CMMC: What Federal Suppliers Need to Know
On January 31, 2020, the DoD released v.1.0 of the Cybersecurity Maturity Model Certification (CMMC) standards. The purpose of CMMC, as outlined by the DoD, is to:
“assess and enhance the cybersecurity posture of the Defense Industrial Base (DIB). The CMMC is intended to serve as a verification mechanism to ensure appropriate levels of cybersecurity practices and processes are in place to ensure basic cyber hygiene as well as protect controlled unclassified information (CUI) that resides on the Department’s industry partners’ networks.”
In the end, CMMC is all about ensuring that DoD’s critical supply chain is protected from cybersecurity threats.
I recently spoke on Forcepoint’s To the Point Cybersecurity Podcast to discuss CMMC and what contractors need to know now to ensure they’re compliant in 2020.
Increasingly Interconnected Environments Highlight the Need for Mandated CUI Controls
Network segmentation and access control have historically been the go-to ways for government and the private sector to protect unclassified but sensitive data, also known as controlled unclassified information (CUI). But what happens in an interconnected environment, such as when agencies are working with mission partners and subcontractors outside of their protected IT enterprise? These interconnected environments have enabled increased collaboration and quicker access to mission-critical information, but they also bring very real cybersecurity risks. The risk arises because an agency doesn’t always know what type of infrastructure and maturity partner organizations have in place, or how CUI is being handled beyond its own enterprise.
Couple these interconnected environments with the increasing attention on the identified weaknesses in the DoD’s supply chain, and we see an urgent need for standardized verification mechanisms to ensure appropriate levels of cybersecurity practices and processes. The Cybersecurity Maturity Model Certification (CMMC) is that mechanism. It provides the latest framework to ensure the cyber hygiene and organizational maturity required to protect unclassified but controlled information.
Katie Arrington, the Chief Information Security Officer for the Assistant Secretary for Defense Acquisition, also recently spoke on To The Point Cybersecurity, and she likens CMMC to the tracks on a tank: ‘WWI & II changed warfare with trenches, and to defeat the trench the tank was invented. Cyberwarfare is the “new trench”, cybersecurity is the tank, and CMMC is the tank’s tracks.’
CMMC: is your organization ready?
CMMC will become the de facto standard for the protection of the DoD’s CUI. If we look back on the threats, and particularly on how often the lower tiers of the supply chain have been attacked in recent years, industry and government agree that the government must do something – and CMMC is the solution.
CMMC has been designed from the ground up to be a risk-based framework, with five increasing levels of maturity that are tailored to the level of risk posed. The required CMMC maturity level will be established on a contract-by-contract basis, based upon the CUI risk posed by that opportunity. If a contractor wants to bid on an opportunity, it will have to demonstrate compliance to the appropriate level and undergo a third-party audit to validate that compliance.
Did you know? There will be no waivers if an organization is not compliant, and CMMC certification is required regardless of whether a contractor is handling CUI.
If a company doesn’t handle CUI, it may be able to get by with level one or level two, which is more of an ad hoc cybersecurity framework. However, if a company is handling CUI, it is unlikely to be able to do business at level one or two. It’s becoming more and more apparent that these organizations are going to have to be at level three or four, and in so doing demonstrate a high level of organizational maturity as it relates to cybersecurity.
With the release of v.1 and the expectation that CMMC requirements will appear in Requests for Information by June 2020, the time is now for vendors to get ahead of CMMC. Certification will not be easy and is likely to be expensive, but the DoD has stated: “The cost of certification will be considered an allowable, reimbursable cost and will not be prohibitive. For contracts that require CMMC you may be disqualified from participating if your organization is not certified.”
Any organization doing business with the DoD, or with civilian agencies like DHS, is strongly encouraged to get ahead of the game now (even if those agencies are not yet mandating CMMC), as it’s only a matter of time before it is mandated.