Just like any other organization, the cybersecurity of the US Department Of Defense (DOD) is only as strong as its weakest link – currently, many of the contractors and subcontractors providing the products and services to the US DoD are not subject to its strict cybersecurity requirements. These smaller companies are often targets for cyber-attacks because they don’t have the same levels of cybersecurity larger organizations have and therefore they can serve as an entry point for attackers to move up the DoD supply chain.
Because of the alarming increase and continual threat of supply chain attacks from both nation-states and cybercriminals alike and the high cost of government data loss from even its smallest contractor, the US Government has decided to implement a Cybersecurity Maturity Model Certification (CMMC) to its entire Defense Industrial Base (DIB) supply chain of contractors and subcontractors.
If you are one of the 300,000 businesses or organizations either contracted directly to the United States DOD, or working as a subcontractor, you form part of their DIB supply chain. From the end of 2020 you will be required to achieve a CMMC certification level prior to bidding on contracts.
What is CMMC?
The CMMC framework implements cybersecurity best practices by standardising existing data protections and practices across multiple US departments and agencies. These new unified cybersecurity standards ensure the security of government data on its DIB networks, replacing the previous Defense Federal Acquisition Regulation (DFAR) requirements.
There are two types of unclassified information DIB contractors and subcontractors handle – Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) – but the CMMC has been mainly implemented to protect CUI.
Although CUI is not classified information it still requires some level of protection from unauthorized access and release due to privacy, law enforcement, contractual protections and other reasons.
How Will CMMC Impact Your Organization?
Previously, DIB organizations could self-certify their security compliance, and DIB’s were responsible for the implementation, monitoring and certification of the security of their information technology systems, as well as any sensitive DoD information stored on or transmitted by those systems.
Towards the end of 2020, DIB organizations contracting and subcontracting to the US DoD will no longer be able to self-certify their compliance. Instead they will now be required to attain CMMC certification by firstly completing an assessment of all their CMMC practices.
Preparation for the assessment requires identifying the current gap in processes and policies and then remediation. Ideally this is performed by security practitioners that have the level of expertise to efficiently work towards developing a roadmap for an organization. Then help to prepare them for assessment by a CMMC third-party assessment organization (C3PAO) for certification.
This means before your DIB organization you can work on US DoD contracts, you will need to ensure all CMMC requirements are implemented for the level you are applying to contract at and then this compliance will need to be assessed and approved by a C3PAO.
One such approach is from eFortresses who offer a CMMC Scorecard that provides a roadmap that is prepared by qualified security practitioners, the roadmap is based on the following workstreams:
- Validate – your current cybersecurity level to objectively assess, provide industry benchmarks and an effective roadmap for your journey towards CMMC Level 3
- Remediate – your gaps in current cybersecurity controls that could potentially present a roadblock in your journey towards CMMC Level 3
- Certify – your cybersecurity program using an Accredited Certified Third-Party Assessment Organization
- Improve – your cybersecurity program to maintain CMMC Level 3 or improve to Level 4 or 5
What is the Difference between CMMC and DFARS?
The Defense Federal Acquisition Regulation Supplement (DFARS) was implemented by the US DoD in 2016 to protect sensitive government data from cybersecurity attacks. However, as the US Government comes under increasing threat of cyberattack, it has decided to launch the CMMC framework to enhance its cybersecurity defense along its supply chain.
CMMC and DFARS have a lot of similarities and they both target how your DIB organization uses security controls to protect CUI, but the biggest difference between the two is CMMC’s maturity levels.
Let’s take a closer look at the CMMC Model Framework.
How is the CMMC Model Framework Structured?
The CMMC model framework organizes processes, capabilities and cybersecurity best practices within a set of 17 capability domains.
It contains five maturity processes and 171 cybersecurity best practices that progress across five maturity levels.
Instituting cybersecurity processes into the CMMC framework ensures all DIB cybersecurity activities are consistent, repeatable, and of high quality.
Cybersecurity Maturity Model Certification Capability Domains and Levels
CMMC Maturity Process Progression Across Five Levels of Certification
The CMMC standard is assessed across five levels of maturity, with Maturity Level 1 requiring the most basic cyber security and Maturity Level 5 requiring the most advanced.
Cybersecurity Maturity Model Certification Levels
Requirements are cumulative, so requirements at Maturity Level 1 are also required at Maturity Level 2, requirements at Maturity Level 1 and 2 are also required at Maturity Level 3, and so on.
To become certified at any of the CMMC levels, you must demonstrate both the technical practices and maturity processes defined in that level, as well as those in the preceding, lower levels. For example, if you demonstrate practice implementation at Level 3, but only have maturity level implemented at Level 2, you can only receive a Level 2 certification.
What Level of CMMC Does Your Organization Need to Achieve?
The Maturity Level you need to achieve will depend on whether you need to protect only FCI or CUI as well.
- Maturity Levels 1 and 2 are basic and intermediate cybersecurity that allow you to protect FCI but not CUI.
- Maturity Level 3 is Good Cyber Hygiene and the lowest level at which you can receive CUI in any domain.
- Maturity Level 4 is Proactive, focusing on activities your organization can take to detect, protect and respond to changing tactics used by advanced persistent threats (APT)s.
- Maturity Level 5 is Advanced/Progressive requiring process implementation and enhanced practices that provide more sophisticated capabilities to detect and respond to APTs.
What Actions Should Your DIB Organization Take Now?
If you’re a DoD contractor or subcontractor, having a full understanding of the CMMC’s technical requirements will prepare your DIB organization for certification, as well as cementing your long-term cybersecurity agility.
If you start now to evaluate your cybersecurity hygiene practices, procedures and gaps when the details are finalized will be well-positioned to navigate the process and meet the mandatory CMMC contract requirements for your upcoming projects.
At Cocoon Data we work with DIB organizations worldwide to navigate government compliance regulations, and we know how challenging it can be for defense contractors to keep up with these regularly evolving compliance requirements. We are fully certified to ISO 27001 and undertake regular external audits to ensure we meet strict, documented standards.