Under DFARS, cybersecurity requirements were established for all DoD contractors. By December 2016, NIST released Revision 1 of NIST SP 800-171 – the standard requirement for compliance. Under NIST SP 800-171, DoD contractors are required to implement a minimum of 110 security controls.
After working with the contracting community over the past few years, the Department of Defense concluded that further compliance measures are essential. This decision is especially important as there will always be new and evolving cybersecurity threats. In May 2019, the DoD announced that it is collaborating with Johns Hopkins University Applied Physics Laboratory (APL) and Carnegie Mellon University Software Engineering Institute (SEI) to review and integrate various standards into one certification program, the Cybersecurity Maturity Model Certification.
NIST versus CMMC
The CMMC intends to establish a unified standard for cybersecurity by integrating requirements from NIST SP 800-171, NIST SP 800-53, ISO 27001, ISO 27032, AIA NAS9933 and others. Furthermore, the CMMC will also evaluate a company’s current cybersecurity practices and how well they are institutionalized. In comparison to NIST SP 800-171, the CMMC will include several cybersecurity levels ranging from 1-5.
NIST SP 800-171 Revision 2 and NIST SP 800-171B
On June 19, 2019, the draft NIST SP 800-171 Revision 2 was released by the National Institute of Standards and Technology (NIST). In NIST SP 800-171 Revision 2, there were no significant changes made to the 110 security requirements. A companion publication, NIST SP 800-171B, was also released with the intent to provide additional guidance for protecting CUI from an Advanced Persistent Threat (APT). This included an additional 33 enhanced security controls. These security controls will also be integrated into the CMMC along with the 110 controls in NIST SP 800-171.
The enhanced requirements center on the following three components:
- Penetration-resistant architecture
- Damage-limiting operations
- Designing for cyber resiliency and survivability.
The enhanced controls are organized within the existing security control families in NIST SP 800-171, though some families do not have associated enhanced controls. Examples of the draft enhanced controls include:
- Requiring two authorized individuals to execute certain operations
- Providing additional training focused on advanced threats
- Maintaining a cyber threat hunting capability
- Monitoring supply chain risk
- Establishing a cyber incident response team that can be deployed within 24 hours.
Support for Cybersecurity Maturity Model Certification – CMMC
The Office of the Under Secretary of Defense (OUSD) for Acquisition and Sustainment recognizes that:
Security is foundational to acquisition and should not be traded along with cost, schedule, and performance moving forward. The Department is committed to working with the Defense Industrial Base (DIB) sector to enhance the protection of controlled unclassified information (CUI) within the supply chain.
The Department of Defense advised that the CMMC will:
- Combine Standards: Merging current cybersecurity standards and best practices.
- Build upon DFARS: Build upon existing DFARS 252.204-7012 by adding a verification component.
- Be Cost-Effective: Aims to be affordable enough so that small-to-medium businesses can achieve a level 1 certification.
- Reduce Risk: Establish differing levels of CMMC controls and processes to reduce risk against cyber threats within the DoD supply chain.
- Provide for Higher Level Assessments: These assessments are to be conducted by U.S. government agencies, such as the Defense Contract Management Agency (DCMA) and Defense Counterintelligence and Security Agency (DCSA).
The Design of CMMC
The CMMC’s design addresses any shortfalls in an organization’s current cybersecurity program. The following are a few notable changes:
- Certification Levels: A defense contractor will be awarded a contract if it obtains one of five levels of compliance. A contract bid will automatically be rejected without a specified level of compliance.
- Third-Party Certifications: All contractors will require a third party to conduct cyber audits and risk assessments. Self-audits will no longer be accepted for NIST 800-171 compliance.
- Framework: The CMMC will integrate requirements from other frameworks like NIST SP 800-171, NIST SP 800-53, and AIA NAS9933. As of today, only NIST SP 800-171 compliance is mandatory.
The level of enforcement under the CMMC will be the biggest change for many defense contractors looking to bid for a contract.
CMMC Timeline
With the fast-approaching arrival of the CMMC, contractors will find themselves hurrying to put in place any required security measures missing in their organization. DoD contractors should expect the following CMMC timeline:
January 2020 – Version 1.0 will be released to support training requirements. Third-party audits for certification may begin.
June 2020 – CMMC requirements will be included in Requests for Information (RFI)
September 2020 – CMMC requirements will be included in Requests for Proposal (RFP)
Contractors will be putting their bid at risk if they do not obtain a CMMC certification. The Department of Defense stated that the decision will be a “go/no-go decision”.
The Maturity Levels of CMMC
The CMMC will consist of 5 maturity levels that range from “Basic Cyber Hygiene” to “Advanced/Progressive”. Each level will measure a federal contractor’s cybersecurity sophistication in addition to the institutionalization of its practices and processes. The specific level required (levels 1-5) will then be included in the DoD’s requests for proposals.
Federal contractors will be assessed based on their compliance with NIST SP 800-171 Rev 1 and NIST SP 800-171B. Here’s a breakdown of the levels as they were presented in the initial CMMC draft:
| Maturity level | CMMC level | Security controls (source) |
| --- | --- | --- |
| Basic Cyber Hygiene | CMMC Level 1 | 17 security controls (NIST SP 800-171 Rev 1) |
| Intermediate Cyber Hygiene | CMMC Level 2 | 46 security controls (NIST SP 800-171 Rev 1) |
| Good Cyber Hygiene | CMMC Level 3 | 47 security controls (NIST SP 800-171 Rev 1) |
| Proactive | CMMC Level 4 | 26 security controls (NIST SP 800-171B) |
| Advanced/Progressive | CMMC Level 5 | 4 security controls (NIST SP 800-171B) |
Get Certified for Cybersecurity Maturity Model Certification – CMMC
DoD contractors with a strong cybersecurity foundation will have a tremendous competitive advantage over other contractors in the industry and will ultimately need to implement the necessary security controls based on the contract’s specific CMMC level requirement.
Furthermore, DoD contractors will then need to coordinate with an accredited and independent third-party organization and schedule a CMMC assessment. The CMMC will also develop and provide a tool for third-party certifiers to “collect audits, collect metrics, and inform risk migration for the supply chain”.
A certification will be awarded to the company for attaining the appropriate CMMC level based on its cyber security maturity.
What to do until June 2020
- Evaluate your current cybersecurity program. Use this time to review your current policies and procedures before CMMC requirements appear on RFPs. Preparation is key. Identify any areas of improvement and prepare for what’s to come.
- Attend a DoD session. DoD will be hosting a series of informational sessions in major cities across the U.S. The DoD is interested in receiving feedback and hearing from contractors regarding the CMMC rollout.
- Collaborate with your cybersecurity partners. With the DoD no longer accepting self-certification, now is the right time to reach out and consult with your cybersecurity partners.
- Risk Assessment: ITG specializes in NIST 800-171 assessments. Our assessment reviews your company's progress toward compliance with NIST 800-171 and lists all deficiencies.
Collaborating with Integration Technologies Group (ITG), which has ISO 27001 and NIST subject matter expertise, validates that you will implement security controls correctly and efficiently.
Cost of Cybersecurity Maturity Model Certification – CMMC
DoD has acknowledged that the cost of its ongoing compliance efforts, including the CMMC, is an issue for the contracting community, noting that the CMMC must be semi-automated and cost effective enough that small businesses can achieve the minimum CMMC Level of 1.
The total cost of Cybersecurity Maturity Model Certification will be available after the release of Version 1.0.