Monday, May 10, 2021
BY: J.R Cunningham - Chief Security Officer
The US Department of Defense (DoD) released the first version of the Cybersecurity Maturity Model Certification (CMMC) on 31 January 2020. CMMC is the latest in a long line of Defense Industry security standards dating all the way back to the early 2000’s. Terms like DITSCAP, DIACAP, ITAR, DFARS, and more recently the Risk Management Framework (RMF) are all defense-industry related security standards. These standards were developed at different times, some supplanted older standards, and many of these standards were intended for different audiences. (For example, the RMF focused on Department of Defense IT).
CMMC was developed after DoD contractors suffered a string of data breaches, despite the rolling out of NIST 800-171 compliance . However, under NIST 800-171, DoD contractors had the option of self-certifying and, as long as any security gaps were identified and listed in the Plan of Actions and Milestones, contractors were allowed to continue providing products and services without achieving compliance with all the NIST 800-171 security controls. Subsequent audits of “compliant” DoD contractors concluded that compliance was more of a myth than a fact. This was in part driven by the “self-certification” model, as well as the “loophole” that gave contractors the ability to create a “plan” versus ensuring a capability was actually effective.
CMMC represents an evolution towards a risk and capability-based approach to security controls and a migration away from “yes/no” checklists and static remediation plans. The idea is simple: Based upon the information you process as a member of the Defense Industrial Base, your requirements for security controls will vary. This concept represents the DoD aligning with how other industries have built security programs for years (i.e., Financial Services & Healthcare).
With CMMC, both self-certification and Plans of Actions and Milestones have been eliminated. Companies will need to address their security weaknesses before they can achieve compliance and certification. The CMMC Advisory Board was formed to certify auditors who will then be responsible for third-party CMMC compliance assessment of DoD contractors.
Who Needs CMMC?
There are over 250,000 companies in the Defense Industrial Base (DIB), including contractors and subcontractors. By 2025 all DoD suppliers will need to achieve at least Level 1 CMMC compliance.
What Are the CMMC Levels?
The CMMC model includes five levels, each with a corresponding set of practices and processes. The DoD requires contractors to meet both the associated practices and the given processes to achieve each specific CMMC level.
Five tips for a Successful CMMC Adoption:
- Understand the relevant data: Controlled unclassified information (CUI) covers a multitude of different types of information including tax-related data, sensitive intelligence information, patents, and intellectual property. This understanding will enable the organization to effectively respond to DoD contractor and subcontractor requirements.
- Assess current capabilities: CMMC has five levels that build off each other, meaning that, for example, requirements for Level 2 include all requirements for Level 1. As maturity levels may differ from contract to contract, it’s important for companies to reach the highest level of CMMC certification for the contracts they hold or intend to pursue.
- Leverage NIST 800-171: Most companies that already do business with the DoD have adopted NIST 800-171 for data protection. As with most compliance frame works CMMC overlaps with controls, especially in the lower compliance levels. CMMC Level 1, for example, is made up of 17 basic cybersecurity controls such as the use of antivirus software and regular password changes which many companies may already have in place.
- Program Strategy: Once you have decided on a CMMC level and identified which capabilities you have in place, you then need to fill the gaps between existing controls and remaining CMMC controls. As with any adoption of Controls, new software and IT security solutions that address security blind spots will need to be enabled and tested to meet CMMC security standards may also be required.
- CMMC certification: Determine core competencies, perform functions that you do well, outsource others to trusted, skilled firms. Some security functions must be done in partnership with your service provider(s).
Contact Nuspire to help your organization meet its compliance and Incident Response Planning.