In 2019 the Department of Defense announced the creation of the Cybersecurity Maturity Model Certification (CMMC) to replace the self reporting of cyber hygiene which used to govern the DIB. The CMMC puts an end to self-assessment, and requires a third party assessor to verify the cybersecurity maturity level of all contractors.
All DoD contractors must comply with the Federal Acquisition Regulation (FAR) and the Defense Acquisition Regulation Supplemental (DFARS). These regulations require companies to meet specific security standards from the National Institutes Standard of Technology. If a company connects to the government network, they must meet the NIST 800-53 standards. Companies not connected to a network were previously required to self-certify that they met the 110 controls and completed actions to increase cyber hygiene as laid out in NIST 800-171.
Third party assessors, who must complete coursework and obtain a certification, must now measure what maturity level a contractor has met. An organization must demonstrate the institutionalization of the process and the utilization of the practices outlined by NIST. Furthermore, the maturation model is cumulative, meaning a contractor must demonstrate they have met the practices and processes of lower levels as well.
The goal is to protect two types of sensitive data: federal contract information, and controlled unclassified information.
What is FCI?
Authorized holders, who have a Department of Defense Contract with a 7012 clause must protect two types of sensitive data: Federal Contract Information and Controlled Unclassified Information.
FCI, or Federal Contract Information, is any information included in or created for a government contract not meant for public release.
You or the government can create FCI. Then, you must do the work on behalf of a contract that generates or uses information not intended for public release.
You do not need to label FCI. No classification exists. Instead, you must apply basic safeguards to information not meant for public release.
All of this was established by FAR Clause 52.204-21, which lays out basic protections for sensitive data. A company should not assume meeting the requirements of FAR will be easy or cheap. However, FAR requirements often reflect better business practices, and provide a good starting point on your CMMC journey.
Contractors who only touch or create FCI will need to pass a Level 1 maturity assessment.
By 2025, all contractors will be assessed using the CMMC Level 1 methodology.
What is CUI?
Controlled Unclassified Information requires greater protections than FCI. The government defines CUI as information that demands safeguarding or dissemination controls required by law, regulation, or Govt-Wide Policy, but which is not classified, and does not include nuclear data or material. These require greater protections than CUI.
The CUI program was created by President Obama’s Executive Order 13556 after 9/11 to create a streamlined method for information sharing and safeguarding. The Information Security Oversight Office (ISOO) acts as the Executive Agent (EA) of the National Archives and Records Administration (NARA), and is responsible for oversight of the CUI program. The ISOO monitors the implementation of the CUI program by executive branch agencies.
Contractors who touch, create, receive, transmit, or destroy CUI will need to pass a Level 3 maturation assessment
By 2025(ish) all contractors will be assessed using the CMMC Level 3 methodology.
History of CMMC?
The Department of Defense launched the Cybersecurity Maturity Model Certification Program in 2019.
The Software Engineering Institute built the initial versions of the CMMC in collaboration with the Johns Hopkins University Applied Physics Laboratory.
However, the effort to secure the Defense Industrial Base goes back as far as 2017, when the Department of Defense required all contractors who receive a 7012 clause to self-assess their cyber hygiene using a set of controls called the Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. This was published by the National Institute of Standards and Technology, and is commonly reffered to as NIST SP-800-171, or simply 171.
NIST was empowered to set the standards for cybersecurity by the Secretary of Commerce under the Federal Information Security Modernization Act, which was passed all the way back in 2002. In fact, NIST began taking charge of technology standards as far back as 1901n with the Organic Act. This was updated for the digital world with FISMA.
So the CMMC, while officially beginning in 2019, has roots that are almost twenty years old.
FISMA empowered the Secretary of Commerce to authorize the Office of Budget and Management to team with NIST. Through NIST, the OMB, and thus the Secretary of Commerce, set standards such as FIPS 199. FIPS 199 is a type of encryption authorized users must use when handling CUI. CMMC-AB, for example can’t just strip away FIPS.
The Department of Defense instead created CMMC to help speed up compliance to 171 after the F-35 was stolen by the Chine military.
The plans did not fall into Chinese hands by hacking a single computer or company. Rather, thousands of cyber attacks were launched against the networks of small government contractors who moved plans and files, such as key radar information, back and forth between emails and servers.
These efforts did not stop with the F-35. In fact, according to a Government Accountability Office:
“The Department of Defense (DOD) faces tens of millions of attempted malicious cyber intrusions per year as adversaries seek to take advantage of the department’s reliance upon computer networks.”
Something had to be done.
The Interim Rules
The Department of Defense took the extraordinary approach of releasing an Interim Rule to speed up implementation of CMMC. The Interim rule introduced three new clauses, 7019, 7020, and 7021.
The 7019 and 7020 clauses rely on the same approach to 171, but now only the Under Secretary of Defense for Acquisition and Sustainment can assign the 7021, which has the CMMC requirements.
As of Nov 30, 2020 all contractors must continue to upload SRPS scores and self-attest under the 7019 clause.
If the DoD wants to apply a medium review, the 7020 clause kicks in.
Until 2025, only the Undersecretary of A+S can assign the 7021 clauses.
The interim rule only applies to contracts after Nov 30. However, when a contract or Task Orger gets modified, which is often, than the interim 7019, 7020, and 7021 clauses kick in.
The Interim rule is set to be finalized in May of 2021, which then lays out a path for all Defense contracts to have the 7021 clause by 2025-2026.
It makes sense for Defense Contractors and Managed Support Providers, the IT companies that work with small manufacturers, to begin to understand and implement the CMMC model
What is the CMMC Model?
Since December 13, 2017 companies could lose DoD contracts due to lax cybersecurity. But the DoD took an extraordinary step of releasing an interim rule to DFARS.
Until recently, DFARS required organizations to self assess. Companies had to provide documentation on meeting the 110 controls of NIST 800-171 by collecting artifacts into a Body of Evidence.
A Body of Evidence contained three major items. The first was a Systems Security Plan, which describes a company’s infrastructure, such as the hardware and software utilized. The Plan of Action and Milestones (POA&M) documented any shortcomings and described a remediation plan for those shortcomings. A company would also submit their procedures and policies as part of the Body of Evidence.
DFARS required a contractors POA&M to be shared with the DoD. A major change presented by the CMMC model is the removal of POA&M and the introduction of third party auditors, rather than self assessments.
The CMMC builds off of NIST 800-171 but also includes controls from other cybersecurity frameworks. Where CMMC differs is in both the maturation model and the role of third party assessors. The CMMC defines 17 domains of cyber hygiene that are comprised of 43 capabilities. These capabilities are institutionalized through 171 practices across five levels of maturation.
The Office of the Under Secretary of Defense for Acquisition and Sustainment defines maturation as a, “set of characteristics, attributes, indicators, or patterns that represent capability and progression in a particular discipline.” The CMMC contains five levels of maturation.
The Five Levels of CMMC
The CMMC model has five levels of maturation:
Level 1: Safeguard Federal Contract Information (FCI) Level 2: Serve as transition step in cybersecurity maturity progression to protect CUI Level 3: Protect Controlled Unclassified Information (CUI) Levels 4-5: Protect CUI and reduce risk of Advanced Persistent Threats (APTs)
The Cybersecurity Maturity Model Certification program has 17 total Domains across these five levels.
Almost all of the domains come from NIST 800-171 and Federal Information and Processing Standards 200.
To these 14 domains, the CMMC model adds Asset Management (AM), Recovery (RE), and Situational Awareness (SA) from other Interational and Risk Management Frameworks. Practices and Processes
Across these Domains the model has 171 practices. In oder to be compliant with each practice, you must demonstrate compliance with every single objective taken from the 171a methodology. For Level 3 maturation, the practices in each of the Domains of CMMC require someone to meet compliance on 362 objectives.
The CMMC model also requires an assessor to establish process maturity.
Maturity Level 1 allows you to demonstrate processes in an ad hoc manner, and will not require poilcy in place for compliance. However, every company will find security impossible to meet without good policy. So, while you are not technically required to show policy for Level 1 compliance, it will be hard to reach without it.
Level 2 maturity requires an organization to establish and document practices within a Domain. This does not mean you must write a process documentation for each Domain. Many of the objectives used to measure process maturity will exist across your portfolio.
Level 3 maturity is required to handle CUI. An organization must establish, maintain, and resource a plan for managing cybersecurity. CUI activities must be defined in the plan.
Level 4 requires an organization to review and measure practices for effectiveness. They must look for vulnerabilities and address them when found.
Level 5 requires a company to standardize and optimize process implementation throughout the organization. Most Level 5 organziations will be better prepared through experience handling Classified or nuclear information.
The CMMC Model includes several assumptions about the cost of implementing CyberSecurity.
As Jacob Horne of DefCert notes, the Interim Rules assume Defense contractors have implemented the controls of 171, although few have managed to do so.
In fact, NIST-800-171 itself assumes that many of the controls required in FAR-21 just happen as part of the way we do business in the modern world. The Department of Defense knows the web has existed for 30 years or longer. They used to call it ARPANet.
Can you blame the Department of Defense for not wanting to use contractors who have done nothing to address cybersecurity in 30 years? They will not accept excuses for a lack of cybersecurity, and have published some pricing guidance. Jacob warns us to understand that these prices also include the assumptions built into the CMMC model. Still even if these number represent the floor and not the ceiling, it will still cost a pretty penny for a sheen of cyber hygiene
The cost CMMC certification consists of 3 things (based off of DoD estimates (assuming you are already 171 compliant):
The cost of the assessment itself; First year, non-recurring engineering costs; Recurring engineering costs split over five years.
Level 1 Certification: $2,999.56
Assessment: $2,999.56 Nonreccuring Engineering: N/A Recurring Engineering: N/A
Level 2 Certification: $50,755.88
Assessment: $22,466.88 Nonreccuring Engineering: $8,135.00 Recurring Engineering: $100,770.00 ($20,154.00 per year x 5 years)
Level 3 Certification: $118,975.60
Assessment: $51,095.00 Nonreccuring Engineering: $26,214.00 Recurring Engineering: $208,330.00 ($41,666.00 per year x 5 years