Cybersecurity Standards and Contractor Certifications
The DoD (Department of Defense), or more specifically the Office of the Assistant Secretary of Defense for Acquisition, began the process of creating the Cybersecurity Maturity Model Certification (CMMC) in March 2019.
The CMMC has been under development through a collaborative effort with Johns Hopkins University Applied Physics Laboratory, Carnegie Mellon University Software Engineering Institute, the Defense Industrial Base Sector Coordinating Council (DIB SCC), and the Office of Small Business Programs. Together they have issued a long-awaited cybersecurity standard for contractors who work with the Pentagon’s sensitive data. Industry associations such as the National Defense Industrial Association (NDIA), the Aerospace Industries Association (AIA), and the Professional Services Council (PSC) also contributed input from industry.
Three (3) Drafts and a Final 1.0 Version:
There have been three drafts issued to date (Version 0.4 in August 2019, Version 0.6 in November 2019, and Version 0.7 in December 2019). In January 2020 the DoD released Version 1.0 of the CMMC (see below).
In January 2020, the Department of Defense (“DoD”) released Version 1.0 of the CMMC framework. The CMMC is a certification framework developed by DoD that measures a defense contractor’s ability to safeguard Federal Contract Information (“FCI”) and Controlled Unclassified Information (“CUI”) that is processed and handled by the contractor (as well as its subcontractors) in the performance of DoD contracts. Over the course of the next 5 years (up to and including 2026), CMMC certification will be a requirement for any company doing business with DoD, either as a prime contractor or as a lower-tier subcontractor. Version 1.0 of the CMMC provided new updates and insights into the many gaps in the earlier CMMC drafts. In addition, the public briefing that accompanied the release of Version 1.0 included new insights into DoD’s rollout of the CMMC framework:
- Version 1.0 addressed many process and procedural gaps left in the prior draft, specifically in the discussion and clarification of Level 4–5 practices. The 1.0 version contains fewer practices (171 vs. 173) and fewer processes (5 vs. 9).
- The DoD has confirmed that it is planning a phased rollout. DoD will work with agencies to identify “pathfinder programs” that will initially implement CMMC requirements, targeting a complete rollout during FY 2021–25, with a targeted end date of FY 2026 by which all DoD contracts will need to incorporate CMMC requirements.
- DoD is still in "rulemaking mode" (through spring 2020) and expects to release follow-on CMMC requirements in select RFIs in June 2020 and in select RFPs in September 2020.
- It is important to note that companies that engage in non-procurement contracts not subject to the DFARS, such as OTAs, may have CMMC requirements implemented as technical requirements.
- DoD officials also commented that CMMC certifications will remain valid for three years.
CMMC is a unified cybersecurity standard for future DoD acquisitions. CMMC Model v1.0 encompasses the following:
- 17 capability domains; 43 capabilities
- 5 processes across five levels to measure process maturity
- 171 practices across five levels to measure technical capabilities
The CMMC model framework organizes processes and cybersecurity best practices into a set of domains:
- Process maturity, or process institutionalization, characterizes the extent to which an activity is embedded or ingrained in the operations of an organization. The more deeply ingrained an activity, the more likely it is that:
  - the organization will continue to perform the activity, including under times of stress, and
  - the outcomes will be consistent, repeatable and of high quality.
- Practices are activities performed at each level for the domain.
The Need for Standards and Certification:
Ellen Lord, the Undersecretary for Acquisition and Sustainment at DoD, said at a recent press briefing, “The model’s inclusion in department contracts will be a ‘go/no go decision.’” CMMC, she explained, “establishes security as the foundation to acquisition, and combines the various cybersecurity standards into a unified standard.”
Creating these cybersecurity standards and pushing for certification of both prime contractors and subcontractors has been a top priority for the DoD in recent years. Earlier in 2019, Dana Deasy (the DoD CIO) explained that tier-one prime contractors are not the biggest concern. “It’s when you get down to the tier-three and the tier-four” subcontractors. “Where the issue breaks down is that as you go down to those various subcontractors, do they understand, [are they] equipped, have the knowledge and the capabilities to defend themselves, and what is it we should be doing more to help them learn how to defend themselves at those tiers?”
In 2017, the DoD introduced regulations that required all contracting vendors who do business with the department to guard and protect “Covered Defense Information” (CDI) that is transmitted to or stored in systems or networks for contracted work.
Katie Arrington, the defense official in charge of the CMMC rollout, emphasized the need for industry feedback in June as part of her “listening tour” in developing the standards. She said at a recently held Professional Services Council conference, “it’s not a ‘me’ thing, it is a ‘we’ thing.” She also said, “The vast majority of DoD contractors have ad hoc and inconsistent cybersecurity practices. We should be infuriated about what has happened to our data,” she concluded.
Summary Drafts of the CMMC (0.4, 0.6, and 0.7)
Below is summary information for all three previous draft releases, along with information about a unique Green Paper series penned by Michael Semmens (President of Imprimis, Inc), Steve Lines (President of the DIB ISAC and now part of NCX), and Jennifer Kurtz, Cyber Program Director (Manufacturer's EDGE). The Green Papers provide insight and analysis on the changes being driven by the DoD and their impact on small commercial and government contracting businesses. (See the Green Paper section below.)
Version 0.4 of the CMMC
The CMMC v0.4 cybersecurity standard provides contractors with a new “roadmap” for the cybersecurity standards they will need to adopt, and be certified against, if they want to pursue DoD contracts that handle or process Controlled Unclassified Information (CUI). Ultimately, the CMMC effort is designed to secure the DoD‘s large and complicated supply chains, from the largest prime contractors down to the smallest subcontractors.
The new CMMC framework addresses 18 domains, described as “key sets of capabilities for cybersecurity,” that were outlined in a slide deck distributed by the Office of the Assistant Secretary of Defense for Acquisition. These domains include areas like access control, governance, incident response, and risk assessment.
Each domain is then assessed based on practices, or “activities performed at each level,” as well as the processes engaged “at the level of maturity” for each practice within an organization. By separating these two criteria into separate categories, DoD contractors (prime and subcontractors) can demonstrate that they have institutionalized these “processes,” even if they don’t exactly match or score points on all of the “practices” at the time of assessment. The result is a five-tier scoring model, with each tier tied to a certain level of cybersecurity assurance. Both practices and processes are reviewed and evaluated across five levels, from basic through advanced, and are optimized accordingly.
Version 0.4: August 2019 Published by the DoD
The Inspector General report and the report provided by Sera-Brynn indicated that the implementation of NIST SP 800-171 had failed: the implementation, not the security requirements. So it would be logical to want to fix the problem, namely the implementation and enforcement. Yet all the discussion to date regarding the CMMC is around developing a new standard. Performing risk analyses and adding controls where needed is a reasonable thing to do. But to do so accurately, the operational objectives and boundaries need to be defined. Major increases in complexity may actually work against successful implementation of good cybersecurity practices, making it more difficult for small businesses to reach maturity levels concomitant with meaningful program participation. The CMMC offers constructive improvements to the current guidance; however, the operational objectives at each level must be defined to ensure a fair system and to allow proper control selection.
The new release of the CMMC v0.6 (November 2019) indicated a new positioning of the standard to closely align with NIST SP 800-171. In fact, at level 3 it can accurately be referred to as “171+21.” Most practices reference NIST 800-171 requirements, and they closely align in both intent and content. There are a total of 21 practices included in the CMMC that do not refer to a NIST 800-171 requirement. A comparison of the total number of practices between the two versions of CMMC is shown in Figure 1 at right.
The CMMC drafts have changed significantly between v0.4 and v0.6. Although only levels 1-3 were published in v0.6, it's clear that the size and content have been shaped to make primary use of NIST SP 800-171 through level 3, as promised by OSD. Key takeaways from v0.6 are:
- The number of practices and processes has been dramatically reduced, as has the number of cited security controls and requirements from other frameworks and standards.
- Clarification was provided that cited controls and requirements such as NIST 800-171, CSF or CIS v7.1 are used to “inform” the practices defined in CMMC v0.6 and are references, NOT requirements for compliance. However, after a number of comments were received by the DoD through the review of v0.4 and v0.6, it seemed that NIST 800-171 controls ARE GOING TO PLAY A MAJOR ROLE IN COMPLIANCE MOVING FORWARD.
- The Australian Cyber Security Centre (ACSC) Essential 8 Maturity Model and the UK NCSC (United Kingdom National Cyber Security Centre) Cyber Essentials were added as cited or referenced material.
- The Governance Domain has been deleted, and policy and governance have been integrated into the five maturity processes required through level 3.
- The practices of CMMC, in fact, follow the cited references very closely, so implementing the CMMC practices effectively implements the cited reference, and vice versa, particularly in the case of NIST 800-171.
- Implementing all requirements defined in NIST 800-171 satisfies the overwhelming majority of the CMMC practices through level 3 as defined in CMMC v0.6.
- There are a total of 21 practices contained within CMMC v0.6 that have no reference to NIST 800-171 and are therefore additional requirements.
The CMMC does not represent a huge change from NIST 800-171, but it does add some important practices that bring value to the security baseline. The big questions remain. First, what category of work or contract can be performed at the various maturity levels, or conversely, what level of procurement activity will each level earn? It still appears that level 3 is the first meaningful certification level. The second question is how and when certification will happen. OSD is actively developing the certification program, and details should be available soon. The key takeaway for DoD contracting companies is that certification will happen, and soon.
The new release of the CMMC v0.7 was published by the DoD on December 6, 2019. This release includes level 4-5 practices and modifies some maturity processes and level 1-3 practices. The DoD released this draft version to support the public's continued review of the draft model in preparation for the release of CMMC Model Version 1.0 at the end of January 2020. Section 2 of the draft describes the model framework in more detail, including levels, capability domains, and processes. Section 3 provides instructions on how to read the model. Appendix A presents the latest version of the CMMC Model. Appendices B, C, and D present practice clarifications for CMMC levels 1-3, respectively. The draft also provides key references, a glossary of terms, and a list of acronyms.
From the v0.7 CMMC Draft: the CMMC Model Framework is taking form and is specified in three primary categories of cybersecurity best practices, with the highest level being Domains (see Figure 1 at left). Each Domain is further segmented into a set of capabilities. Capabilities are achievements that ensure cybersecurity objectives are met within each domain. Companies achieve cybersecurity compliance with the required capabilities by demonstrating adherence to practices and processes, which have been mapped across the five maturity levels of CMMC. In this context, practices measure the technical activities required to achieve compliance with a given capability requirement, and processes measure the maturity of a company's processes. Within each domain, Defense Industrial Base (DIB) companies will be accredited under the CMMC only if they can demonstrate compliance with the practices and maturity processes required for the given CMMC level.
The CMMC model's most recent draft appeared on December 6, 2019 (v0.7). It incorporated a variety of public input and spurred discussions throughout the Defense Industrial Base. Once the defense contracting community had submitted comments on the new rules through the end of November, the final draft was put together and released in January 2020.
Defense offices that publish RFPs will now be expected to include certification requirements in their requests for information by June 2020 and in all official solicitations by the fall of 2020.
The early drafts represented an early stage of development of the new standards and the DoD solicited feedback, according to information published on the model at an informational website located here: (https://www.acq.osd.mil/cmmc/draft.html)
The "Green Paper" Review and Public Comment Initiative from NCX and its Partners:
NCX reached out to Michael Semmens (President of Imprimis, Inc), Steve Lines (Executive Director of Cyber Technology & ISAO Operations, NCX), and Jennifer Kurtz, Cyber Program Director (Manufacturer's EDGE), to develop a top-down and bottom-up analysis of the CMMC initiative. The purpose of the Green Papers (and the public comment initiative) was to analyze the motivation behind developing the CMMC for defense contractors and what its impact would be on the DoD contracting process. The significant increase in the number of compliance items, and the complexity imposed by multiple cybersecurity frameworks and standards, is also quantified and described. The potential threat to small businesses is made clear. A call to action for small and medium businesses is put forward so that important feedback reaches DoD and an appropriate design is achieved, balanced with respect to the competing demands of good security and affordable, achievable implementation of the core competencies of information security.
The CMMC Version 1.0 specification, certification model and best practices will continue to be updated over the next several years with the collaboration of all stakeholders and input from the general public, as the specification stage moves to execution and implementation and an Accreditation Body is stood up to develop the certification and auditing standards.
CMMC Accreditation Body
What has now accelerated after the release of Version 1.0 of the CMMC specification is that the DoD is currently drafting a memorandum of understanding between DoD and the recently formed Accreditation Body (“AB”), which consists of 13 members from industry. The AB is responsible for training and certifying the third-party assessment organizations (“C3PAOs”), which will conduct cybersecurity assessments of DoD contractors. The DoD expects the AB to establish a “marketplace,” or directory of C3PAOs, on its website in March or early April 2020. Companies can use the marketplace to obtain information on the various C3PAOs and schedule an assessment for the certification level they need. DoD expects this to allow sufficient time for companies to obtain the relevant certification by the time of contract award for the pathfinder programs.
How you can participate in the ongoing discussion and improvement of the CMMC:
Imprimis, along with our partners NCX and Manufacturer's EDGE, welcomes your input and comments and has set up a special online “intake form” to enable you to provide comments and feedback on the final CMMC Standard Version 1.0 and on the ongoing development of the certification and auditing processes now underway. We have already compiled and aggregated a number of comments for the v0.4, v0.6, and v0.7 reviews (which are now closed) and submitted them to the DoD as an industry group representing the NCX, Imprimis and Manufacturer's EDGE members. We intend to participate and be active in the new Accreditation Body developments, as we will be providing both assessment and auditing capabilities once the rules and processes are fully defined.
We will also keep the CMMC Comment form online, as we anticipate participating in and providing future CMMC Model comments for public review through Q4 2020. We intend to maintain an ongoing database of comments and will provide updated reports and best practice recommendations in the future to new CMMC governing or auditing entities as they become established.
Please take a few minutes to provide your comments on the CMMC Comment form at this URL: