Time to ring in the New Year with a new acronym – CMMC. These four letters stand for Cybersecurity Maturity Model Certification and establish cybersecurity standards and best practices for companies nationwide. Becoming intimately familiar with CMMC in 2020 will be a top priority for an estimated 300,000 companies that are contractors or subcontractors with the U.S. Department of Defense (DoD) supply chain.
New Hampshire is home to several large defense contractors and a network of subcontractors that play a key role in our national defense and in economic development for the Granite State. By making the move to require cybersecurity compliance in 2020, the DoD has demonstrated that national security is a top priority and concern for companies selected to help build products that protect our country. To ensure this happens, DoD is taking steps to further refine supply chain cybersecurity requirements and implementing a process for ensuring adherence to the requirements.
CMMC is the next stage in the DoD’s efforts to properly secure the defense industrial base, which is made up of companies contracted to create and supply products that support U.S. military operations. The announcement of a cybersecurity assessment model signals to industry a streamlining of DoD cybersecurity requirements for contractors and subcontractors, who will now be required to gain certification to prove they meet specific levels of security. These levels integrate and build upon existing regulation; for example, many companies are already required by contract to be NIST 800-171 compliant. In the current draft, CMMC Level 3 most closely aligns with the NIST 800-171 controls while also filling out cybersecurity requirements above and below this level.
Here’s how it works
While final details will be released in 2020, draft versions tell us that CMMC is intended to serve as a verification mechanism to ensure appropriate levels of cybersecurity practices and processes are in place, from basic through proactive cyber hygiene. The intent is also to strengthen the protections around controlled unclassified information (CUI) that resides in DoD’s industry partners’ environments (CUI-specific protections apply to levels 3-5).
CMMC is designed to certify companies at the level of compliance required for the kind of work the company will be doing. Organizations with deep experience in information security and a strong understanding of compliance processes and protocols can serve as advisors and assessors to prepare companies to meet certification requirements and audits.
There are layered complexities associated with CMMC and companies are encouraged to begin investigating what is required of them as soon as possible. Mainstay Technologies has been working in this field for several years and has built up the necessary expertise to serve as a trusted partner to perform compliance assessments, identify real world risk factors, remediate any findings, and carry the overall responsibility for cybersecurity long-term.
The DoD has recognized gaining certification as an expense to contractors and made cybersecurity an allowable cost. “Reasonableness” is key. It’s also important to point out that cybersecurity standards are already included in many existing contracts, and associated costs are already assumed to be part of those agreements. Inclusion as an allowable cost enables contractors to work with a partner for their own certification as well as for certification of their subcontractors. The actual process will be rigorous and time-consuming, but it is not intended to be a prohibitive expense.
Demonstrated capabilities and levels of CMMC
There are 17 domains, each comprising specific capabilities required to achieve each level of CMMC; which domains apply depends on the type of work conducted by a company. Examples of domains include access controls, asset management, incident response, security assessment, and personnel security. Each level is cumulative, meaning the company must demonstrate achievement of previous levels. The five levels are as follows:
- Level 1 – “Basic Cyber Hygiene,” which addresses limited or inconsistent cybersecurity policies and systems
- Level 2 – “Intermediate Cyber Hygiene,” which requires established and documented policies, procedures and strategic cybersecurity plans
- Level 3 – “Good Cyber Hygiene,” which requires effective implementation of controls equal to the full NIST 800-171 control set and includes assessments to measure effectiveness
- Level 4 – “Substantial and Proactive Cybersecurity Program,” which requires continuous monitoring with process optimization and proactive alerts to leadership
- Level 5 – “Advanced or Progressive Cybersecurity Program,” which requires optimized capabilities to repel advanced persistent threats. Process implementation must be standardized across the entire organization
For defense contractors, becoming familiar with CMMC and gaining certification will be a key New Year’s resolution to enable them to continue to engage in DoD work. Look for CMMC 1.0 to be released in January. In early- to mid-2020, certified accreditation organizations will be trained. CMMC requirements will appear in new RFIs by late 2020, and accreditors will be ready to provide certification.
Given the newness of CMMC, it’s not too early to start preparing by selecting a partner that truly understands CMMC complexities and how best to navigate this new cybersecurity certification process. If you are not already prepared based on existing NIST 800-171 requirements, the recommendation is to establish your cybersecurity posture based on CMMC 1.0. Good cyber hygiene protects your business, and an understanding of costs will be critical.
Jason Golden is chief information security officer at Mainstay Technologies, an IT and cybersecurity firm that serves businesses throughout northern New England.