The United States Department of Defense (DoD) was created in 1947 by unifying the military branches under one department. Since then, the DoD has been protecting the nation from physical threats and, as of late, cyber threats. At the onset of the personal computer wave in the 1980s, the DoD began publishing computer security recommendations. These recommendations have since developed into the required DoD cybersecurity certifications that companies have today.
Technology increases rapidly in sophistication and capability. As a result, so do cybersecurity risks. The DoD is at the heart of national security, so it is only natural that its security standards are among the highest in the world. The DoD’s cybersecurity history may help familiarize companies with federal compliance to prepare them for future DoD contracts and help them establish strong protocols.
The Rainbow Series was an assortment of free documents released in the 1980s through the 1990s that provided security recommendations for U.S. government agencies. Each recommendation category is identifiable by the book’s cover, the colors of which coined the nickname “Rainbow.” The following are examples of some of the DoD cybersecurity documents:
- Orange Book (CSC-STD-001-83) – DOD Trusted Computer System Evaluation Criteria (TCSEC) [DOD 5200.28].
- Green Book (CSC-STD-002-85) – DOD Password Management Guidelines.
- Light Yellow Book (CSC-STD-003-85) – Guidance for Applying the DOD Trusted Computer System Evaluation Criteria in Specific Environments.
- Yellow Book II (CSC-STD-004-85) – Technical Rationale Behind CSC-STD-003-85: Computer Security Requirements.
The DoD Information Technology Security Certification and Accreditation Process (DITSCAP) was the first accreditation and certification process that the DoD used. It was created in 1992 to show that contractor systems were safe to operate in the manner agreed upon in the contract. Later, DIACAP replaced DITSCAP.
The DoD Information Assurance Certification and Accreditation Process (DIACAP) produced a formal standard for risk management. DIACAP looked to ensure that organizations applied risk management to their information systems. To fulfill that goal, DIACAP contained processes to recognize, implement, confirm, and manage information assurance measures and services. The initial version formed in 2006, and the final version was signed in 2014.
NIST SP 800-53, RMF, CSF
NIST created SP 800-53 in 2006. The final version came in April 2013. This publication provided a framework for security and privacy controls to apply to federal computer systems. The NIST Risk Management Framework (RMF) superseded NIST SP 800-53 in 2020.
The RMF was designed to aid in the discovery and mitigation of risk in federal systems. It utilizes a process to integrate security, privacy and cyber supply chain risk management activities into the system development lifecycle. The RMF can apply to legacy technology and new technology systems.
In 2014, NIST worked with the private sector and the federal government to create the Cybersecurity Framework (CSF).
- The CSF integrates industry standards and best practices to help organizations set up and manage their DoD cybersecurity program.
- The primary objective of CSF is to address cyber threats and support business goals.
- CSF generates a common language to simplify the understanding of threats to staff at all levels within a business.
DFARS/NIST SP 800-171
The Defense Federal Acquisition Regulation Supplement (DFARS) established rules on the handling of covered defense information, including the reporting of cyber incidents. DFARS’ main objective is to protect the DoD’s unclassified information on a defense contractor’s internal information systems.
Furthermore, NIST released NIST SP 800-171 to guide standards and best practices in the handling of controlled unclassified information (CUI) within non-federal systems and organizations. Data classified as CUI does not require clearance to view but isn’t meant for public distribution. The requirements apply to all non-federal systems that handle (process, store or transmit) CUI or that provide protection for such components.
Notably, the development of the CMMC 2.0 model uses 800-171 as its base.
For a considerable time, the NIST SP 800-171 framework was the standard to guide DoD contractors and subcontractors in managing CUI. With the rapid increase in cyber threats across the globe, the Defense Industrial Base (DIB) sector especially needed an enhanced model for protection. The answer to this problem is the Cybersecurity Maturity Model Certification (CMMC).
The CMMC launched on January 31, 2020, as a unified standard for DoD cybersecurity practices. As a result, it largely replaces NIST SP 800-171 compliance as the federal government’s mechanism for protecting CUI. The CMMC has three levels at which a defense contractor can become certified in order to bid on DoD contracts. Starting with Level 1, each subsequent level requires more security controls and practices. The CMMC ensures security compliance and safety within the supply chain for DoD work.
- One key difference between CMMC and NIST SP 800-171 is the need for third-party assessments. While NIST SP 800-171 only required self-assessments, CMMC Levels 2 and 3 require an outside organization to audit remediation and certify compliance.
- As a precursor to CMMC, the DFARS Interim Rule (252.204-7019) establishes requirements for NIST SP 800-171 compliance scoring (SPRS score) and remediation.
Learn More About the DoD Cybersecurity Requirements
The DoD has a long history of setting standards to protect national security. As technology has progressed, so has the response to threats and the standard for achieving a strong security posture. Accordingly, the DoD requirements have moved from having reasonable cybersecurity measures with self-assessments to having strong cybersecurity controls.
If a company relies on DoD contracts, then it must become CMMC certified. The certification level required depends on the contract and the CUI involved. Regardless of the required level, however, the contractor still needs a professional third party that can get them to where they need to be.
InfoDefense has helped many clients achieve compliance standards to make them successful. If you are a defense contractor and need help becoming CMMC certified, contact us today for more information.