How Does the CMMC Apply to My Company?

A recent Identity Theft Resource Center report estimates that the United States government and military faced over 80 data breaches last year, exposing over 3.5 million sensitive records. With cyber threats posing more significant hazards for the defense supply chain than ever before, along with physical threats from rival nation states, now is the time to reinforce cybersecurity priorities across the board. That is exactly what the Cybersecurity Maturity Model Certification, or CMMC (and the current CMMC interim rule), is designed to achieve.

With increased foreign interest in U.S.-based resources, as well as an increasing number of foreign owners and suppliers, the CMMC was designed to take a head-on approach to issues like these. While the U.S. government's initial approach, compliance with NIST SP 800-171 through DFARS 252.204-7012, introduced fundamental security controls into the national defense supply chain, these measures weren't enough.

This is evident not only in the recent theft of confidential information related to U.S. fighter jets, an attack coordinated by malicious Chinese hackers, but also in similar incidents seen repeatedly over the years. With specific and verified threats originating from China, South Korea, Russia and more, it's essential that U.S. Department of Defense (DoD) contractors step up their cybersecurity efforts via CMMC compliance.

CMMC will replace NIST SP 800-171. As a precursor to CMMC, the U.S. Department of Defense issued a CMMC interim rule [DFARS Interim Rule (252.204-7019)] that establishes requirements for NIST SP 800-171 compliance scoring and remediation beginning November 30, 2020.


How Do We Get Ahead of the Problem?

Officially released on January 31, 2020, CMMC is the U.S. government's attempt to lead the fight against industrial espionage and other cyber threats posed by rival nation states. Specifically designed for use by the DoD supply chain, CMMC is a set of protocols that was created to standardize information protection across the Defense Industrial Base (DIB). The goal is to safeguard Controlled Unclassified Information (CUI) in the hands of the DoD's industry partners.

The government will achieve this by incorporating CMMC into the Defense Federal Acquisition Regulation Supplement, or DFARS, and mandating that contractors be certified as a requirement for contract awards. If successful, CMMC has the potential to become the model for other countries looking to establish standardized cybersecurity measures in their regions.

The CMMC Interim Rule

CMMC addresses a possible flaw with NIST SP 800-171: self-certification. Currently, DoD contractors and subcontractors with access to CUI self-certify their compliance by accepting DFARS clause 252.204-7012 within their contracts, which states, "the covered contractor information system shall be subject to the security requirements in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171..." CMMC instead requires a sign-off from a Certified Third Party Assessor Organization (C3PAO) in order to become compliant and keep or win contracts.

Facilitating the shift to CMMC's certification process is the Supplier Performance Risk System (SPRS). Under the CMMC interim rule, contractors and prospective contractors must perform self-assessments and report in SPRS how many of the 110 NIST SP 800-171 security controls they have fully implemented. This gives the DoD insight into contractors' current compliance levels until all contracts require CMMC certification by a C3PAO in the coming years.


CMMC in a Nutshell

CMMC has been a highly anticipated initiative supported by countless IT professionals. The standard was drafted with direct input from leaders at various university-sponsored research centers and other industry professionals.

CMMC is divided into five maturity levels that build on one another and are designed to represent the level of cybersecurity program maturity for a certified organization. CMMC levels include:

Level 1: The first level is composed of 17 cybersecurity practices, consisting of antivirus, access control and other basic cybersecurity safeguards. Level 1 certification will be required for all companies that work with Federal Contract Information (FCI), which does not include information that is freely available to the public. The major difference at this level is that process maturity is not assessed, because many organizations are able to perform these practices only in an ad hoc manner.

Level 2: A step up from Level 1, this level focuses on intermediate cyber hygiene and creates a maturity-based advancement for organizations to transition from the first to the third level. It consists of a subset of security practices outlined in NIST SP 800-171 as well as requirements from other standards. CMMC Level 2 includes 55 practices. Because it is more advanced, it ensures better protection of the organization's information against a greater number of cyber threats in comparison to Level 1.

Level 3: Organizations at this level must have a total of 130 cybersecurity practices in place to achieve a designation of "good cybersecurity hygiene." The focus is on the protection of Controlled Unclassified Information. It’s important to note that the first three levels collectively address all 110 security requirements specified in NIST SP 800-171 rev2, but the recent update to CMMC Level 3 now calls for compliance with 20 additional practices.

Level 4: Level 4 is for organizations that have a robust and proactive cybersecurity program in place. The organizations that qualify for this level should be able to adapt to evolving tactics, techniques and procedures (TTPs) used by threat actors. They are also expected to analyze and document all activities for effectiveness. Companies that reach Level 4 are said to have "proactive cybersecurity hygiene." With 156 separate cybersecurity practices in place, they are already in a great position to protect sensitive information.

Level 5: This is the final and most advanced level. Carrying the designation of "advanced/progressive cybersecurity hygiene," this level adds 15 practices to those of the previous levels. At this level, an organization not only has an advanced cybersecurity program in place, but has also demonstrated the capability to enhance the program's efficiency.

The high number of required cybersecurity practices in Levels 3-5 can seem overwhelming at first, but many companies already address most of the requirements. Since CMMC cybersecurity practices also feature in other standards, such as those published by AIA and NAS 9933, the new regulations are not likely to involve much change for larger defense contractors. Smaller contractors, however, may find it more challenging to meet the compliance requirements.

Who is Affected by the CMMC?

Simply put, the CMMC applies to any organization that works with Controlled Unclassified Information, which includes most data that is possessed or created by the U.S. government. Although it is unclassified, entities must receive permission from the DoD information owner to access it.

As one might expect, many different data types fall under the umbrella of CUI and, as a result, benefit from the strict protections offered by the CMMC. This includes information pertaining to:

The certification process will be live in late 2020, and certifications will begin in 2021. According to the CMMC interim rule, all defense contractors will be required to certify within the next five years, according to their contract renewal schedules. CMMC certification will also be required to maintain eligibility for new DoD projects.

Unlike NIST SP 800-171, the CMMC does not offer the option to self-certify, as it requires a sign-off from a third-party auditor. Companies can opt for either Level 4 or Level 5 certification. However, failure to meet any qualification required by a level will result in a lower level of certification. As such, it is good practice to perform a pre-assessment prior to a Certified Third-party Assessor Organization (C3PAO) certification assessment.

The clock is ticking, and it's imperative that DoD contractors prepare to complete their certifications, which will ultimately enable the Department of Defense to safeguard CUI and further mitigate threats to our national security posed by nation states and other adversaries.

Request our CMMC self-assessment tool today to find out whether your organization is prepared to handle the online threats of today.

Originally published August 18, 2020, updated September 1, 2021

Kevin Wheeler
