The technological advantage the United States military has maintained over its adversaries for decades has narrowed. Look no further than the Chinese J-31 aircraft, which bears striking similarities to America’s 5th Generation F-35 Joint Strike Fighter. It’s not that U.S. adversaries have become better technologists. Rather, they’ve become better thieves. The Chinese J-31 is largely based on unclassified data stolen from U.S. defense contractors and their suppliers. Its existence diminishes America’s military superiority.
To better protect the controlled unclassified information (CUI) that defense contractors and their suppliers handle across multi-tiered supply chains, the Department of Defense (DoD) in early 2018 required every organization that stores, processes, or transmits CUI to implement the 110 security requirements in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171. Despite this mandate, CUI continues to leak, placing the security of the United States at risk.
Why have existing requirements failed? First, NIST SP 800-171 relies on organizations to self-assess and then attest to their own compliance. The individual requirements, however, are complex and may be insufficiently understood by the implementer, the assessor, or both. Self-assessments are also not performed consistently from one organization to the next. The conclusion: self-assessments cannot be relied upon.
Second, compliance is not security. Compliance requires only that a threshold be met. Putting any lock on your door may satisfy a compliance requirement, but how safe what's inside really is depends on the type of lock and the type of door, and on whether the lock is actually used. Today, NIST SP 800-171 is applied as a compliance exercise, without regard to the maturity or strength of the controls as implemented, or to the processes that ensure they are executed consistently over time.
To address these shortcomings and better protect CUI – and ultimately, national security – the DoD launched a new initiative this past March – the Cybersecurity Maturity Model Certification (CMMC). The DoD envisions CMMC as a unified cybersecurity standard consistently applied to all organizations across the Defense Industrial Base (DIB), with the objective of eliminating exfiltration of CUI.
To develop this unified cybersecurity standard, the DoD teamed with Johns Hopkins University's Applied Physics Lab and Carnegie Mellon University's Software Engineering Institute, along with the DIB Sector Coordinating Council, the Office of Small Business Programs, and many others. This group is building the CMMC model by evaluating and bringing together cybersecurity requirements from sources including NIST SP 800-171, NIST SP 800-53, ISO 27001, the Aerospace Industries Association's NAS 9933 standard, the CIS Critical Security Controls (formerly known as the SANS Top 20), subject matter experts, and inputs from the DIB.
CMMC will be comprehensive, spanning 18 domains including access control, configuration management, identification and authentication, incident response, risk assessment, and system and information integrity. Each domain consists of capabilities, which in turn consist of practices and processes. Process institutionalization (e.g., the policies, plans, processes, and procedures used to manage the environment where CUI resides) is a key CMMC differentiator, because it provides assurance that the practices are implemented effectively and sustained over time rather than performed once for an audit.
To account for the fact that not all information is equally sensitive and that not all contract participants have access to or handle the same information, CMMC will consist of five levels of practice and process requirements:
| Level | Practices | Processes |
|---|---|---|
| 1 | Basic Cyber Hygiene (basic cybersecurity, achievable for all companies) | Performed (practices performed, at least ad hoc) |
| 2 | Intermediate Cyber Hygiene (includes universally accepted cybersecurity best practices) | Documented (practices are documented) |
| 3 | Good Cyber Hygiene (coverage of all NIST SP 800-171 rev 1 controls) | Managed (processes are maintained and followed) |
| 4 | Proactive (advanced and sophisticated cybersecurity practices) | Reviewed (processes are reviewed, properly resourced, and improved enterprise-wide) |
| 5 | Advanced/Progressive (highly advanced cybersecurity practices) | Optimized (continuous improvement across the enterprise) |
The DoD and its partners will refine and finalize which specific practices and processes are assigned to each CMMC level as they continue to develop the model, with Version 1.0 scheduled for release in January 2020. An important distinction is that the levels are cumulative: to qualify for Level 3, an organization must meet not only all of the requirements assigned to that level, but also those of Levels 1 and 2.
CMMC will change the way the DoD conducts business. It differs from its predecessors and is more exacting because:
- CMMC will be integrated into the acquisition process. The certification level required for prime and subcontractors will be specified in sections L and M of DoD RFPs and treated as a pass/fail ("yes/no") criterion: certification at the required level will be mandatory for contract award. CMMC requirements will begin appearing in Requests for Information starting in June 2020 and in Requests for Proposals later in 2020.
- To receive CMMC certification at any level, companies will have to pass an external assessment conducted by a DoD-accredited third-party assessor, rather than self-attesting as under NIST SP 800-171.
- Every company that does business with the DoD, regardless of whether it handles CUI or how many tiers removed from the Government it sits in the contractor supply chain, will have to obtain at least Level 1 CMMC certification.
- Companies will have to be re-certified periodically, likely annually, against a standard that will continue to evolve and adapt to the changing cyber threat landscape.
NOW is the time for companies within the DoD ecosystem to begin preparing for CMMC. Future articles will focus on various aspects of CMMC to help organizations prepare.