A recent Identity Theft Resource Center report estimates that the United States government and military faced over 80 data breaches in 2019. As a result, over 3.5 million sensitive records were exposed. With cyber threats posing more significant hazards for the defense supply chain than ever before, along with physical threats from rival nation states, now is the time to reinforce cybersecurity priorities across the board. That’s exactly what the Cybersecurity Maturity Model Certification, or CMMC (and the current CMMC Interim Rule), aims to achieve.
With increased foreign interest in U.S.-based resources, as well as an increasing number of foreign owners and suppliers, the CMMC means to take a head-on approach to issues like these. The U.S. government’s initial approach called for compliance with NIST SP 800-171 through DFARS 252.204-7012. However, these measures weren’t enough to introduce fundamental security controls into the national defense supply chain.
This is evident in the recent thefts of confidential information related to U.S. fighter jets, an attack that was coordinated by malicious Chinese hackers. Similar problems can also be seen repeatedly throughout the years. With specific and verified threats originating from China, South Korea, Russia and more, it’s essential that U.S. Department of Defense (DoD) contractors step up their efforts in cybersecurity via CMMC compliance.
CMMC will replace NIST SP 800-171. As a precursor to CMMC, the U.S. Department of Defense issued a CMMC interim rule [DFARS Interim Rule (252.204-7019)]. The rule establishes requirements for NIST SP 800-171 compliance scoring and remediation beginning November 30, 2020.
How Do We Get Ahead of the Problem?
Officially released on January 31, 2020, CMMC is the U.S. government’s attempt to lead the fight against industrial espionage and other cyber threats posed by rival nation states. Specifically designed for use by the DoD supply chain, CMMC is a set of protocols that standardize information protection across the Defense Industrial Base (DIB). The goal is to safeguard Controlled Unclassified Information (CUI) in the hands of the DoD’s industry partners.
The government will achieve this by incorporating CMMC into the Defense Federal Acquisition Regulation Supplement, or DFARS, and mandating that contractors be certified as a requirement for contract awards. If successful, CMMC has the potential to become the model for other countries looking to establish standardized cybersecurity measures.
The CMMC Interim Rule
CMMC addresses a possible flaw with NIST SP 800-171: self-certification. Currently, DoD contractors with access to CUI self-certify their compliance by accepting the DFARS clause 252.204-7012 within their contracts. The clause states, “the covered contractor information system shall be subject to the security requirements in [NIST] Special Publication (SP) 800-171…” Some CMMC Level 2 organizations and all of Level 3 require a sign-off from a Certified Third Party Assessor (C3PAO) in order to become compliant and keep or win contracts.
Facilitating the shift to CMMC’s certification process is the Supplier Performance Risk System (SPRS). Contractors or prospective contractors must perform self-assessments and report in SPRS how many of the 110 NIST SP 800-171 security controls they have fully implemented. This will allow the DoD to gain insight into contractors’ current compliance levels until all contracts require CMMC certification.
CMMC in a Nutshell
Countless IT professionals highly anticipate and support CMMC. The standard was drafted with direct input from leaders at various university-sponsored research centers and other industry professionals.
CMMC is divided into three levels that build on one another and are designed to represent the level of cybersecurity program maturity for an organization. CMMC levels include:
Level 1: Designated as “Foundational,” the first level is composed of 17 cybersecurity practices consisting of antivirus, access control and other basic safeguards. Level 1 certification is required for all companies that work with Federal Contract Information (FCI). FCI does not include information that is freely available to the public.
Level 2: Organizations at this level must have a total of 110 cybersecurity practices in place to achieve a designation of “Advanced.” The focus is on the protection of Controlled Unclassified Information. It’s important to note that this level mirrors the 110 security requirements specified in NIST SP 800-171.
Level 3: This is the final and most advanced level. Carrying the designation of “Expert,” this level combines the previous cybersecurity practices with 15 additional practices. At this level, an organization not only has an advanced cybersecurity program in place, but has also demonstrated the capability to enhance the program’s efficiency.
The high number of required cybersecurity practices in Levels 2-3 can seem overwhelming at first. However, many companies already address most of the requirements. Since CMMC cybersecurity practices are also featured in other standards, such as those published by AIA and NAS 9933, the new regulations are not likely to involve much change for larger defense contractors. Smaller contractors, though, may find it more challenging to meet compliance requirements.
Who Does CMMC Affect?
Simply put, the CMMC applies to any organization that works with Controlled Unclassified Information, which includes most data possessed or created by the U.S. government. Although it is unclassified, entities must receive permission from the DoD information owner to access it.
As one might expect, many different data types fall under the umbrella of CUI. As a result, they benefit from the strict protections offered by the CMMC. This includes information pertaining to:
- Critical infrastructure
- National defense and NATO
- Natural and cultural resources
- Immigration and international agreements
- Nuclear interests
- Law enforcement and legal
- Export control
- Proprietary business information and patents
- Data privacy
- Asset procurement and acquisition
- Federal tax
The certification process will begin in 2022. According to the CMMC Interim Rule, defense contractors will all be required to certify in the next five years according to their contract renewal schedule. CMMC certification will be required to maintain eligibility for new DoD projects as well.
Unlike NIST SP 800-171, CMMC does not offer the option to self-certify for some Level 2 contractors and all Level 3 contractors. These organizations require a sign-off from a third-party auditor. Failure to meet any qualifications required by a level will result in a lower level of certification. As such, it is a good practice to perform a pre-assessment prior to a C3PAO certification assessment.
The clock is ticking, and it’s imperative that DoD contractors prepare to complete their certifications. CMMC certification will ultimately enable the DoD to safeguard CUI and further mitigate threats to our national security.