There have been too many posts over the last few weeks about the Department of Defense (DoD) Cybersecurity Maturity Model Certification, or CMMC. The DoD shared a handy guide, and that is a great place to start if you’re a defense contractor.1 But some of the brass tacks are still being worked out. Hopefully this blog can shed a light on some of what you’ll need to know.
Where did the Cybersecurity Maturity Model Certification standards come from?
Directly from the horse’s mouth: “The intent of the CMMC is to combine various cybersecurity control standards such as NIST SP 800-171, NIST SP 800-53, ISO 27001, ISO 27032, AIA NAS9933 and others into one unified standard for cybersecurity. In addition to cybersecurity control standards, the CMMC will also measure the maturity of a company’s institutionalization of cybersecurity practices and processes.
Unlike NIST SP 800-171, CMMC will implement multiple levels of cybersecurity. In addition to assessing the maturity of a company’s implementation of cybersecurity controls, the CMMC will also assess the company’s maturity/institutionalization of cybersecurity practices and processes.”
In those words is some clarity, but also some confusion. The clarity is in the standards that already exist in the various forms of NIST, ISO and AIA will be used, amongst others. But the confusion comes from the maturity process and the multiple layers. In fact, there will be 5 tiers of CMMC compliance, depending on what the contractor produces and for whom.
What is being protected?
The two big terms that will need to be learned are controlled unclassified information (CUI) and for official use only (FOUO) information. This needs to be protected, and is a paramount goal of the DoD and the defense community at large. Regardless of whether a contractor uses this type of information or not they will have to be CMMC certified, it just may be at a lower tier.
Considering we’re at a time when, according to surveys, developers and other contractors are already operating a heightened level of concern this is hardly shocking.2 A lot stems from changes in laws overseas, particularly China, and the acts of both independent nefarious groups and nation state actors that are adversarial to the United States.
Who needs to meet CMMC standards and how do they become certified?
Do you do work with the DoD? Then you have to be certified. Are you a subcontractor to a group that works with the DoD? You too will most likely have to be certified. And, as it stands today, the costs of certification are unknown, although they will be an ‘allowable, reimbursable’ cost of doing business with the DoD. The best way to figure out if you must be certified is to consult the documents available. Estimates have ranged from a few thousand dollars to well over $250,000 at the higher end.3
So, what this means is that thousands of defense contractors out there will have to begin the process. There is a five year planned roll out, so there is time, but now is the time to prepare. Surveys indicate that over 58% of those who will have to meet the standards were either unprepared or unaware of the initiative and another 27% were unprepared for a cybersecurity event.
In order to meet the standard, a contractor will have to consult with a C3PAO, which is a third party assessor, many of whom are already being trained or will be trained in the standards. At the top end there will also be higher level assessments conducted by the Defense Contract Management Agency (DCMA) or the Defense Counterintelligence and Security Agency (DCSA). No one will be disqualified if they suffer a breach or have suffered a breach, but it will be taken into account.
What’s the big deal?
While there has been some disagreement about how many companies will have to meet which tier of the CMMC, some range into the thousands and others are much lower. Many may already meet NIST standards and be close, while others may be way off.
Moving from Tier 2 to Tier 3, for example, will mean going from 17 security controls to 110. This is a major delta, even for well-prepared companies. But this will be non-negotiable and so many companies will be scrambling. This is a good time to hit reset and up efforts around cybersecurity, finding good partners that can help you get to that level and setting aside the right amount of budget to be compliant.
With other initiatives like the US Coast Guard “Tech Revolution Roadmap”4 and the Pathfinder searches being conducted by the DoD this is a time during which the US defense community is actively upping their cybersecurity game. It’s exciting, but also a time where change is coming.