By now, you've heard all about the Cybersecurity Maturity Model Certification (CMMC) by the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)). It is a new certification model designed to verify that DoD contractors have sufficient controls to safeguard sensitive data, including Controlled Unclassified Information (CUI) and Federal Contract Information. Rev 0.7 was released December 6th, 2019, and the final draft of the certification is scheduled to be released shortly thereafter.
CMMC was built on top of existing cyber frameworks including NIST 800-53, NIST SP 800-171, GDPR, ACSC, CMMI, and ISO 27001. All of these frameworks address cyber hygiene, but CMMC combines and simplifies them. Self-assessment for suppliers is no longer acceptable. Any organization intending to do business with the DoD will be subject to a mandatory audit by an authorized auditing body to obtain its level of certification before a contract can be awarded.
Let's face it – the existing process of self-verification is inadequate and has failed the DoD to this point. There have been reports of adversaries of the United States developing military equipment based on stolen design data. Examples include the Chinese J-20 and J-31 stealth fighter jets, which resemble the American F-35. According to the Pentagon, China may have accessed the F-35 design after an information breach that took place in 2009.
Additionally, compliance without accreditation doesn't guarantee absolute security. Hackers are continually devising tactics to break the existing cybersecurity measures. Therefore, organizations need to become more diligent in their cyber approach to make it more difficult for intruders to penetrate.
CMMC is one of the DoD measures to help seal the cyber vulnerabilities within the supply chain. It aims to verify that suppliers of goods and services to the DoD have appropriate cybersecurity controls in place by having levels of certification (1-5). It also aims to protect CUI residing in the networks of DoD vendors.
The Cybersecurity Maturity Model Certification will cause a stir in many industries and practices. Here is what is likely to happen:
With CMMC, cybersecurity is at the forefront of contractual evaluation, scrutiny, and oversight. Being certified at the appropriate level will be a critical factor for the DoD when obtaining goods and services from the industry supply chain.
The model will govern contractors and subcontractors who previously didn’t need to observe DoD cybersecurity standards, like companies not handling covered defense information (DFARS Clause 252.204-7012). Going forward, all DoD suppliers will be subject to CMMC level 1-5 certification to do business with the DoD.
While the CMMC policy is unforgiving, contractors will benefit in three ways. First, it will eliminate cases of different agencies carrying out multiple security assessments on the same entity at the same time.
Also, replacing government technical and contracting officers with independent third-party evaluators will harmonize security assessment standards across the board. There won't be concerns about some agencies conducting incomplete or inaccurate reviews of a contractor's cybersecurity.
Finally, the neutral third parties in the CMMC model will eliminate situations in which contractors make misleading or incorrect representations of their IT security. As a result, there will be fewer cases of legal dispute over false claims.
Contractors will fall under five maturity categories, each with specific security obligations. Based on information sensitivity and the perceived cyber threat, the DoD will decide which maturity levels qualify for particular contracts.
Levels 1 and 2 involve basic cyber hygiene that most companies usually implement. Level 3 corresponds to the DoD cybersecurity requirements outlined in DFARS Clause 252.204-7012, which follows NIST SP 800-171 with an additional 20 controls.
According to the government, the requirements for Levels 4 and 5 match the standards of NIST SP 800-171 Rev B. Most of the controls conform to information security measures found in ordinary businesses, while some are unique to the Cybersecurity Maturity Model Certification.
The DoD reassures interested parties that meeting the requisites for Levels 1 and 2 will be inexpensive. Time will tell if small businesses will be open to the IT security scrutiny associated with getting DoD certification. Companies that find it cumbersome to comply or undergo the assessment will have to stop doing business with the DoD.
The DoD will rely heavily on certified third-party assessment organizations (C3PAOs) to audit and assess contractors' CMMC qualification. A nonprofit accreditation organization will oversee the C3PAOs responsible for issuing CMMC credentials to businesses. There are over 300,000 companies within the DoD supply chain, which will require a ramp-up phase over the next 12-18 months. Since contracts run over a 5-year span, this will give suppliers and contracting offices time to prepare and add the new CMMC requirements into their contract processes as contracts come up for renewal.
As a result, a new breed of information security consultants and advisors is sprouting in the market. Their role is to guide aspiring DoD contractors on how to keep their IT systems secure and compliant with CMMC guidelines. IT consulting companies that move in the CMMC direction may have to adjust their practices.
Since self-evaluation for DoD contractors has come to an end, you'll need to liaise with an accredited, independent third-party certification organization. You'll specify the level of cybersecurity maturity your company is seeking and schedule a CMMC evaluation. The CMMC-AB will have a search feature on its site that will allow you to locate an assessor near you.
Once you satisfy the security requirements for the requested tier, the assessing organization will grant you the appropriate certification. Your certification level will be available to the DoD via a database, but the findings of your cybersecurity audit will remain confidential. Once you receive your certification, it is highly recommended that you DO NOT publicly list your certification level. Doing so would expose your organization to cyber threats, since attackers could easily infer your security posture from it.
CMMC demands superior cybersecurity measures from contractors that want to continue doing business with the Department of Defense. The journey will undoubtedly be bumpy for some suppliers, but the DoD is keen to cut ties with non-compliant parties. If you are looking to become a DoD contractor, pursue your CMMC certification today.
If you would like to learn more about Cybersecurity Maturity Model Certification, be sure to check out our guide. It includes everything you need to know about CMMC in order to get ahead and stay ahead of your competition.