With recent breaches of government data, such as Solargate, cybersecurity and the safeguarding of sensitive information have become more important than ever.
The Department of Defense's (DoD) Cybersecurity Maturity Model Certification (CMMC) is intended to ensure that the Defense Industrial Base (DIB) does not become the weak link in safeguarding sensitive information and government systems.
In this article, we will cover:
- What is CMMC and Why Does it Matter?
- Who Needs to be Compliant with CMMC?
- What is a Maturity Model?
- CMMC Domains
- CMMC Levels
- Third-Party Assessments
- CMMC Accreditation Body
- Certified Third Party Assessment Organizations (C3PAOs)
- Certified Assessors
- CMMC Marketplace
- How is Compliance Assessed?
- Examine, Interview, and Test
What is CMMC and Why Does it Matter?
According to DoD, "The CMMC is intended to serve as a verification mechanism to ensure that DIB companies implement appropriate cybersecurity practices and processes to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) within their unclassified networks."
DoD states that it is "migrating to the new CMMC framework in order to assess and enhance the cybersecurity posture of the Defense Industrial Base (DIB) sector."
DoD continues: "The aggregate loss of controlled unclassified information (CUI) from the DIB sector increases risk to national economic security and in turn, national security. In order to reduce this risk, the DIB sector must enhance its protection of CUI in its networks."
The Council of Economic Advisers, an agency within the Executive Office of the President, estimates that malicious cyber activity cost the U.S. economy between $57 billion and $109 Billion in 2016 [Ref: “The Cost of Malicious Cyber Activity to the U.S. Economy, CEA” in February 2018].
The Center for Strategic and International Studies (CSIS), in partnership with McAfee, reports that as much as $600 Billion, nearly 1% of global GDP, may be lost to cyber-crime each year. The estimate is up from a 2014 study that put global losses at about $445 Billion. [Ref: “Economic Impact of Cyber-crime – No Slowing Down” in February 2018].
Who Needs to be Compliant with CMMC?
CMMC certification is required for organizations whose contracts with the Department of Defense include DFARS clause 252.204-7021. The required CMMC certification level is specified in the contract and, in theory, the data subject to safeguarding is identified there as well.
In addition, prime contractors must flow down the DFARS 252.204-7021 requirements to their subcontractors, which means subcontractors (and in many cases suppliers) must be CMMC certified as well.
Does CMMC apply to COTS Providers?
One of the questions that comes up routinely is whether the DFARS 252.204-7021 requirements need to be flowed down to providers of commercial off-the-shelf (COTS) products and services. The answer is: it depends.
DFARS 252.204-7021 specifically excludes acquisitions of COTS items from its requirements. In practice, however, prime government contractors have been requiring their COTS providers to become compliant. In other words, the government does not require COTS providers to be compliant, but primes effectively do, by making it the cost of doing business with them.
While I am not privy to the thought process of the various prime contractors, my best guess is that primes are seeking to manage their risk. If you were a prime, would you want to risk a $10B contract award because one of your distributors or suppliers was not compliant with a contract clause that was supposed to be met? Probably not.
What is a Maturity Model?
CMMC Model v1.02 describes a maturity model as "a set of characteristics, attributes, indicators, or patterns that represent capability and progression in a particular discipline". It further describes institutionalization, which refers to how deeply ingrained a process is in an organization's operations.
In other words, CMMC is interested not only in whether and how you implement a practice, but also in whether that practice or process is exercised routinely as part of your organization's normal business operations.
CMMC Domains
Control families, as they are referred to in NIST SP 800-171 and 800-53, are called "domains" in CMMC. NIST SP 800-171 has fourteen (14) control families, whereas CMMC groups its practices into seventeen (17) domains.
Future articles will describe each domain and provide additional information, but in short, here are the CMMC domains and a brief description for each one:
ACCESS CONTROL (AC)
How does your organization establish system access requirements, control internal system access, control remote system access, and limit data access to authorized users and processes?
ASSET MANAGEMENT (AM)
How does your organization identify and document system assets and manage your asset inventory?
AWARENESS AND TRAINING (AT)
Does your organization conduct security awareness activities and training? Are people properly trained and experienced to carry out their roles and duties?
AUDIT AND ACCOUNTABILITY (AU)
What are your organization’s audit requirements and how does it perform auditing, identify and protect audit information, and/or review and manage audit logs?
CONFIGURATION MANAGEMENT (CM)
What are your organization’s configuration baselines and how is configuration and change management performed?
IDENTIFICATION AND AUTHENTICATION (IA)
How does your organization grant access to authenticated entities and ensure that access is limited to those with appropriate need to know/need for privileges?
INCIDENT RESPONSE (IR)
Does your organization plan incident response, detect and report events, develop and implement a response to a declared incident, perform post incident reviews, test incident response, etc.?
MAINTENANCE (MA)
How does your organization manage the maintenance of its systems and the personnel who perform that maintenance?
MEDIA PROTECTION (MP)
Does your organization identify and mark media, protect and control media, sanitize media, protect media during transport?
PERSONNEL SECURITY (PS)
Does your organization screen personnel and protect CUI during personnel actions?
PHYSICAL PROTECTION (PE)
How does your organization limit physical access to sensitive information and systems?
RECOVERY (RE)
How does your organization manage backups and information security continuity?
RISK MANAGEMENT (RM)
How does your organization identify and evaluate risk, manage risk, and manage supply chain risk?
SECURITY ASSESSMENT (CA)
Does your organization have a system security plan and a secure baseline configuration? Is there a process in place for making system changes? Etc.
SITUATIONAL AWARENESS (SA)
Does your organization continuously monitor systems for threats and vulnerabilities?
SYSTEM AND COMMUNICATIONS PROTECTION (SC)
What are the system requirements for communications and how do you control them at system boundaries?
SYSTEM AND INFORMATION INTEGRITY (SI)
Does your organization identify and manage information system flaws, identify malicious content, perform network and system monitoring, and implement advanced email protections, etc.?
CMMC Levels
DoD organized the compliance requirements and baseline security controls, referred to in CMMC as "processes" and "practices", into five levels, with level 1 carrying the fewest safeguarding requirements and level 5 the most.
So, what are the different levels and their associated processes and practices?
Level 1 – Basic safeguarding of FCI
Level 1 is the least stringent of the five levels. It consists of the requirements found in Federal Acquisition Regulation (FAR) 48 CFR 52.204-21, the basic safeguarding requirements for FCI.
In addition, CMMC level 1 practices are generally understood to be performed in an ad-hoc manner and "may or may not rely on documentation". As such, process maturity is not assessed at CMMC level 1.
Level 2 – Transition step to protecting CUI
Level 2 is considered a “transition step” between the safeguarding of FCI and safeguarding of CUI.
Level 2 differs from level 1 not only in terms of how many practices must be implemented, but it also introduces processes as well. The processes required for level 2 are focused on the establishment and documentation of practices and policies.
Callout: “Organizations develop mature capabilities by documenting their processes and then practicing them as documented.”
That being said, DoD has stated that, “CMMC Level 2 will not be included within DoD solicitations”. What is its purpose then? That remains to be seen and clearer guidance is needed from DoD on its intent, purpose, and relevancy.
Level 3 – Protecting CUI
CMMC level 3 is the level most similar to NIST SP 800-171. It consists of the 110 security requirements from NIST SP 800-171 rev. 1 plus twenty (20) additional practices that "support good cyber hygiene", for 130 practices in total.
Processes for CMMC level 3 include not only the CMMC level 2 processes, but also the establishment, maintenance, and resourcing of, “a plan demonstrating the management of activities for practice implementation”.
According to the CMMC model, the “plan may include information on missions, goals, project plans, resourcing, required training, and involvement of relevant stakeholders”.
While DoD previously suggested CMMC Level 3 will not be the norm, it seems to have become the de facto level organizations are seeking compliance with.
Levels 4 and 5 – Protecting CUI and reducing risk of APTs
CMMC levels 4 and 5 are focused on, “protection of CUI from APTs” and require the most stringent safeguarding practices and the greatest process maturity.
CMMC levels 4 and 5 require all of the practices from levels 1 through 3. In CMMC v1.02, level 4 adds twenty-six (26) practices on top of level 3 (156 in total), and level 5 adds a further fifteen (15) (171 in total).
Practices and processes for levels 4 and 5 are focused on the detection and response capabilities of organizations, as well as the depth and sophistication of cybersecurity capabilities.
Needless to say, Levels 4 and 5 are likely to only be pursued by the larger organizations, as the costs involved with achieving and maintaining compliance are significant, to say the least.
Third-Party Assessments
But how does the government verify that an organization meets the requirements of a CMMC level?
Under DFARS 252.204-7012 and 252.204-7019, organizations were required to self-assess their compliance with NIST SP 800-171. The results were self-attested, and there was little to no oversight or enforcement of the contract provision.
As you can imagine, many organizations did not put much effort into meeting the requirements of NIST SP 800-171, and the threat of a DIBCAC audit was not enough to compel organizations to police themselves.
As such, one of the key differences with CMMC is that it requires organizations to be assessed and certified by an independent third party.
These independent third parties are known as Certified Third Party Assessment Organizations (C3PAOs) and are overseen by the CMMC Accreditation Body (CMMC-AB).
CMMC Accreditation Body
The Cybersecurity Maturity Model Certification Accreditation Body, or CMMC-AB, "establishes and oversees a qualified, trained, and high-fidelity community of assessors that can deliver consistent and informative assessments to participating organizations against a defined set of controls/best practices within the Cybersecurity Maturity Model Certification (CMMC) Program”.
The CMMC-AB has a no-cost contract with the Department of Defense and is the exclusive accreditation body tasked to "support the execution of CMMC in accordance with DoD policies and requirements".
DoD requires the CMMC-AB to:
- Develop, maintain, and provide provisional training, including curricula and testing, for instructors and individual assessors
- Ensure the quality control of all training products, instruction, and testing
- Develop, maintain, and manage database(s) to track the status of all authorized and accredited C3PAOs, provisional assessors, trainers, and instructors
- Develop and maintain a quality assurance program that conforms to ISO/IEC 17011
- Establish, maintain, and manage an up-to-date list of authorized and accredited C3PAOs on a publicly accessible CMMC “Marketplace”
In addition to supporting DoD's requirements, the CMMC-AB manages its own certification construct, which consists of Registered Provider Organizations (RPOs) and Registered Practitioners (RPs).
While the RPO and RP designations are not meaningless, they are not required in order to provide CMMC-related consulting services, nor does holding one necessarily mean a provider is qualified to provide those services.
Certified Third Party Assessment Organizations (C3PAOs)
C3PAOs employ certified assessors who conduct the actual inspection and assessment of an Organization Seeking Certification (OSC); the assessors are specifically trained, certified, and authorized to conduct those assessments.
C3PAOs must meet requirements defined by DoD and by their contractual agreements with the CMMC-AB. These requirements include, but are not limited to:
- Successfully passing a CMMC Level 3 assessment performed by the DIBCAC
- Becoming ISO/IEC 17020 accredited within twenty-seven (27) months of registration as a C3PAO
- Adhering to a code of professional conduct
- Being subject to quality assurance reviews
In addition, a C3PAO and its certified assessors may not conduct an assessment leading to certification for an OSC to which they also provided consulting services.
Certified CMMC assessors conduct the assessments on behalf of the C3PAOs and the CMMC-AB. As of this writing, there are no certified assessors; however, there are one hundred (100) provisional assessors.
Provisional assessors are akin to deputized assessors: they have not gone through the formal training and certification process that will be required of all assessors once that process has been implemented.
Certified assessors are authorized to conduct assessments at different levels, depending on their level of training, experience, and passing of examinations. The levels of assessors are:
- Certified CMMC Professional (CP) - These individuals are authorized to participate on assessment teams at any level, but must be supervised.
- Certified CMMC CCA-1 Assessor - Authorized to conduct level 1 assessments and supervise certified professionals during said assessments.
- Certified CMMC CCA-3 Assessor - Authorized to conduct level 3 assessments and supervise certified professionals and level 1 assessors during said assessments.
- Certified CMMC CCA-5 Assessor - Authorized to conduct level 5 assessments and supervise certified professionals, level 1, and level 3 assessors during said assessments.
Certified assessors must also meet certain requirements, including completion of a certain number of assessments, to be eligible for a higher level. For example, a CMMC level 3 assessor who would like to conduct level 5 assessments must first conduct 15 assessments to be eligible.
Certified assessors must also undergo a national agency check, commonly referred to by the Government as a suitability and fitness determination. In addition, for level 1 and higher assessments, certified assessors must be U.S. persons.
For additional information on certified assessors, check out the CMMC-AB website.
CMMC Marketplace
Now that we have covered the key roles involved with independent CMMC certification assessments, where can you go to find these providers?
The CMMC-AB is responsible for developing and maintaining a publicly accessible listing of the organizations and individuals qualified to carry out the key CMMC certification assessment roles. To fulfill this requirement, the CMMC-AB developed a marketplace that lists C3PAOs, RPOs, Certified Professionals and Certified Assessors (CPs/CAs), and RPs.
How is Compliance Assessed?
While further guidance is still needed to fully understand the assessment objectives and how assessments will take place, DoD/A&S has published assessment guides for Levels 1 and 3. These guides are similar to NIST SP 800-171A and NIST SP 800-53A, and contain a wealth of information on how assessments will be conducted and the objectives that systems need to meet.
These guides can be found on the DoD/A&S website at the following locations:
These guides include the assessment objectives for each practice, a discussion of each objective/practice, and examples of where documentation or evidence supporting implementation of the practice may exist.
One significant gap in the existing assessment guides is scoping guidance. Scoping guidance should arrive in future revisions, but for now it is a bit of a guessing game for the industry.
Examine, Interview, and Test
Three methods are used to verify the implementation of a security requirement: Examine, Interview, and Test. The definitions for these methods come from NIST SP 800-171A, Appendix D:
- Examine - "The process of checking, inspecting, reviewing, observing, studying, or analyzing one or more assessment objects to facilitate understanding, achieve clarification, or obtain evidence. The results are used to support the determination of security safeguard existence, functionality, correctness, completeness, and potential for improvement over time."
- Interview - "The process of conducting discussions with individuals or groups of individuals in an organization to facilitate understanding, achieve clarification, or lead to the location of evidence. The results are used to support the determination of security safeguard existence, functionality, correctness, completeness, and potential for improvement over time."
- Test - "The process of exercising one or more assessment objects under specified conditions to compare actual with expected behavior. The results are used to support the determination of security safeguard existence, functionality, correctness, completeness, and potential for improvement over time."
At this point, you may still have questions. Who performs those assessments? Who issues and manages the certifications and the associated processes? How do I become one of the people or organizations that conduct assessments? And more.
We will cover all of that and more in our next article(s). In the meantime, please contact us with any additional questions you may have!