This incident highlights the difficulties faced by the DoD when it comes to securing data, especially when entrusted to outside entities. Consequently, it underlines that the need to address tighter security needs has become a priority for the federal government networks anywhere covered defense information (CDI) is processed, stored or transmitted. Though security breaches are inevitable, resilience to cyber-attacks can be improved and supply chain risks minimized. As Kevin Fahey, Assistant Secretary of Defense for Acquisition, said: “We need risk management solutions to assess, measure, and mitigate risk in real-time across multi-tier partner and supplier networks to achieve our goal of cost, schedule and performance, as they are only effective in a secure environment.”

DoD’s newest framework and standard for cybersecurity: CMMC

Coming in 2020, proof of adequate security is going to be a requirement for contractors of the DoD. In fact, every prime and subcontractor on a supply chain will be audited and certified under a Cybersecurity Maturity Model Certification (CMMC) framework in order to assess and enhance the cybersecurity posture of the Defense Industrial Base (DIB). This will benefit the security of contractors and the DIB, as well as help the DoD to avoid future losses due to cyber breaches. “The concept of a CMMC framework arose in response to a series of high-profile breaches of DoD information,” writes Susan Cassidy, Government Contracts Attorney, Covington. This new program was designed to strengthen the defense industrial base and be a relevant benchmark to secure the supply chain, she said. The framework aims to certify a company’s compliance with federal cybersecurity regulations around controlled unclassified information (CUI).

What is the CMMC?

CMMC is a supply chain risk management approach for the Department of Defense and its industrial base. Soon, CMMC third-party certifiers will have the tools to conduct audits and collect metrics and risk management information for the entire supply chain. When implemented, the associated controls and processes, spread across several maturity levels that range from basic cyberhygiene to advanced measures, will reduce the risk resulting from a defined set of cyberthreats. This DoD effort is geared towards fortifying its cybersecurity strategy by addressing an area of risk that, so far, has been harder to control: the safety and readiness of third-party systems.

The standard, drafted and made available this summer, details five maturity levels, and starting in January 2020 the DoD will require vendors to be evaluated and certified against the requirements of each level by third-party assessment organizations. By June 2020, the CMMC requirements will be included in requests for information (RFIs), and in September 2020 in requests for proposals (RFPs). As Ms. Cassidy explains: “Notably, DoD will assess which CMMC level is appropriate for a particular contract and incorporate that level into Sections L and M of the RFP as a ‘go/no go’ evaluative determination.” This framework reflects the DoD’s first attempt at solving a long-standing issue. The model that inspired this maturity level system applied to procurement is the Cyber Security Model that the United Kingdom’s Ministry of Defence currently uses for all its contracts, but the DoD’s solution will also incorporate many of the existing requirements from NIST SP 800-171, which measures a contractor’s compliance with a specified set of controls. However, the CMMC will more broadly “measure the maturity of a company’s institutionalization of cybersecurity practices and processes,” and is also expected to combine relevant portions of NIST SP 800-53, ISO 27001, ISO 27032, AIA NAS9933 and others into one unified standard for cybersecurity. In addition to cybersecurity control standards, the CMMC is incorporating many of the existing requirements from the Federal Risk and Authorization Management Program (FedRAMP) security baseline. In other words, the goal is “one standard, one maturity model,” writes Thomas Taylor at Tripwire.

The maturity levels for NIST 800-171/CMMC compliance

The Department of Defense currently mandates that its contractors meet the requirements of NIST Special Publication 800-171, but there is no audit or accountability for protecting CUI; this shortcoming has led to the devising of the Cybersecurity Maturity Model Certification (CMMC), which will require third-party audits and certification of the DoD supply chain for compliance built on Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012. That clause requires defense contractors handling sensitive, unclassified information to implement the 110 security controls of NIST SP 800-171. Implementing cybersecurity in DoD supply chains is based on the identification of five certification tiers:

Level | Name | Security controls added at this level
CMMC Level 1 | Basic Cyber Hygiene | 17 security controls (NIST SP 800-171 rev 1)
CMMC Level 2 | Intermediate Cyber Hygiene | 46 security controls (NIST SP 800-171 rev 1)
CMMC Level 3 | Good Cyber Hygiene | 47 security controls (NIST SP 800-171 rev 1)
CMMC Level 4 | Proactive | 26 security controls (NIST SP 800-171B)
CMMC Level 5 | Advanced/Progressive | 4 security controls (NIST SP 800-171B)

While previous regulations like NIST SP 800-171 allowed for self-assessment, in order for companies to be awarded a certification at the appropriate CMMC level, they will need to demonstrate to assessors and certifiers that they have the appropriate capabilities and organizational maturity, with proper controls and processes in place to reduce the risk of specific cyberthreats. The five levels also recognize that not all companies will need the highest levels of controls and cybersecurity. Companies whose business only requires basic levels of cyberhygiene will still be able to prepare for certification in cost-effective and affordable ways. Cybersecurity will also be an allowable and reimbursable cost in DoD contracts.

Timeline for CMMC

Katie Arrington described the following timeline for CMMC during a presentation for a group of DoD contractors on May 23, 2019 to announce the proposed program:

Mid-2019: Working groups and creation of automated assessment tools
Early 2020: Begin developing the oversight and certifier accreditation program and processes
Mid-2020: Test the certification program and revise it
Mid/late-2020: Accredit third-party certifiers
Future: Begin adding the CMMC requirement to all new DoD RFPs

Note: There will be a Security Awareness Conference on Thursday, September 26th, 2019 at the Hyatt Regency Tysons Corner Center, Virginia. This conference will feature security experts from industry and government, who will hold a Q&A session for attendees to gain additional insight into the new contractor cybersecurity standard (CMMC) and its five-level system.

Figure 1: CMMC implementation timeline

The question remains: can third-party certifiers meet the acquisition solicitation timeline, and are there enough auditors to handle the task of CMMC assessment so that businesses can continue doing business with the DoD? It seems like a daunting undertaking, but the Pentagon is optimistic about moving to full enforcement of the new cybersecurity certification standards for DoD contractors, and the program is already taking shape months before the CMMC’s anticipated mid-2020 launch.

What will CMMC be like: Key points

Five levels of data security, ranging from basic cyberhygiene to state-of-the-art, in order to allow implementation of reasonable security measures based on the needs of the contract.
Every defense contract of contractors and subcontractors — whether they deal with sensitive information or not — will have the effectiveness of their cybersecurity practices scored on a scale of 1 to 5.
Contractors that are noncompliant with the required level will not be able to retain DoD contracts.
Under the new certification requirements, DoD contractor information systems will be required to be certified compliant by an outside auditor. This solves an ongoing issue where some businesses have self-certified compliance without fully implementing (or understanding) the needed security controls.
A tool will be developed to allow third-party cybersecurity certifiers to conduct audits and collect metrics. The DoD will also measure compliance with the DFARS and NIST requirements to ensure contractors are handling sensitive unclassified information properly.
It will use a single standard across all DoD contracts (for any kind of business).
Cybersecurity will be an “allowable cost” in DoD contracts. Contractors will be allowed to seek reimbursement from the government for achieving their CMMC certifications.

Katie Arrington, an expert for the Undersecretary of Defense’s Acquisition and Sustainment team, said the DoD is planning a “crawl, walk, run” approach that would ensure a smooth rollout of the CMMC (on an 18-month timeline). They are taking the plan on the road as part of efforts to engage with the Defense Industrial Base sector and solicit feedback through a series of nationwide “listening sessions” in eleven cities.

Conclusion

In an effort to increase cybersecurity and protect against threats to its supply chain, the U.S. Government and the DoD are implementing a new system that requires companies doing business with the government to be CMMC-certified at a minimum of Level 1 during contract performance. The Cybersecurity Maturity Model Certification is a solution that aims to enhance the cyber-posture of companies throughout the DIB multi-tier supply chain in order to reinforce the protection of CUI residing on company networks. Third-party auditors will perform CMMC checks and evaluate companies against a maturity scale; contracting officers will decide which levels are required for all bid contracts. In essence, “the CMMC appears to be a strategic and well-thought-out solution to prioritizing DFARS enforcement, while at the same time, helping small businesses improve cyber hygiene and slowing the progress of those adversaries responsible for $600B of the government’s IT and R&D losses,” as Thomas Taylor writes. The CMMC, a unified DoD cybersecurity standard, will “serve as a verification mechanism to ensure appropriate levels of cybersecurity controls and processes are adequate and in place to protect controlled unclassified information (CUI) that resides on the Department’s industry partners’ networks,” writes the team at Beryllium InfoSec Collaborative. Although the CMMC model will be implemented at first in DoD contracts, there is no reason not to believe that, eventually, the same certification system will be applied to other agencies.

Sources