The Department of Defense (DoD) is not immune to cybersecurity incidents. Given the expansive list of third-party contractors and subcontractors, it conducts business with, this should come as no surprise. Historically, the Defense Industrial Base (DIB) has complied with the NIST Special Publication (SP) 800-171, which is aimed at the protection of controlled unclassified information (CUI). Given that compliance with SP 800-171 has been based on the honor system, many contractors have fallen short of meeting the requirements, resulting in security incidents. This is now all about to change.
In May, Katie Arrington, Special Assistant to the Assistant Secretary of Defense for Acquisition for Cyber, gave a presentation to a small group of DoD contractors, introducing the development of the Cybersecurity Maturity Model Certification (CMMC). Designed to be a unified security standard that enhances the protection of CUI and applies to all organizations in the DIB, this new framework takes the previous requirement to the next level by featuring a verification component, among other demands.
All organizations that hold contracts, or subcontracts, tied to the DoD fall in scope of the CMMC. While the first draft of the framework was issued in September 2019, Version 1.0 of the new model is expected in January 2020. The requirements are expected to be incorporated into Requests for Information by June 2020, and into Requests for Proposals by Fall 2020.
“If you touch the Department of Defense at all, or sell to them in any way, or sell to a prime contractor that sells to the Department of Defense, you’re going to be in scope of ,” says Darren Van Booven, lead principal consultant at Trustwave and former CISO of the U.S. House of Representatives.
The deadlines to become compliant are looming, so it’s best to get ahead and work through the most important demands the CMMC requires. To give you a head start, with the help of Van Booven we’ve outlined the seven most important things to know and prepare for when it comes to the DoD’s cybersecurity framework.
1. The framework is specifically for the Department of Defense only.
Organizations that specifically work with or sell to the DoD will be in scope of the CMMC. No matter the size of the organization or type of work it conducts, it will have to be compliant, according to Van Booven.
“There are a lot of companies who may not be thought of as defense contractors in the classical sense—like the Lockheed Martins and Northrop Grummans of the world—that will be in scope,” Van Booven says. “Many of the larger organizations that are out there in the technology world that provide software or services that the DoD leverages are going to fall into this bucket.”
While the CMMC is specifically focused on third-parties holding contracts with or bidding on DoD contracts, there is language in the draft of the framework that hints toward the model taking on a broader role beyond the DoD further down the road.
2. The CMMC combines existing portions of current cybersecurity standards.
As previously mentioned, prior to introducing the CMMC, the DoD required all contractors and subcontractors to be NIST SP 800-171 compliant. Not only will this still be the case in regard to the new framework, but other portions of cybersecurity standards will be brewed into the new cybersecurity model, including NIST SP 800-53, ISO 270001 and ISO 27032. The goal for the department is to create a unified standard that “measures the maturity of a company’s institutionalization of cybersecurity practices and processes.”
3. Certifications will be determined by an auditor.
Perhaps one of the most impactful requirements of the CMMC is that the certifications will be determined by accredited and independent third-party certified organizations. These entities will rate the compliance of the contractors with the CMMC on levels that range from a one to a five, with a five being the most mature from a cybersecurity posture standpoint. Although the criteria and the accreditation for companies to be certified auditors has yet to be determined, according to the CMMC site, “higher-level assessments may be performed by organic DoD assessors within the Services, the Defense Contract Management Agency or the Defense Counterintelligence and Security Agency.
4. Specific maturity levels will be assigned.
The results of the CMMC qualification process will be a maturity level assignment that ranges from Level 1 (“Basic Cyber Hygiene”) to Level 5 (“Advanced/Progressive”). The specific parameters around what it takes to meet each level of maturity are and what the criteria are for doing these verifications is still being defined, according to Van Booven.
“They’re going to need to pay a company to perform the verification,” he says. “Before it was more of a pass-fail model, but what the framework introduces is a decision to be made on the contractor’s part to implement new controls that allows them to reach a new level of cybersecurity maturity that will give them an advantage on a contract.”
The government will ultimately decide the maturity tier that is assigned to contracts.
5. You may not lose your certification if you’re compromised.
As we all know when it comes to security breaches, it’s not a matter of if, but when. For those contractors or subcontractors that have been certified, should a security breach take place, it will not result in the loss of their certification. However, depending on the specifics tied to the compromise, the contractor may be required to be recertified, which will inevitably involve additional costs incurred on the contractor’s behalf.
The First Two Steps to Take
It’s likely that additional changes are made in the coming weeks and months to the framework, but according to Van Booven, any organizations currently working with or planning to bid on DoD contracts should focus on the following two areas to get a step ahead in the process:
Determine If You’re in Scope
Seeing as ALL contractors, subcontractors or other organizations doing business with the DoD must be NIST SP 800-171 compliant, first determine if your business falls into this bucket. This is the first step that must be confirmed because overlooking it runs the risk of losing potential business you currently have.
“Organizations that in scope of this absolutely need to be preparing now for this in terms of understanding or looking at themselves,” Van Booven says.
Assess Your Security Program
It’s important to determine how mature your security program is. Assess how you identify and control sensitive government information. It may also be helpful to compare yourself as a company against the standard and start assessing where you are, but most importantly, where you’ll need to be to meet the requirements of the given DoD contract you’re aiming to win.
“Companies should definitely not wait until June of next year to get certified, only to find out that their cybersecurity maturity is at a level 1 when they need to be at a four,” Van Booven adds. “During that time lost they could have implemented the necessary changes.”
Meeting the requirements tied to the CMMC should not be too complex for companies, but it may require the help of a trusted security advisor that can provide a second opinion on where they think your organization is from a readiness perspective. Many organizations opt to take this route seeing as how you assess yourself is sometimes different than how you would be assessed against industry best practice or other standards. An objective third-party partner is the best way to do that.
UPDATE: Draft version 0.6 of the CMMC was released on November 7, 2019 and can be accessed here.