What is CMMC?
The Department of Defense (DoD) recently announced that contractors who provide products and services within the Defense Industrial Base (DIB) will be required to comply with the Cybersecurity Maturity Model Certification (CMMC). Version 1.0 of the CMMC was released on January 30th, 2020 and consists of “maturity processes and cybersecurity best practices from multiple cybersecurity standards, frameworks, and other references, as well as inputs from the DIB and DoD stakeholders.”
The CMMC is the DoD’s next step to ensure and enhance the breadth of cybersecurity for national security data and networks following the Defense Federal Acquisition Regulation Supplement (DFARS), issued in 2016. The CMMC will create a verification program to ensure that ample cybersecurity controls and processes are in place to protect controlled unclassified information (CUI) that resides on DoD and DoD contractors’ networks.
Katie Arrington, the Chief Information Security Officer for Assistant Secretary for Defense Acquisition, recently spoke on To The Point Cybersecurity and likens CMMC to the tracks on a tank: ‘WWI & II changed warfare with trenches, and to defeat the trench the tank was invented. Cyberwarfare is the “new trench”, cybersecurity is the tank, and CMMC is the tank’s tracks.’
CMMC Model Framework
The CMMC is formatted as a hierarchical matrix. At the top level, the certification is broken down into 18 different “domains,” defined as “key sets of capabilities for cybersecurity.” For a given domain, there are “processes” that span a subset of the five levels. Additionally, each domain has one or more “capabilities” that span a subset of the five levels. Finally, for a given “capability,” there are one or more “practices” that span a subset of the five levels.
A large majority (14) of the Domains use the same terminology and detail the same best practices as described in NIST Special Publication (SP) 800-171. Added in the CMMC are Asset Management, Cybersecurity Governance, Recovery, and Situational Awareness. The full list of Domains is:
- Access Control
- Asset Management*
- Awareness and Training
- Audit and Accountability
- Configuration Management
- Cybersecurity Governance*
- Identification and Authentication
- Incident Response
- Media Protection
- Personnel Security
- Physical Protection
- Risk Assessment
- Security Assessment
- Situational Awareness*
- System and Communications Protection
- System and Information Integrity
The CMMC details five security levels, ranging from basic cyber hygiene to advanced security operations.
- Level One: Basic Cyber Hygiene
  - Requires that an organization perform a specified set of practices.
  - Consists only of practices that correspond to the basic safeguarding requirements specified in 48 CFR 52.204-21.
- Level Two: Intermediate Cyber Hygiene
  - Requires that an organization establish and document practices and policies.
  - Serves as a progression from Level 1 to Level 3 and consists of security requirements specified in NIST SP 800-171.
- Level Three: Good Cyber Hygiene
  - Requires that an organization establish, maintain, and resource a plan demonstrating the management of activities for practice implementation.
  - Focuses on the protection of CUI (NIST SP 800-171 and DFARS clause 252.204-7012).
- Level Four: Proactive
  - Requires that an organization review and measure practices for effectiveness and take corrective action when necessary.
  - Focuses on the protection of CUI from Advanced Persistent Threats (APTs) and encompasses a subset of the enhanced security requirements from NIST SP 800-171B as well as other cybersecurity best practices.
- Level Five: Optimizing
  - Requires that an organization standardize and optimize process implementation across the organization.
  - Increases the depth and sophistication of cybersecurity practices.
Level Five of the CMMC requires contractors to have sophisticated protocols for access control, incident response, and system and information integrity. Forcepoint’s Insider Threat gives you complete visibility of privileged users, including forensics and video. If threats to cybersecurity occur, contractors can use Insider Threat to investigate and remediate user actions and monitor critical systems.
How Defense Contractors Can Prepare for CMMC Compliance
After its version 1.0 release in January 2020, companies responding to DoD Requests for Proposals (RFPs) will be required to show their designated CMMC compliance in June 2020. The CMMC aligns closely with the 110 security requirements of NIST 800-171 as well as DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting. Initially, companies will want to assess their current security operations and compliance against these requirements.
Contractors will want to build a System Security Plan (SSP) that describes the system and its purpose, the number of users, the environment, and so on. NIST has provided a template for SSPs.
Next, contractors will want to create the Plan of Action & Milestones (POAMs) detailing cyber deficiencies and plans to correct them. POAMs will be directly mapped to CMMC levels.
With CMMC enforcement approaching, it’s important contractors take action. In a recent episode of To the Point Cybersecurity, Roger Bache, Forcepoint’s Chief Operating Officer-Global Government, said “If you do not meet the maturity level specified in the RFP (Request for Proposal), you’re out of business.”