In 2019 the Department of Defense announced the creation of the Cybersecurity Maturity Model Certification (CMMC) to replace the self-reporting of cyber hygiene that used to govern the Defense Industrial Base (DIB). The CMMC puts an end to self-assessment and requires a third-party assessor to verify the cybersecurity maturity level of all contractors.
All DoD contractors must comply with the Federal Acquisition Regulation (FAR) and the Defense Acquisition Regulation Supplemental (DFARS). These regulations require companies to meet specific security standards from the National Institute of Standards and Technology (NIST). If a company connects to the government network, it must meet the NIST 800-53 standards. Companies not connected to a government network were required to self-certify that they met the 110 controls (actions to improve cyber hygiene) laid out in NIST 800-171.
Third-party assessors, who must complete coursework and obtain a certification, will then measure what maturity level a contractor has met. An organization must demonstrate the institutionalization of the processes and the utilization of the practices. Furthermore, the maturity model is cumulative, meaning a contractor must also demonstrate that they have met the practices and processes of all lower levels.
The goal is to protect two types of sensitive data: Federal Contract Information and Controlled Unclassified Information.
What is FCI?
Authorized holders, meaning those with a Department of Defense contract that carries the 7012 clause, must protect two types of sensitive data: Federal Contract Information and Controlled Unclassified Information.
FCI, or Federal Contract Information, is any information included in or created for a government contract that is not meant for public release.
Either you or the government can create FCI. Information becomes FCI when you do the work on behalf of a contract that generates or uses information not meant for public release.
You do not need to label FCI; no classification marking exists. Instead, you apply basic safeguards to information not meant for public release.
All of this was established by FAR Clause 52.204-21, which lays out basic protections for sensitive data. A company should not assume that meeting the requirements of the FAR will be easy or cheap. Yet they often reflect better business practices and provide a good starting point on your CMMC journey.
Contractors who only touch or create FCI will need to pass a Level 1 maturity assessment.
By 2025 all contractors will be assessed using the CMMC Level 1 methodology.
What is CUI?
Controlled Unclassified Information requires greater protections than FCI. The government defines CUI as information that requires safeguarding or dissemination controls under law, regulation, or government-wide policy, but that is not classified information or nuclear data or material.
The CUI program was created by President Obama's Executive Order 13556, after 9/11, to create a streamlined method for information sharing and safeguarding. The Information Security Oversight Office (ISOO), acting as the Executive Agent (EA) within the National Archives and Records Administration, is responsible for oversight of the CUI Program and monitors its implementation by executive branch agencies.
Contractors who touch, create, receive, transmit, or destroy CUI will need to pass a Level 3 maturity assessment.
By 2025 (or thereabouts) all contractors will be assessed using the CMMC Level 3 methodology.
History of CMMC
The Department of Defense launched the Cybersecurity Maturity Model Certification Program in 2019.
The Software Engineering Institute built the initial versions of the CMMC in collaboration with the Johns Hopkins University Applied Physics Laboratory.
Yet the effort to secure the Defense Industrial Base goes back as far as 2017, when the Department of Defense required all contractors who receive a 7012 clause to self-assess their cyber hygiene using a set of controls, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, published by the National Institute of Standards and Technology and commonly referred to as NIST SP 800-171, or simply 171.
NIST was empowered to set the standards for cybersecurity by the Secretary of Commerce under the Federal Information Security Modernization Act (FISMA), passed all the way back in 2002. In fact, NIST has been in charge of technology standards since 1901 with the Organic Act; FISMA updated that role for the digital world.
So CMMC, while beginning in 2019, has roots almost twenty years old.
FISMA empowered the Secretary of Commerce to authorize the Office of Management and Budget (OMB) to team with NIST. Through NIST, the OMB, and thus the Secretary of Commerce, set standards such as FIPS 199, a type of encryption that authorized users must use when handling CUI. The CMMC-AB, for example, can't just strip away FIPS.
The Department of Defense instead created CMMC to speed up compliance with 171 after plans for the F-35 were stolen by the Chinese military.
The plans did not fall into Chinese hands through the hacking of a single computer or company. Instead, thousands of cyber attacks were launched against the networks of small government contractors who moved plans and files, such as key radar information, back and forth between email and servers.
These efforts did not stop with the F-35. In fact, according to the Government Accountability Office:
“The Department of Defense (DOD) faces tens of millions of attempted malicious cyber intrusions per year as adversaries seek to take advantage of the department’s reliance upon computer networks.”
Something had to be done.
The Interim Rules
The Department of Defense took the extraordinary step of releasing an Interim Rule to speed up implementation of CMMC. The Interim Rule introduced three new clauses: 7019, 7020, and 7021.
The 7019 and 7020 clauses rely on the same approach to 171 as before, but now only the Under Secretary of Defense for Acquisition and Sustainment can assign the 7021 clause, which carries the CMMC requirements.
As of Nov 30, 2020, all contractors must continue to upload SPRS scores and self-attest under the 7019 clause.
If the DoD wants to apply a medium review, the 7020 clause kicks in.
Until 2025 only the Under Secretary for A&S can assign the 7021 clause.
The Interim Rule only applies to contracts after Nov 30. However, when a contract or task order gets modified, which is often, the interim 7019, 7020, and 7021 clauses kick in.
The Interim Rule is set to be finalized in May of 2021, which then lays out a path for all Defense contracts to carry the 7021 clause by 2025-2026.
It makes sense for Defense contractors and the Managed Support Providers, the IT companies that work with small manufacturers, to start understanding and implementing the CMMC model.
What is the CMMC Model?
Since December 13, 2017, companies could lose DoD contracts due to lax cybersecurity. But the DoD took the extraordinary step of releasing an interim rule to DFARS.
Yet until recently DFARS required organizations to self-assess. Companies had to provide documentation on meeting the 110 controls of NIST 800-171 by collecting artifacts into a Body of Evidence.
A Body of Evidence contained three major items. The first, a System Security Plan, describes a company's infrastructure, such as the hardware and software utilized. The Plan of Action and Milestones (POA&M) documented any shortcomings and described a remediation plan. A company would also submit its procedures and policies as part of the Body of Evidence.
DFARS required a contractor's POA&M to be shared with the DoD. A major change in the CMMC is the removal of the POA&M and the use of third-party rather than self-assessments.
The CMMC builds on NIST 800-171 but also includes controls from other cybersecurity frameworks. Where CMMC differs is in both the maturity model and the role of third-party assessors. The CMMC defines 17 domains of cyber hygiene, comprised of 43 capabilities. These capabilities get institutionalized through 171 practices across five levels of maturation.
The Office of the Under Secretary of Defense for Acquisition and Sustainment defines maturation as a "set of characteristics, attributes, indicators, or patterns that represent capability and progression in a particular discipline." The CMMC contains five levels of maturation.
Five Levels of CMMC
The CMMC model has five levels:
- Level 1: Safeguard Federal Contract Information (FCI)
- Level 2: Serve as a transition step in cybersecurity maturity progression toward protecting CUI
- Level 3: Protect Controlled Unclassified Information (CUI)
- Levels 4-5: Protect CUI and reduce risk of Advanced Persistent Threats (APTs)
The Cybersecurity Maturity Model Certification program has 17 total Domains across these five levels.
Almost all of the domains come from NIST 800-171 and Federal Information Processing Standards (FIPS) 200.
To these 14 domains, the CMMC model adds Asset Management (AM), Recovery (RE), and Situational Awareness (SA) from other international and risk management frameworks.
Practices and Processes
Across these domains the model has 171 practices. Yet to meet compliance on each practice you must demonstrate compliance with every single objective taken from the 171A assessment methodology. For Level 3, the practices across the CMMC domains require meeting 362 objectives.
The CMMC model also requires an assessor to establish process maturity.
- Maturity Level 1 allows you to perform processes in an ad hoc manner and does not require policy to be in place for compliance. However, every company will find security impossible to achieve without good policy. So while you do not have to show policy for Level 1 compliance, it will be hard to reach without it.
- Level 2 requires an organization to establish and document practices within a domain. This does not mean you write separate process documentation for each domain; many of the objectives used to measure process maturity will already exist across your portfolio.
- Level 3 maturity is required to handle CUI. An organization must establish, maintain, and resource a plan for managing cybersecurity activities, as defined in the plan.
- Level 4 requires an organization to review and measure practices for effectiveness. They must look for vulnerabilities and address them when found.
- Level 5 requires a company to standardize and optimize process implementation throughout the organization. Most Level 5 organizations will be better prepared through experience handling classified or nuclear information.
The CMMC model includes a lot of assumptions about the cost to implement cybersecurity.
As Jacob Horne of DefCert notes, the Interim Rules assume Defense contractors have implemented the controls of 171.
In fact, NIST 800-171 itself assumes that many of the controls required in FAR-21 just happen as part of the way we do business in the modern world. The Department of Defense knows the web has existed for 30 years or longer; they used to call it ARPANET.
Can you blame the Department of Defense for not wanting to use contractors who have done nothing to address cybersecurity in 30 years? They will not accept excuses for a lack of cybersecurity, and have published some pricing guidance. Jacob warns us that these prices also include the assumptions built into the CMMC model. Still, even if these numbers represent the floor and not the ceiling, it will cost a pretty penny for a sheen of cyber hygiene.
The cost of CMMC certification consists of three things (based on DoD estimates, assuming you are already 171 compliant):
- The cost of the assessment itself;
- First year, non-recurring engineering costs;
- Recurring engineering costs split over five years.
Level 1 Certification: $2,999.56
- Assessment: $2,999.56
- Nonrecurring Engineering: N/A
- Recurring Engineering: N/A
Level 2 Certification: $50,755.88
- Assessment: $22,466.88
- Nonrecurring Engineering: $8,135.00
- Recurring Engineering: $100,770.00 ($20,154.00 per year x 5 years)
Level 3 Certification: $118,975.60
- Assessment: $51,095.00
- Nonrecurring Engineering: $26,214.00
- Recurring Engineering: $208,330.00 ($41,666.00 per year x 5 years)