CMMC stands for Cybersecurity Maturity Model Certification. But first, let's back up a little.
Nation-states don’t just attack our military to steal information. Significant losses of intel have come from contractors, and much of it was unclassified data.
The Department of Defense (DoD) has responded to this problem with cybersecurity requirements such as DFARS 252.204-7012 and NIST 800-171 for contractors to secure their information systems. However, after several years of effort, it is clear there is a major flaw in the process: adherence is a self-attestation. Contractors are not required to provide a third-party certification on the completeness of their implemented security controls and therefore may not be as secure as they state. The other challenge in the existing engagement model is that contractors are not always aware of the extent to which they must implement security controls.
So, while there are some basic contractual requirements for contractors to adhere to, the justification and execution of meeting these controls have become widely varied and unacceptable. The DoD is listening to these concerns, and is implementing a plan to clearly inform contractors of the level of security required for a particular engagement, as well as a method to clearly demonstrate compliance with the security requirements.
The CMMC introduces 5 levels of security requirements, with level 1 having the least restrictive requirements, which the DoD frequently refers to as 'ad hoc'. These level 1 requirements are intended for those who have less sensitive or no DoD data. Conversely, level 5 will apply to the most sensitive unclassified data, such as export-controlled (ITAR) technical data.
On September 4, Version 0.4 of the CMMC was released for comment. While the industry pores over the particulars and submits comments to the DoD, I am going to highlight the primary takeaways.
The new version effectively doubles the number of practices. The DoD knows the current version has too many requirements and actively wants to narrow the model. They have made this desire to narrow the model abundantly clear, even though the 0.4 release is significantly more stringent than previously reviewed versions.
The 17 practices listed in the FAR are the basis for level 1 compliance. In the most recent release of the CMMC, level 1 still requires the 17 FAR practices and adds an additional 18, for a total of 35 practices. The FAR practices are included in every level of the CMMC and increase in granularity and maturity as the CMMC levels progress. The good thing is, you are already compliant with the FAR, right? (Hint: if you have a government contract, you've already committed to meeting these.)
One could go as far as to say that level 3 of the CMMC is roughly NIST 800-171. I say roughly because 800-171 has 110 controls, compared to the 91 controls in level 3 of the current release of the CMMC. Level 3 currently adds to the 800-171 framework an Information Security Continuity Plan as well as a requirement to communicate threat information to key stakeholders. With that said, if you are compliant with NIST 800-171, your organization will likely be very close to compliant with level 3 of the CMMC.
There is no mincing of words: the DoD is serious about security at the top level. They have already required advanced threat hunting, including fully automated machine-based remediation which removes the human factor from the process of remediating threats. While this is not a new concept, it is at the forefront of cybersecurity.
This is a pre-release version; it is by no means final. The CMMC will go through two more versions before its release in January of 2020. The current version is open for public comment, and the DoD wants responses from the community. Once released, the CMMC will be in effect for new RFIs in June of 2020 and RFPs in September of 2020. This means you have some time to get into compliance. However, while a few details will be ironed out, don't expect significant reductions in what is required at each level.
Just because you have time doesn't mean you should waste it. CMMC will be a go/no-go qualifier for contracts and requires a third-party audit. Considering the time and investment required to meet your target level of certification, along with what will surely be a bottleneck in the audit process, you need to start executing now.
A year may seem like a long time, but now is the time to take a long, serious, sober look at where you are today relative to your current requirements. For example, if you currently have DFARS 252.204-7012 in your contract, start there and get serious about meeting the requirements.
As always, we can help. C3 provides a mix of technology solutions to meet most of the controls within these standards. For more information, contact us at email@example.com.
Scott Whitehouse is a Senior Systems Consultant at C3 Integrated Solutions, a full-service IT provider based in Arlington, VA that specializes in securing our nation’s Defense Industrial Base through cloud-based solutions and industry leading partners. Scott is part of C3’s Projects Team and focuses on Microsoft Office 365 Engineering, including Intune, EM+S, and Compliance.