The Department of Defense (DoD) has released a draft of its Cybersecurity Maturity Model Certification (CMMC) framework. It comes as part of the DoD’s initiative to assess and enhance the cybersecurity posture of its supply chain.
Currently DoD contractors must comply with the National Institute of Standards and Technology (NIST) SP 800-171 via the Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012. To date, the regulation does not provide a mechanism for demonstrating compliance, which has been based on assumed good will and trust. However, the CMMC will soon start enforcing verification on a contractual basis; this will solidify a company's compliance.
The DoD’s intent is to improve the identification (and subsequent notifications) of cybersecurity risk by having independent third-party organizations conduct audits to demonstrate contractors’ compliance with the CMMC.
The proposed CMMC combines various cyber security standards and best practices and maps these controls and processes across five maturity levels. With each level of maturity, the required controls and processes grow more sophisticated. For example, Level 1 maturity will encompass basic cyber hygiene requirements whereas Level 5 will require an advanced degree of controls and processes. Each level will clearly define the controls and processes necessary for compliance.
All companies conducting business with the DoD will require certification —albeit at varying maturity levels as dictated by the DoD and its specific contractual requirements. The main component or driver of maturity will likely be contractors’ services and exposure to DoD data. But regardless of the focus of the audits, the CMMC introduces a new level of compliance that DoD contractors must prove they are meeting through external audits and certification.
As of now the DoD has not set the date for when contractors must demonstrate compliance with the CMMC. The final version of the framework is expected to be released in January 2020. The DoD said it will be used in new solicitations starting in Fall 2020. However, with the December 31, 2017 deadline for compliance with NIST 800-171 long passed, most contractors should be well on their way to being able to demonstrate some level of cyber security maturity.
Although the NIST SP 800-171 controls are referenced in the CMMC model—and “coverage” of all NIST SP 800-171 security controls is a requisite for meeting Level 3 certification—the framework has been influenced by other sources, such as ISO 27001:2013. Consequently, even the most mature contractors may have some work to do and should plan accordingly.
We recommend starting with an assessment of your current controls and processes. Understanding where you are is pivotal to determining where you want to be and how you are going to get there. An assessment will serve to identify gaps or weaknesses in your current controls and processes and help us develop a plan of action to correct the deficiencies in a timely and scheduled manner.
Getting a head start can be the difference between meeting contractual obligations or being in breach — the difference between winning and losing.