With recent breaches of government data, such as the SolarWinds supply-chain compromise (widely referred to as "Solargate"), cybersecurity and the safeguarding of sensitive information have become more important than ever.
The Department of Defense's (DoD) Cybersecurity Maturity Model Certification (CMMC) is DoD's answer to ensuring the Defense Industrial Base (DIB) does not become the weak link in safeguarding sensitive information and government systems.
In this article, we will cover:
- Why does CMMC matter?
- Who Needs to be Compliant with CMMC?
- CMMC as a Maturity Model
- CMMC Domains
- CMMC Levels
- Third-Party Assessments
Why does CMMC matter?
According to DoD, it is "migrating to the new CMMC framework in order to assess and enhance the cybersecurity posture of the Defense Industrial Base (DIB) sector. The CMMC is intended to serve as a verification mechanism to ensure that DIB companies implement appropriate cybersecurity practices and processes to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) within their unclassified networks."
The aggregate loss of controlled unclassified information (CUI) from the DIB sector increases risk to national economic security and in turn, national security. In order to reduce this risk, the DIB sector must enhance its protection of CUI in its networks.
The Council of Economic Advisers, an agency within the Executive Office of the President, estimates that malicious cyber activity cost the U.S. economy between $57 billion and $109 billion in 2016 [Ref: "The Cost of Malicious Cyber Activity to the U.S. Economy", CEA, February 2018].
The Center for Strategic and International Studies (CSIS), in partnership with McAfee, reports that as much as $600 billion, nearly 1% of global GDP, may be lost to cybercrime each year. That estimate is up from a 2014 study that put global losses at about $445 billion [Ref: "Economic Impact of Cybercrime – No Slowing Down", February 2018].
Who Needs to be Compliant with CMMC?
CMMC is required for organizations whose contracts with the Department of Defense include DFARS clause 252.204-7021. The required CMMC level is specified in the contract and, in theory, the data subject to safeguarding is identified there as well.
In addition, prime contractors must flow down the DFARS 7021 requirement, which means subcontractors, and in many cases suppliers, must be CMMC certified as well.
Does CMMC apply to COTS Providers?
One question that comes up routinely is whether DFARS 7021 requirements must be flowed down to providers of commercial off-the-shelf (COTS) products and services. The answer is: it depends.
DFARS 7021 explicitly excludes the acquisition of COTS items from its requirements. In practice, however, prime government contractors have been requiring their COTS providers to become compliant. In other words, the government does not require COTS providers to be compliant, but primes are, by making it the cost of doing business with them.
While I am not privy to the thought process of the various prime contractors, my best guess is that primes are seeking to manage their risk. If you were a prime, would you want to risk a $10B contract award because one of your distributors or suppliers was not compliant with a contract clause that was supposed to be met? Probably not.
CMMC as a Maturity Model
One of the biggest differences between NIST 800-171 and CMMC is that CMMC is a maturity model.
CMMC Model v1.02 describes maturity models as, “a set of characteristics, attributes, indicators, or patterns that represent capability and progression in a particular discipline”.
CMMC Model v1.02 also describes the term institutionalization, which refers to how deeply ingrained processes are in an organization’s operations.
In other words, CMMC is interested not only in whether and how you implement a practice, but also in whether that practice or process is exercised routinely as part of your organization's normal business operations.
CMMC Domains
Control families, as they are called in NIST 800-171 and 800-53, are referred to as "domains" in CMMC. NIST 800-171 has fourteen (14) control families, whereas CMMC groups its practices into seventeen (17) domains.
Future articles will describe each domain and provide additional information, but in short, here are the CMMC domains and a brief description for each one:
ACCESS CONTROL (AC)
How does your organization establish system access requirements, control internal system access, control remote system access, and limit data access to authorized users and processes?
ASSET MANAGEMENT (AM)
How does your organization identify and document system assets and manage its asset inventory?
AWARENESS AND TRAINING (AT)
Does your organization conduct security awareness activities and training? Are people properly trained and experienced to carry out their roles and duties?
AUDIT AND ACCOUNTABILITY (AU)
What are your organization’s audit requirements and how does it perform auditing, identify and protect audit information, and/or review and manage audit logs?
CONFIGURATION MANAGEMENT (CM)
What are your organization’s configuration baselines and how is configuration and change management performed?
IDENTIFICATION AND AUTHENTICATION (IA)
How does your organization grant access to authenticated entities and ensure that access is limited to those with appropriate need to know/need for privileges?
INCIDENT RESPONSE (IR)
Does your organization plan incident response, detect and report events, develop and implement a response to a declared incident, perform post incident reviews, test incident response, etc.?
MAINTENANCE (MA)
How does your organization manage maintenance of systems and the personnel who perform that maintenance?
MEDIA PROTECTION (MP)
Does your organization identify and mark media, protect and control media, sanitize media, protect media during transport?
PERSONNEL SECURITY (PS)
Does your organization screen personnel and protect CUI during personnel actions?
PHYSICAL PROTECTION (PE)
How does your organization limit physical access to sensitive information and systems?
RECOVERY (RE)
How does your organization manage backups and maintain information security continuity?
RISK MANAGEMENT (RM)
How does your organization identify and evaluate risk, manage risk, and manage supply chain risk?
SECURITY ASSESSMENT (CA)
Does your organization maintain a system security plan, define and manage the security controls it relies on, and perform code reviews of the software it develops?
SITUATIONAL AWARENESS (SA)
Does your organization continuously monitor systems for threats and vulnerabilities?
SYSTEM AND COMMUNICATIONS PROTECTION (SC)
What are the system requirements for communications and how do you control them at system boundaries?
SYSTEM AND INFORMATION INTEGRITY (SI)
Does your organization identify and manage information system flaws, identify malicious content, perform network and system monitoring, and implement advanced email protections, etc.?
CMMC Levels
DoD abstracted compliance requirements and baseline security controls, referred to as "processes" and "practices" in CMMC, into five levels, with CMMC Level 1 carrying the fewest safeguarding requirements and Level 5 the most. The levels are cumulative: each level requires all of the practices and processes of the levels below it.
So, what are the CMMC levels and their associated processes and practices?
Level 1 – Basic safeguarding of FCI
CMMC Level 1 is the least restrictive of the five levels. It consists of the fifteen (15) basic safeguarding requirements found in Federal Acquisition Regulation (FAR) 48 CFR 52.204-21, expressed in CMMC v1.02 as seventeen (17) practices; these are the baseline requirements for safeguarding FCI.
In addition, Level 1 practices need only be performed: they may be implemented in an ad hoc manner and "may or may not rely on documentation". As such, process maturity is neither assessed nor required for CMMC Level 1.
Level 2 – Transition step to protecting CUI
CMMC Level 2 is considered a "transition step" between safeguarding FCI and safeguarding CUI.
Level 2 differs from Level 1 not only in the number of practices that must be implemented (72 in total, including the 17 from Level 1) but also in introducing processes. The processes required for Level 2 focus on establishing and documenting practices and policies.
Callout: “Organizations develop mature capabilities by documenting their processes and then practicing them as documented.”
That being said, DoD has stated that "CMMC Level 2 will not be included within DoD solicitations". What, then, is its purpose? That remains to be seen, and clearer guidance is needed from DoD on its intent, purpose, and relevance.
Level 3 – Protecting CUI
CMMC Level 3 is the level most similar to NIST 800-171. Its 130 practices consist of the 110 security requirements from NIST SP 800-171 Rev. 1 plus twenty (20) additional practices that "support good cyber hygiene".
Processes for CMMC Level 3 include not only the Level 2 processes but also the establishment, maintenance, and resourcing of "a plan demonstrating the management of activities for practice implementation".
According to the CMMC model, the “plan may include information on missions, goals, project plans, resourcing, required training, and involvement of relevant stakeholders”.
While DoD previously suggested CMMC Level 3 will not be the norm, it seems to have become the de facto level organizations are seeking compliance with.
Levels 4 and 5 – Protecting CUI and reducing risk of APTs
CMMC Levels 4 and 5 are focused on the "protection of CUI from APTs" (advanced persistent threats) and require the most stringent safeguarding practices and the greatest process maturity.
Levels 4 and 5 require all of the practices from Levels 1, 2, and 3. In CMMC v1.02, Level 4 adds twenty-six (26) practices beyond Level 3 (156 in total), and Level 5 adds a further fifteen (15) (171 in total).
Practices for Levels 4 and 5 are focused on the detection and response capabilities of organizations, as well as the depth and sophistication of their cybersecurity capabilities. On the process side, Level 4 requires that practices be reviewed and measured for effectiveness, and Level 5 requires that process implementation be standardized and optimized across the organization.
Needless to say, Levels 4 and 5 are likely to only be pursued by the larger organizations, as the costs involved with achieving and maintaining compliance are significant, to say the least.
Third-Party Assessments
But how does the government verify that an organization meets the requirements of a CMMC level?
Under DFARS 252.204-7012 and, later, 7019, organizations were required to implement NIST 800-171 and to self-assess their level of compliance (7019 also requires posting the resulting self-assessment score in DoD's Supplier Performance Risk System, SPRS). These results were self-attested, and there was little to no oversight or enforcement of the contract provision.
As you can imagine, many organizations did not put much effort into meeting the requirements of NIST 800-171 and the threat of a DIBCAC audit was not enough to compel organizations to police themselves.
As such, one of the key differences with CMMC is that it requires organizations to be assessed and certified by an independent third party rather than by self-attestation.
At this point, you may be left with some remaining questions.
Who performs those assessments? Who issues and manages the certifications and the associated processes? How do I become one of those people or organizations that conduct assessments? And more.
We will cover all of that and more in our next article(s), but in the meantime, please contact us with any additional questions you may have!