On December 31, 2017, compliance with the Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012 (Revised Oct 21, 2016), Safeguarding Covered Defense Information and Cyber Incident Reporting, became mandatory for all contractors (and subcontractors). Since then, the Department of Defense (DoD) has been striving to improve security within the defense industrial base, or DIB. We’ve all read the headlines where defense contractors get breached and sensitive data is compromised. With the introduction of DFARS, each contracting firm supporting the DoD was required to comply with the set of controls defined in NIST Special Publication 800-171 in order to better protect Controlled Unclassified Information, or CUI.
With a direct military or space application, CUI consists of data such as technical reports, engineering drawings, code (source code or executables), etc. While this data is not classified, it is considered very sensitive. One of the major issues regarding compliance with DFARS is that it is a self-attestation model. Vendors could state that they were compliant with DFARS and the associated regulations, but they were not required to undergo a 3rd party evaluation.
As a result, there was a great deal of variation between the levels of compliance across the defense contracting firms. The DoD Cybersecurity Maturity Model Certification (CMMC) was, in part, created to address the disparity of compliance among the DoD contracting firms; the addition of the 3rd party attestation ensures that all organizations are independently assessed and no longer self-attesting to their compliance. The primary reason for the creation of the CMMC, though, is to strengthen the cybersecurity maturity of the DIB and the vendors in the DoD’s supply chain as well as bolster their ability to recover from cyber incidents.
What is Cybersecurity Maturity?
Because the DoD CMMC is designed to evaluate an organization’s cybersecurity maturity, it is important to have a basic understanding of what cybersecurity maturity is. Essentially, cybersecurity maturity is the level of sophistication an organization has achieved with regard to the implementation of cybersecurity policies and practices (to include technical implementations). Cybersecurity maturity includes a measure of both depth and breadth regarding various cybersecurity domains such as, but not limited to, the following:
- Access Control
- Identification and Authentication
- Audit and Accountability and Associated Monitoring of Audit Logs
- Incident Response
- Configuration Management (including Secure Configurations)
- Vulnerability Management
- Boundary Defense
- Malware Defense
- Data Protection
- Application Security
- Communications Protections
- System and Information Integrity
- Security Awareness Training
You can also think of cybersecurity maturity in terms of physical hygiene. Are you just brushing your teeth every day, or do you also floss, shower (with soap and shampoo), wash your hands frequently, wash your clothes, trim your nails, comb your hair, and so on? From a cybersecurity perspective, do you just have auditing turned on and generating events, or do you know which events are being generated? Are the audit events prioritized? Are they reduced? Are they correlated across multiple hosts and over time? Do you protect audit logs from tampering? There is a big difference between just brushing your teeth every day and practicing complete physical hygiene, and so it is with cybersecurity.
What is the DoD Cybersecurity Maturity Model Certification?
The CMMC framework is designed to protect two specific types of data within the DoD supply chain: Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). FCI is “information provided by or generated for the Government under contract not intended for public release.”[1] CUI is “information that requires safeguarding or dissemination controls pursuant to and consistent with laws, regulations, and government-wide policies, excluding information that is classified under Executive Order 13526, Classified National Security Information…”[2]
Using a tiered approach, the CMMC measures cybersecurity maturity across five levels and aligns the levels with associated security processes and practices. Each of the five levels builds upon the previous level with regard to the number of required practices (or controls) and the maturity of the associated processes. There is a certification component to the CMMC which includes an independent 3rd party assessment to verify the process maturity and practice implementation for a given cybersecurity maturity level.
To achieve certification at a certain CMMC level, an organization must reliably demonstrate the firm establishment of processes and the implementation of the associated practices (controls) for the associated level. In order to achieve higher levels of certification, organizations must demonstrate compliance with all lower-level process and practice maturity levels. The CMMC levels are summarized below.
What are the CMMC Levels?
To achieve CMMC compliance at any of the five levels, organizations must demonstrate mature processes and implementation of associated security practices. As you might expect, the degree of difficulty to achieve a certain level increases as the level increases. Below is a summary of each level with regard to its focus, process maturity, and practice maturity:
- Level 1:
  - Focus: Safeguard FCI
  - Process maturity: Performed (practices are performed, but process maturity is not assessed)
  - Practice maturity: Basic cyber hygiene (17 practices designed to protect covered contractor information systems)
- Level 2:
  - Focus: Transition in cybersecurity maturity to protect CUI
  - Process maturity: Documented. Organizations must document the practices that are implemented and the associated policies.
  - Practice maturity: Intermediate cyber hygiene (includes 72 practices sourced from the security requirements in NIST 800-171 and other standards and references)
- Level 3:
  - Focus: Protect CUI
  - Process maturity: Managed. Organizations must have a plan (including how it is resourced) defining how all relevant practices are implemented.
  - Practice maturity: Good cyber hygiene (includes 130 practices sourced from the security requirements in NIST 800-171 plus additional standards and references)
- Level 4:
  - Focus: Protect CUI and reduce the risk of Advanced Persistent Threats (APTs)
  - Process maturity: Reviewed. Organizations must regularly review and measure the effectiveness of the practices they have put in place. Corrective action is taken to remediate any deficiencies, and management reporting is in place.
  - Practice maturity: Proactive (includes 156 practices sourced from the security requirements in NIST 800-171, a subset of the enhanced security requirements from NIST 800-171B, and additional cybersecurity best practices)
- Level 5:
  - Focus: Protect CUI and reduce the risk of Advanced Persistent Threats (APTs)
  - Process maturity: Optimizing. Processes are made as effective as possible.
  - Practice maturity: Advanced/progressive (includes 171 practices sourced from the security requirements in NIST 800-171, a subset of the enhanced security requirements from NIST 800-171B, and additional cybersecurity best practices)
The CMMC model also consists of 17 security domains that primarily originate from the Federal Information Processing Standards (FIPS) Publication 200 and NIST 800-171 control families. The domains are identified below:
- Access Control (AC)
- Asset Management (AM)
- Audit and Accountability (AU)
- Awareness and Training (AT)
- Configuration Management (CM)
- Identification and Authentication (IA)
- Incident Response (IR)
- Maintenance (MA)
- Media Protection (MP)
- Personnel Security (PS)
- Physical Protection (PE)
- Recovery (RE)
- Risk Management (RM)
- Security Assessment (CA)
- Situational Awareness (SA)
- System and Communications Protection (SC)
- System and Information Integrity (SI)
Each of the above domains is further broken down into capabilities, and each capability consists of a number of practices. Capabilities are essentially high-level action statements for each domain. Example capabilities include Conduct Security Awareness Activities, Manage Backups, Control Internal System Access, Test Incident Response, etc. Practices are essentially the set of security controls that support the capability statements. To receive CMMC certification, organizations must implement the security practices in each domain for a given certification level. They will also be assessed for process maturity.
Who Needs CMMC Certification?
The answer to this question is relatively straightforward. Any organization that supports or provides services to the DoD, or is part of the DoD supply chain, will be required to obtain a CMMC certification. This includes organizations that provide engineering, research, development, sustainment, and similar services for DoD systems, networks, and installations. The number of organizations that fall into this category is over 300,000 (see CMMC v1.02, March 18, 2020). Firms that support or provide services to organizations supporting the DoD will likely also be required to be assessed against the CMMC.
As noted by Katie Arrington, the Special Assistant to the Assistant Secretary of Defense for Acquisition, ASD(A), for Cyber, in a recent webcast, of the organizations that will be required to obtain a CMMC certification, most will be assessed at Levels 1, 2, or 3. Less than 1% of contractors will be assessed at either Level 4 or Level 5.
How Do I Get CMMC Certified?
In order to obtain a CMMC certification, organizations must be assessed by a Certified 3rd Party Assessment Organization, or C3PAO. C3PAOs are authorized by the CMMC Accreditation Body (CMMC-AB). At this point, there are no authorized C3PAOs as the pilot training program is just getting started. The pilot training program will consist of a small number of assessors who will perform the initial assessments and provide feedback to the CMMC-AB. This feedback will be rolled into the training for the larger body of assessors.
The pilot program, as well as the certified training program, will be launched in the winter of 2020/2021 with the first assessments likely beginning in the spring of 2021. Organizations should start now, if they haven’t already, to prepare for their upcoming assessment. Obtaining a CMMC certification will not be easy; it will require focused and dedicated resources to plan for certification as well as identify and close gaps in their technical control implementation.
The DoD CMMC is required for all organizations that support the DoD directly or are in the DoD’s supply chain. The CMMC framework consists of five increasingly demanding levels that organizations will be assessed against, but most organizations will be assessed at Levels 1, 2, or 3. Assessments will be conducted by a C3PAO authorized by the CMMC-AB. While there are no authorized C3PAOs at this point in time, the pilot training program has begun, and lessons learned will be incorporated into the training courses for the wider C3PAO audience. It is estimated that assessments will start in Q1 2021.
To complement our FedRAMP and other NIST assessment services, Linford and Company has registered to become an authorized C3PAO. If you have questions on how to prepare for an upcoming CMMC assessment, please contact us.
[1] 48 Code of Federal Regulations (CFR) 52.204-21, Basic Safeguarding of Covered Contractor Information Systems, Federal Acquisition Regulation (FAR), 1 Oct 2016.
[2] NIST Special Publication (SP) 800-171 Revision (Rev) 1, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, U.S. Department of Commerce National Institute of Standards and Technology (NIST), December 2016 (updated June 2018).
Ray Dunham started his career as an Air Force Officer in 1996 in the field of Communications and Computer Systems. Following his time in the Air Force, Ray worked in the defense industry in areas of system architecture, system engineering, and primarily information security. Ray leads L&C’s FedRAMP practice but also supports SOC examinations and HITRUST assessments. Ray enjoys working with clients to secure their environments and provide guidance on information security principles and practices.