The Department of Defense (DoD) Office of the Undersecretary of Defense Acquisition and Sustainment [OUSD(A&S)] released Version 0.6 of the Cybersecurity Maturity Model Certification last week. Some aspects have changed, and still, others seem to still be on hold. Here’s our takeaways:
Over the last few years, C3 has been tracking the contractor community’s adoption of a variety of new regulations including DFARS 252.204-7012 and NIST 800-171. Each has been met with, shall we say, less than enthusiastic adoption. While some contractors grudgingly made – and continue to make – investments to meet the requirements, still others remain in denial. CMMC has been the complete opposite. The buzz and activity around CMMC within the contractor community has been far beyond what we’ve seen with DFARS and NIST. It’s clear the community has gotten the message and is rushing to be ready for its official release in January 2020, with inclusion in RFI’s slated for June and RFP’s in September.
The CMMC team has done a good job developing and clarifying Levels 1-3. While there will still be some adjustments, there is enough information for organizations to start working towards compliance.
An important clarification in Version 0.6 appears to be what information will qualify for what level. According to this version, if your organization only holds Federal Contract Information (FCI), then you will likely be Level 1 or 2. However, if you hold Controlled Unclassified Information (CUI), then you will need Level 3 at a minimum. This affirms the current rules where FCI already requires FAR 52.204.21 and aligns with Level 1. Conversely, if you have CUI, then DFARS 252.204-7012 already applies to you which aligns with Level 3.
While the development of Levels 1-3 has been solid, at this point, Levels 4 and 5 were omitted from this version so there really isn’t anything new to report on the more advanced requirements. However, with the official release just a few weeks away, we expect upcoming versions to include significant developments. Wise contractors should watch these closely.
Beyond compliance with NIST 800-171, the DFARS 252.204-7012 also contains clauses (c) through (g). These clauses go beyond NIST and focus on the government’s ability to conduct forensics after a breach. Collecting malicious code as well as allowing government inspection of equipment are key drivers that push contractors to services like Office 365 GCC High. So far, CMMC seems to be silent as to how these clauses translate to the appropriate CMMC Level.
Data that falls under the International Traffic and Arms Regulations (ITAR) has very strict data residency and data sovereignty rules. We would assume that there will continue to be parallel requirements, but it will be also interesting to see how ITAR applies to the data Level classification. We’re expecting to see ITAR be something like minimum Level 3 or 4 plus the data residency/sovereignty requirements.
Many professional services firms provide labor as their product and generally hold little, if any, actual government data beyond their contracts. While there isn’t any formal guidance yet, these firms should be able to make a strong case that they will be Level 1 or 2 since all they hold is FCI. This will be a big driver for these organizations as they consider options for services like Office 365.
If you are holding CUI, gone are the days that you write a policy, put it in the (virtual) desk drawer and forget about it. Certification requires both documenting policies towards cybersecurity as well as aligning them to your actions. As you move from Level 1 through Level 5, the connection between these two becomes more and more integrated. In Level 1, deploying services is enough. With Level 2, you need to have a documented policy. Starting at Level 3, these two need to integrate with management and monitoring to ensure they are in alignment.
Earlier standards like NIST 800-171 were written to provide flexibility, especially for small businesses. However, that ambiguity has led to confusion about what is and is not acceptable with respect to meeting many of the controls. Appendix B in the Version 0.6 aims to provide guidance as to the meaning of each control. While it’s certainly far from perfect, it is a good start.
CMMC is quickly taking shape, and more importantly, delivering on the promises to provide a structure and framework to bring the Defense Industrial Base (DIB) into a more secure environment. There are still big hurdles ahead, particularly around classifying minimum CMMC levels within contracts and translating the requirements into assessments. However, the work to date provides both clarity and predictability. This is good for the industry and ultimately, good for our national security.