Criterion Systems' Department of Defense (DoD) Cybersecurity Maturity Model Certification (CMMC) Forecast Sheet (19 Aug)
By Dan Chandler, CISO
Note: This version was updated 9/19/19 to reflect recent developments.
DoD CMMC Introduction and Background:
This forecast sheet was developed to summarize what we currently know about the new DoD CMMC program and what can be expected as DoD continues to roll it out. DoD began work on CMMC in March 2019 in partnership with several organizations, including the Johns Hopkins University Applied Physics Laboratory (APL), the Defense Industrial Base (DIB) Sector Coordinating Council, the Carnegie Mellon University Software Engineering Institute (SEI), and the Office of Small Business Programs. Industry associations such as the Professional Services Council, the Aerospace Industries Association and the National Defense Industrial Association also supported the effort. These efforts concentrate on reviewing and combining the various existing cybersecurity standards into one unified cybersecurity standard, which is the proposed DoD CMMC program. Ms. Katie Arrington, the Special Assistant for Cyber in the Office of the Assistant Secretary of Defense for Acquisition, stated during a recent teleconference organized by the Professional Services Council that:
“We cannot afford not to do this” because “[The U.S. is] losing $600 billion a year to our adversaries in exfiltrations, data rights, R&D loss. If we were able to institute good cyber hygiene and we were able to reduce, let’s just say email phishing schemes by 10%, think of the amount of money that we could save to truly reinvest back into our partners in the industrial base that we need to stay on the competitive edge. And the only way that we saw fit to do this was to create this CMMC so we can ensure that we are doing everything we can do to buy down the risk of our adversaries stealing our hard work.”
In 2015, DoD published a Defense Acquisition Federal Regulation Supplement (DFARS) clause that mandates that private DoD contractors adopt the cybersecurity standards of National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 to protect the U.S. supply chain from foreign and domestic cyber threats. In summary, the DFARS 252.204-7012 contract clause allowed DoD contractors to self-attest their compliance with the NIST standard and to set their own future compliance deadlines.
In 2016, NIST released Special Publication (SP) 800-171 Rev 1, "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations", which lists 110 cybersecurity best practices that contractors with access to controlled unclassified information (CUI) must comply with. While compliance with NIST SP 800-171 Rev 1 is a requirement for winning new contracts, there is still no formal auditing or certification program, and Federal government contractors can self-certify that they meet the cybersecurity requirements.
CMMC's purpose is to ensure that appropriate cybersecurity controls and processes are in place and adequate to protect CUI on DoD contractor systems. CUI is data that must be protected against release but has not been classified by the U.S. Government. CUI also includes well-known sensitive information categories such as personally identifiable information (PII) and health records for service members. Any DoD contractor information system that interacts with CUI as part of the contractor's services or sales is in scope. All DoD contractors will need to become DoD CMMC certified by passing a DoD CMMC audit that verifies they have met the appropriate level of cybersecurity for their business. This will be a requirement for any organization that wants to hold contracts with DoD.
DoD has issued a draft version of the DoD Cybersecurity Maturity Model Certification, which sets cyber standards and practices meant to help the defense industrial base reduce exfiltration of CUI.
DoD CMMC Model and Levels:
The DoD CMMC will review and combine various existing cybersecurity standards and best practices and map their security controls and processes across several maturity levels. In its final form, the DoD CMMC intends to combine cybersecurity control standards such as NIST SP 800-171 (Rev. 1, Rev. 2, SP 800-171A (assessment), and SP 800-171B (draft)), NIST SP 800-53 Rev. 4/5, ISO 27001:2013, ISO 27032, AIA NAS9933, and others into one unified standard for CUI cybersecurity. NIST SP 800-171 Rev 1 is entitled "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations", and a draft of NIST SP 800-171 Rev 2 is in development. The draft of NIST SP 800-171B is entitled "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations: Enhanced Security Requirements for Critical Programs and High Value Assets" and is out for public review and comment. In addition to cybersecurity control standards, the DoD CMMC will also measure how thoroughly a company has institutionalized its cybersecurity practices and processes.
A notice from DoD's Office of the Defense Undersecretary for Acquisition and Sustainment says the draft DoD CMMC Version 0.4 has five levels ranging from basic cyber hygiene to highly advanced practices. Each DoD CMMC level has specific practices and activities that stakeholders must carry out to achieve a capability, and the levels are cumulative: each level adds controls to those required by the levels below it. The DoD CMMC maturity levels are as follows:
- CMMC Level 1 (Basic Cyber Hygiene): To pass an audit at this level, the DoD contractor must implement 17 controls from NIST SP 800-171 Rev 1.
- CMMC Level 2 (Intermediate Cyber Hygiene): To pass an audit at this level, the DoD contractor must implement another 46 controls from NIST SP 800-171 Rev 1.
- CMMC Level 3 (Good Cyber Hygiene): To pass an audit at this level, the DoD contractor must implement the final 47 controls from NIST SP 800-171 Rev 1.
- CMMC Level 4 (Proactive): To pass an audit at this level, the DoD contractor must implement 26 controls from NIST SP 800-171B (draft, public comment stage).
- CMMC Level 5 (Advanced/Progressive): To pass an audit at this level, the DoD contractor must implement the final 4 controls from NIST SP 800-171B.
DoD CMMC levels 4 and 5 are targeted toward a small subset of the DIB sector that supports DoD critical programs and technologies, according to an overview of the draft DoD CMMC model. DoD’s Office of the Defense Undersecretary for Acquisition and Sustainment will accept feedback on the DoD CMMC framework through Sept. 25 with plans to release the DoD CMMC’s draft version 0.6 for public review in November.
The DoD CMMC model consists of 18 domains, including access control, asset management, configuration management, cybersecurity governance, incident response, personnel security, recovery, risk assessment and situational awareness. The information in the following table is based on the draft version of the DoD CMMC model. The number of security controls per level is expected to change in future revisions of the DoD CMMC model.
To verify that DoD contractors have met the appropriate level of cybersecurity controls, DoD will deploy certified independent third-party organizations (much like FedRAMP and HITRUST) to audit DoD contractor information systems and inform the applicable organizational risk management processes. DoD wants these assessors to be independent and unbiased, so the firms doing the certifications will not be allowed to sell other cyber services to the same companies. All of these assessors will be overseen by a single nonprofit entity that will manage the DoD CMMC program.
DoD contractors will coordinate directly with an accredited and independent third-party commercial certification organization to request and schedule a DoD CMMC assessment. The DoD contractor will specify the level of DoD CMMC certification requested based on its specific business requirements. The DoD CMMC program currently includes the development and deployment of a tool that third-party cybersecurity certifiers can use to conduct audits, collect metrics, and inform risk mitigation for the entire supply chain. Based on the results of the audit, the DoD contractor will be awarded certification at the appropriate DoD CMMC level once it has demonstrated the required capabilities and organizational maturity to the satisfaction of the assessor and certifier, or it will not be certified.
One open issue is that no appeal process has yet been defined for an organization that believes it was wrongly assessed. The Federal government organization will determine the appropriate tier for the contracts it administers (not all contracts require the highest level of cybersecurity). The intent is to identify the required DoD CMMC level in Request-for-Proposal (RFP) Sections L and M, use it as a "go/no go" decision for DoD contractor selection, and make cybersecurity an "allowable cost" in DoD contracts. DoD contractors will be allowed to seek reimbursement from the Federal government for achieving their DoD CMMC certifications as an "allowable cost" in their contracts. The DoD CMMC program will also include an education and training center for cybersecurity.
DoD CMMC Process Dates and Milestones:
- Mid 2019 to Early 2020: DoD CMMC working groups meet to begin developing oversight and certifier accreditation program and processes and the creation of automated assessment tools.
- Currently: DoD contractors determine the DoD CMMC Level they want to achieve in order to be certified by the second quarter of 2020 and start planning to get an assessment to determine where they stand regarding the applicable NIST SP 800-171 controls.
- By Fourth Quarter of 2019: DoD will release the draft DoD CMMC Levels and their associated NIST SP 800-171 controls; the DoD will announce the non-profit that will oversee the certification process and will start training independent third-party certifiers; and the NIST Handbook 162, NIST MEP Cybersecurity Self-Assessment Handbook For Assessing NIST SP 800-171 Security Requirements in Response to DFARS Cybersecurity Requirements will be released.
- By January 2020: The official DoD CMMC Levels and requirements will be released, and the certifiers will be available soon thereafter to begin audits.
- By June 2020: The certification program will be tested and revised as needed, and the DoD CMMC requirements should be in Requests for Information (RFIs).
- Mid to Late 2020: Accredit third-party certifiers and certify DoD contractors to bid on RFPs.
- By Fall 2020: Begin adding applicable DoD CMMC requirements to all new DoD RFPs.
DoD CMMC Process Steps:
- Preliminary organizational questions to ask as a starting place: Does the organization currently deal with CUI on current or future contracts? Is CUI currently stored, processed, or transmitted by organizational information systems? Is it possible to isolate CUI information to fewer organizational information systems, fewer networks, or fewer users, while still fulfilling the terms of the contract?
- Perform a risk assessment (RA), including manual and automated assessments, to review the organization's progress toward complying with the minimum requirements outlined in the applicable NIST SP 800-171 and DoD CMMC security controls. The RA process should discover information system configurations and processes that may not meet the requirements and list the controls that are missing or deficient. The results of the RA may reveal issues including, but not limited to: how access to information systems is controlled; how managers and information system administrators are trained; how data records are stored; how security controls and measures are implemented; and how incident response plans are developed and implemented. Without an RA, it is impossible to know what changes an organization needs to make before it meets the required DoD CMMC level.
- Develop a Systems Security Plan (SSP) to describe how the organizational information systems are secured and what policies are in place that relate to cybersecurity. Develop, manage, and track Plans of Actions and Milestones (POA&Ms) to address any missing or deficient security controls based on the findings outlined in the RA. The POA&Ms, mitigation strategies, remediation activities, and corrective action plans provide careful documentation of DoD CMMC processes that do not meet the stated NIST SP 800-171 and DoD CMMC compliance requirements.
- Configure the existing organizational environment or build a new environment to meet NIST SP 800-171 and DoD CMMC compliance requirements.
- Prepare for incident management with a high-quality incident response and management plan and train, test, and exercise it regularly.
- Conduct ongoing cybersecurity monitoring and reporting once the remediation plan is complete and the DoD contractor’s information systems and procedures are compliant with the appropriate DoD CMMC Level. The organization needs to monitor, detect, and report on cybersecurity breaches within their information systems, as required.
- Begin building budgets for the enhanced support requirements and modifying rates to include the enhanced cybersecurity requirements.
- Continue to follow up and make continual improvements including ensuring that organizational cybersecurity policies are realistic and up-to-date.
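The RA, SSP and POA&M steps above boil down to a bookkeeping problem: which controls at or below the target level are not yet implemented, what is the highest level the organization can currently pass, and when will each gap be closed. The following Python script is an added example (it is not from the forecast sheet, DoD, or Criterion Systems) that models the cumulative level structure described above and generates POA&M entries from RA findings. The control identifiers, descriptions and assessment statuses in the sample are constructed placeholders, not NIST SP 800-171 control numbers; the milestone spacing of 30 days per item is likewise an assumption.

```python
"""Gap tracker for a DoD CMMC readiness assessment.

Added example, not code from the forecast sheet or DoD. Control ids,
findings and statuses below are constructed for illustration; only the
cumulative level structure (each level adds to the ones below it) comes
from the draft model as the sheet describes it.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List

# Level names as given in the draft model (v0.4).
LEVEL_NAMES = {
    1: "Basic Cyber Hygiene",
    2: "Intermediate Cyber Hygiene",
    3: "Good Cyber Hygiene",
    4: "Proactive",
    5: "Advanced/Progressive",
}


@dataclass
class Control:
    control_id: str     # constructed placeholder, not a real NIST identifier
    cmmc_level: int     # level at which the control is first required
    implemented: bool   # RA verdict
    finding: str = ""   # RA finding text when the control is deficient


@dataclass
class PoamItem:
    control_id: str
    weakness: str
    needed_for_level: int
    milestone_due: date


def achieved_level(controls: List[Control]) -> int:
    """Highest level whose required controls (its own and all lower levels)
    are all implemented. Returns 0 when even Level 1 has a gap."""
    level = 0
    for lvl in range(1, 6):
        required = [c for c in controls if c.cmmc_level <= lvl]
        if required and all(c.implemented for c in required):
            level = lvl
        else:
            break  # levels are cumulative, so a gap here blocks every higher level
    return level


def gaps_by_level(controls: List[Control], target_level: int) -> Dict[int, int]:
    """Count of deficient controls per level that stand between the
    organization and the target level."""
    counts: Dict[int, int] = {}
    for c in controls:
        if c.cmmc_level <= target_level and not c.implemented:
            counts[c.cmmc_level] = counts.get(c.cmmc_level, 0) + 1
    return counts


def build_poam(controls: List[Control], target_level: int,
               start: date, days_per_item: int = 30) -> List[PoamItem]:
    """POA&M entries for every deficient control needed to reach target_level.
    Lower-level (basic hygiene) gaps are scheduled first, since no higher
    level can be certified until they are closed. Milestone spacing is an
    assumed planning default, not a CMMC requirement."""
    gaps = sorted(
        (c for c in controls if c.cmmc_level <= target_level and not c.implemented),
        key=lambda c: (c.cmmc_level, c.control_id),
    )
    return [
        PoamItem(
            control_id=c.control_id,
            weakness=c.finding or "Control not implemented",
            needed_for_level=c.cmmc_level,
            milestone_due=start + timedelta(days=days_per_item * (n + 1)),
        )
        for n, c in enumerate(gaps)
    ]


# Constructed RA results for a small subset of controls (placeholders only).
SAMPLE_CONTROLS = [
    Control("CTRL-L1-01", 1, True),
    Control("CTRL-L1-02", 1, True),
    Control("CTRL-L1-03", 1, True),
    Control("CTRL-L2-01", 2, True),
    Control("CTRL-L2-02", 2, False, "No documented baseline configuration"),
    Control("CTRL-L3-01", 3, False, "Incident response plan never exercised"),
    Control("CTRL-L4-01", 4, False, "No threat-awareness process in place"),
]


if __name__ == "__main__":
    target = 3
    current = achieved_level(SAMPLE_CONTROLS)
    print(f"Current level: {current} ({LEVEL_NAMES.get(current, 'none')})")
    print(f"Gaps to reach Level {target}: {gaps_by_level(SAMPLE_CONTROLS, target)}")
    for item in build_poam(SAMPLE_CONTROLS, target, date(2019, 10, 1)):
        print(f"  {item.control_id}: {item.weakness} "
              f"(needed for L{item.needed_for_level}, due {item.milestone_due})")
```

Run against the constructed sample, the organization sits at Level 1 with two gaps (one each at Levels 2 and 3) blocking Level 3; the Level 4 finding is reported only once the target is raised. Replacing SAMPLE_CONTROLS with the real RA output and the level mapping from the released DoD CMMC model turns this into a lightweight POA&M tracker that also feeds the SSP.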