We use history to determine our future, and as President Biden’s Executive Order on supply chain risk management unfolds we wonder how the Cybersecurity Maturity Model Certification (CMMC) program will change to adapt to emerging threats and federal regulations. So before we can determine the influence of CMMC on supply chain risk management, we must consider the history of CMMC.
Federal Information Security Act
When you hop on LinkedIn or meet manufacturers at an Industry Day, everyone bemoans the cost of CMMC. Folks wonder how the Department of Defense just threw this on the Defense Industrial Base overnight. CMMC did not just pop up in some podcast bonanza. In fact you can trace the roots of CMMC back to the Federal Information Security Act of 2002 (FISMA), only twenty years ago. The bill was revised in 2014.
The CMMC story starts with FISMA as the first page, and the story is much longer than CMMC critics think. The CMMC-AB did not make cybersecurity expensive. The DoD did not drop CMMC in your lap. Congress laid the foundation in FISMA. This bill sets out to “provide a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support Federal operations and assets.”
This of course seems to mirror the goals of CMMC.
Every federal agency is responsible for “developing and maintaining information security policies, procedures, and control techniques to address all applicable requirements,” and then has to provide training and assessment:
“(a) IN GENERAL.—(1) Each year each agency shall have performed an independent evaluation of the information security program and practices of that agency to determine the effectiveness of such program and practices.”
The Department of Defense tried to meet these obligations using self-attestation, which failed. This in turn led to CMMC, a third-party attestation to NIST-SP-800-171. But how did we get to NIST?
The Cyber Security Research and Development Act then passed in November of 2002.
This law allowed the Secretary of Commerce to establish and deliver research funds through the National Institute of Standards and Technology. Many of the policies that would come to influence CMMC were funded through this program in order to meet the requirements of FISMA. Neither FISMA nor the Cyber Security Research and Development Act explicitly refers to supply chain risk management. These policies specifically deal with federal, not non-federal, systems. In 2003 Homeland Security Presidential Directive 7 was signed. This directive sought to identify risk to “critical infrastructure” and begins to loop the private sector into “cybersecurity” and “supply chain” efforts.
The Department of Commerce, in coordination with the Department, will work with private sector, research, academic, and government organizations to improve technology for cyber systems and promote other critical infrastructure efforts, including using its authority under the Defense Production Act to assure the timely availability of industrial products, materials, and services to meet homeland security requirements.
The 9/11 Commission reported on a series of problems with the sharing of classified and unclassified information among federal agencies. The Homeland Security Act, passed in 2002, sought to address many of these issues and reorganized much of the Federal Government.
The FISMA project was then launched in 2003. This would lead to critical documents that shape CMMC and will impact supply chain risk management. These publications include FIPS 199, FIPS 200, and NIST Special Publication 800-53. All of this documentation was required by Congressional legislation.
Title III tasked NIST with responsibilities for standards and guidelines, including the development of:
- Standards to be used by all federal agencies to categorize all information and information systems collected or maintained by or on behalf of each agency based on the objectives of providing appropriate levels of information security according to a range of risk levels;
- Guidelines recommending the types of information and information systems to be included in
- Minimum information security requirements (i.e., management, operational, and technical controls), for information and information systems in each such category.
So the first document, released in February 2004, categorized data into risk levels of low, moderate, or high across the three elements of the CIA triad: Confidentiality, Integrity, and Availability. FIPS 200 then lays out how these categories are to be met, and a catalog of controls that can be used to meet FIPS 200 is laid out in NIST-SP-800-171. Executive Order 13556 was signed by President Obama to authorize an information sharing report. This created Controlled Unclassified Information (CUI). It charged all Federal agencies with protecting a much broader class of CUI. The Executive Order rescinded an earlier order from 2008 that defined CUI and had three mandates:
- applicable law, including protections of confidentiality and privacy rights;
- the statutory authority of the heads of agencies, including authorities related to the protection of information provided by the private sector to the Federal Government; and
- applicable Government-wide standards and guidelines issued by the National Institute of Standards and Technology, and applicable policies established by the Office of Management and Budget.
32 CFR Part 2002
Executive Order 13556 resulted in the creation of Title 32 of the Code of Federal Regulations, Part 2002, which spelled out the CUI Program in 2016. The 150+ different marking schemes for sensitive data were reduced down to one schema with just over 20 categories.
While this legislation was being passed, a number of hacks occurred that led the Department of Defense to examine the role of suppliers and contractors. In 2010 the Department began to introduce rules that laid out the responsibilities contractors had to follow. The 2011 National Defense Authorization Act contained an entire section devoted to reducing risk in the supply chain. Cyber and supply chain were still cast as two different coins. In 2011 DFARS Case 2011-D039 spelled out requirements for safeguarding unclassified information, specifically as it related to fundamental research. This represents the first proposed DFARS 7000 rule.
These rules would come to hold the regulations around cybersecurity. The draft rule pulls 59 controls from the library of NIST-SP-800-53, which, as we know, was meant as a catalog of controls to meet the requirements of FIPS 200. On August 8, 2013 the DFARS 252.204-7000 rule went into effect. This requires the protection of sensitive data on non-federal systems, meaning contractors had to protect CUI.
In response to these efforts NIST published NIST-SP-800-171, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.” NIST began by tailoring -53 down to 262 controls related to protecting the confidentiality of CUI at the moderate level as required by FIPS 199/200. Of these 262 controls, 18 were identified as the responsibility of the government. These are labeled as FED controls. Fifty-eight of the 262 controls, while critical to cyber hygiene, were labeled NCO, as not having to do with protecting the confidentiality of CUI. A whopping 61 controls were labeled as being so routine that you can just assume businesses have them in place. These are labeled NFO, as Non-Federal Organizations would have them in place already. When you add up these exceptions you get 152. Subtract that from the 262 controls selected from -53 and you get the 110 controls of NIST-SP-800-171. You also had to have systems that met FIPS 200 capabilities.
DFARS Rule Making
In August 2015 a new defense clause, DFARS 252.204-7012, was introduced to replace -53 compliance with the new NIST-SP-800-171 standard. Then DFARS Case 2013-D018, Defense Federal Acquisition Regulation Supplement: Network Penetration Reporting and Contracting for Cloud Services, was published as a draft interim rule to go into effect October 21, 2016 (https://www.federalregister.gov/documents/2016/10/21/2016-25315/defense-federal-acquisition-regulation-supplement-network-penetration-reporting-and-contracting-for). Most importantly, it changes and expands DFARS 252.204-7012 to “cover the safeguarding of covered defense information and require contractors to report cyber incidents involving this new class of information as well as any cyber incident that may affect the ability to provide operationally critical support.” DFARS 7008/9/10 are also promulgated, covering cloud computing, cyber, and other requirements. In November 2016 the DFARS 7012 rule went into effect.
The implementation period for DFARS 7012 ended on January 1, 2018. The DoD position is that by signing a contract carrying the clause, a contractor is self-attesting to the implementation of DFARS 7012 and, by extension, the 110 controls of NIST 800-171. Every contractor who wants to accept work with a 7012 clause on the contract must meet the 171 baseline. In fact, if you think you need an exception to one of the 110 controls, you have to get written permission from the DoD CIO. As this happened the Chinese pilfered our military secrets and designed carbon copies of our latest inventions such as the F-35.
Supply Chain Threats
On December 18, 2018 the DoD Inspector General issued a classified report on the cyber security at the Missile Defense Agency itself. The report is scathing and resulted in more attention on cyber defense. This report has been redacted, declassified, and released under a FOIA request: https://media.defense.gov/2018/Dec/14/2002072642/-1/-1/1/DODIG-2019-034.PDF
The DoD issued a second scathing report on MDA, this time on enforcement and implementation of cyber controls (DFARS 7012 and the 110 requirements of NIST 800-171). This is really the mark of official notice that the DoD supply chain was broadly not implementing the requirements of DFARS 7012, although a number of different voices had been expressing this concern for some time. People in the Department of Defense began to think in terms of a “we have to do something like CMMC” narrative.
In August of 2019 Stacy Bostjanick gave a presentation on the creation of the CMMC program. On January 20th, 2020 the Department of Defense released the first draft of the CMMC model.
DFARS Interim Rules 7019-7021
While the DoD went through the process of establishing the CMMC program, they felt the threat to the supply chain was so great that they released a series of interim rules to cement the CMMC program. DFARS 252.204-7019 requires any contractor to complete a self-assessment using the NIST-800-171A methodology. This leads to writing an SSP and a POA&M and uploading a Supplier Performance Risk System (SPRS) score. The goal was to provide a bridge while the CMMC program launched. DFARS 252.204-7020 defines basic, medium, and high assessments.
This means DIBCAC may interview you about your SSP at the medium level, or come out and verify for a high assessment. DFARS 252.204-7021 creates the CMMC program. Any contract with the 7021 clause must meet the requirements of CMMC. At this time only the Undersecretary of A&S can assign the 7021 clause to contracts. “Prior to awarding to a subcontractor, ensure that the subcontractor has a current (i.e., not older than 3 years) CMMC certificate at the CMMC level that is appropriate for the information that is being flowed down to the subcontractor.” As of this time we expect the 7021 clause to hit all contractors by 2026.
So most contractors need to realize that CMMC requirements do not start tomorrow. Until then they should grow the SSP and shrink the POA&M in order to have a predictable burn.
This post was co-written by Vincent Scott and could not have been possible without the research of Jacob Horne in “The Fascinating History of CMMC.”