Cybersecurity maturity model certification (CMMC) for the U.S. DoD supply chain
Cybersecurity vulnerabilities and intrusions pose major risks to the Department of Defense (DoD) and its supply chain, which is why the DoD is requiring compliance with CMMC
The U.S. Department of Defense (DoD) supply chain has been under attack. This year’s ransomware events, such as the one faced by a U.S. Maritime base that brought cameras, door-access control systems and critical monitoring systems down for 30 hours, and those faced by defense suppliers such as CPI, EWA, Westech International, Garmin, ST Engineering, Visser, Kimchuk and others, serve as a warning to all organizations. Organizations of all types and sizes in the Defense Industrial Base (DIB) have faced cyberattacks. In fact, enterprises like DMI, which provide managed IT and cybersecurity services to organizations like NASA and Fortune 100 companies, have also been breached. Cybersecurity vulnerabilities and intrusions pose major risks to the DoD and its supply chain in the form of business disruption, harm to national security, and loss of trust in the government and the companies involved. According to IBM, cyberattacks against industrial targets doubled in 2019. These events reinforce the DoD’s decision to require compliance with the Cybersecurity Maturity Model Certification (CMMC).
While cybersecurity requirements have been part of the defense procurement process in the form of NIST SP 800-171 compliance for some time now, CMMC standardizes adherence to cybersecurity requirements with more comprehensive practices and higher degrees of maturity, as highlighted in the following sections.
The NIST SP 800-171 requirement mandated self-assessment and self-attestation of compliance. CMMC, on the other hand, requires a third-party auditor to certify that an organization has met the requirements outlined for its business. The certification will be valid for three years. The CMMC Accreditation Body (CMMC-AB), a non-profit organization, is chartered to develop training, audit and certification standards for the auditors. The entity is in the process of releasing the provisional class of accredited auditors (C3PAOs).
An organization will have to comply with one of the five levels depending on its exposure to Federal Contract Information (FCI) and/or Controlled Unclassified Information (CUI). The higher the level, the more cybersecurity practices are required and the higher the degree of maturity those practices must reach within the organization.
CMMC compliance requires institutionalization of up to 171 practices, about 55% more than NIST SP 800-171, across 17 different business areas with an appropriate level of cross-functional engagement and governance. CMMC incorporates practices from NIST SP 800-171, the UK’s Cyber Essentials, the Australian Cyber Security Centre’s Essential Eight maturity model, the Aerospace Industries Association’s NAS9933 and others.
The maturity requirement is often not well understood by organizations. It isn’t sufficient to institutionalize a practice; the organization has to demonstrate an appropriate level of excellence at the practice. For example, level one requires only ad-hoc use of the practice, whereas level three requires an appropriate level of resources and a plan in place for the practice. An organization requiring level four compliance will have to have quantitative measures for the practices in place and frequent reviews of their performance by the management team. This requires continuous gap assessment, timely remediation, and governance in a programmatic approach.
Who needs to comply and at what level?
All organizations in the DoD direct and extended supply chain (DFARS flow-down) that are exposed to FCI and/or CUI will have to comply with CMMC. An organization that is only exposed to FCI will only need to comply with the level one requirements. On the other hand, an organization that is exposed to DoD sensitive CUI will have to protect that CUI and reduce the risk of advanced persistent threats.
- Level 1: Basic Safeguarding of FCI
- Level 2: Transition Step to Protect CUI
- Level 3: Protecting CUI
- Level 4-5: Protecting CUI and reducing risk of Advanced Persistent Threats
All organizations can benefit from having a higher degree of process maturity in cybersecurity practices from the enterprise risk management perspective.
The CMMC requirements are expected to appear in RFPs from the fall of 2020, and the actual clauses are expected to appear in contracts starting from winter/spring 2021. The estimated timeline is summarized in the following figure.
All organizations seeking certification by winter/spring of 2021 should start the gap assessment process against the CMMC requirements now, remediate the gaps, and demonstrate process maturity to gain certification. Starting early would allow an organization to gain certification in a timely manner. Organizations are strongly advised to take a programmatic approach and be intimately involved in the compliance process because of the breadth and depth of the requirements. CMMC compliance will not only help an organization win new defense business but also help enhance overall security and risk management in the organization.