Cybersecurity Standards and Contractor Certifications
The DoD (Department of Defense), or more specifically the Office of the Assistant Secretary of Defense for Acquisition, began the process of creating the Cybersecurity Maturity Model Certification (CMMC) in March 2019.
The CMMC has been under development through a collaborative effort with Johns Hopkins University Applied Physics Laboratory, Carnegie Mellon University Software Engineering Institute, the Defense Industrial Base Sector Coordinating Council (DIB SCC), and the Office of Small Business Programs. Together they have issued a long-awaited cybersecurity standard in draft form for contractors who work with the Pentagon’s sensitive data. In addition, industry associations such as the National Defense Industrial Association (NDIA), the Aerospace Industries Association (AIA), and the Professional Services Council (PSC) have contributed support and provided input from industry.
Three (3) Drafts So Far:
There have been three drafts issued to date: Version 0.4 in August 2019, Version 0.6 in November 2019, and now Version 0.7, which came out in December 2019.
Below is summary information for the releases, along with information about a unique Green Paper, penned by Michael Semmens (President of Imprimis, Inc), Steve Lines (President of the DIB ISAC), and Jennifer Kurtz, Cyber Program Director (Manufacturer's EDGE), providing insight and analysis of the impact these changes, driven by the DoD, will have on small commercial and government contracting businesses. (See the Green Paper section below.)
Version 0.4 of the CMMC
The CMMC v0.4 cybersecurity standard provides contractors with a new “roadmap” for the cybersecurity standards they will need to adopt, and be certified against, if they want to seek out DoD contracts that handle or process Controlled Unclassified Information (CUI). Ultimately, the CMMC effort is designed to secure the DoD’s large and complicated supply chains, from the largest prime contractors down to the smallest subcontractors.
The new CMMC framework addresses 18 domains, described as “key sets of capabilities for cybersecurity,” that were outlined in a slide deck distributed by the Office of the Assistant Secretary of Defense for Acquisition. See the link below and the image of the OSD website (with embedded link). These domains include areas like access control, governance, incident response, and risk assessment.
Each domain is then assessed based on practices, or “activities performed at each level,” as well as the processes engaged “at the level of maturity” for each practice within an organization. By separating these two criteria into separate categories, DoD contractors (prime and subcontractors) can demonstrate that they have institutionalized these “processes,” even if they don’t exactly match or score points on any of the “practices” at the time of assessment. The result is a five-tier scoring model, each tier tied to a certain level of cybersecurity assurance. Both practices and processes are reviewed and evaluated across the five levels, basic through advanced, and are optimized accordingly.
Version 0.4: August 2019 Published by the DoD
The Inspector General report and the report provided by Sera-Brynn indicated that the implementation of NIST SP 800-171 had failed – the implementation, not the security requirements. So, it would be logical to want to fix the problem – the implementation and enforcement. All the discussion to date regarding the CMMC is around developing a new standard. Performing risk analyses and adding controls where needed is a reasonable thing to do. But to do so accurately, the operational objectives and boundaries need to be defined. Major increases in complexity may actually work against successful implementation of good cybersecurity practices, making it more difficult for small businesses to reach maturity levels concomitant with meaningful program participation. The CMMC offers constructive improvements to the current guidance; however, the operational objectives at each level must be defined to ensure a fair system and to allow proper control selection.
Let us know what you think. Submit comments to https://nationalcyber.org/cmmc-comment-form
Version 0.6: November 2019 Published by the DoD
The new release of the CMMC v0.6 (November 2019) indicated a new positioning of the standard to closely align with NIST SP 800-171. In fact, at Level 3 it can accurately be referred to as “171+21.” The overwhelming majority of the practices reference NIST 800-171 requirements, and they closely align in both intent and content. A total of 21 practices have been included in the CMMC that do not refer to a NIST 800-171 requirement. A comparison of the total number of practices between the two versions of CMMC is shown in Figure 1 at right.
The CMMC drafts have changed significantly between v0.4 and v0.6. Although only levels 1-3 were published in v0.6, it's clear that the size and content have been shaped to make primary use of NIST SP 800-171 through level 3 as promised by OSD. Key takeaways from v0.6 are:
- The number of practices and processes has been dramatically reduced as has been the number of cited security controls and requirements from other frameworks and standards.
- Clarification was provided that cited controls and requirements such as NIST 800-171, CSF or CIS v7.1 are used to “inform” the practices defined in CMMC v0.6 and are references, NOT requirements for compliance. However, after a number of comments were received by the DoD through the review of v0.4 and v0.6, it seems that NIST 800-171 controls ARE GOING TO PLAY A MAJOR ROLE MOVING FORWARD FOR COMPLIANCE.
- The Australian Cyber Security Centre or ACSC Essential 8 Maturity Model and the UK NCSC (United Kingdom National Cyber Security Centre) Essentials were added as cited or referenced material.
- The Governance Domain has been deleted, and policy and governance have been integrated into the five maturity processes required through Level 3.
- The practices of CMMC, in fact, follow the cited references very closely so implementing the CMMC practices effectively implements the cited reference, and vice versa, particularly in the case of NIST 800-171.
- Implementing all requirements defined in NIST 800-171 satisfies the overwhelming majority of the CMMC practices through Level 3 as defined in CMMC v0.6.
- There is a total of 21 practices contained within CMMC v0.6 that do not have reference to NIST 800-171 and are therefore additional requirements.
The CMMC does not represent a huge change from NIST 800-171, but it does add some important practices that bring value to the security baseline. The big questions remain. First, what category of work or contract can be performed at the various maturity levels, or conversely, what level of procurement activity will each level earn? It still appears that Level 3 is the first meaningful certification level. The second question is how and when certification will happen. OSD is actively developing the certification program, and details should be available soon. The key takeaway for DoD contracting companies is that certification will happen, and soon.
Let us know what you think. Submit comments to: https://nationalcyber.org/cmmc-comment-form
Version 0.7: December 2019 Published by the DoD
The new release of the CMMC v0.7 was published by the DoD on December 6, 2019. This new release includes Level 4-5 practices and modifies some maturity processes and Level 1-3 practices. The DoD is releasing this draft version to support the public's continued review of the draft model in preparation for the release of CMMC Model Version 1.0 at the end of January 2020. Section 2 of the draft release describes the model framework in more detail, including levels, capability domains, and processes. Section 3 provides instructions on how to read the model. Appendix A presents the latest version of the CMMC Model. Appendices B, C, and D present the practice clarifications for CMMC Levels 1, 2 and 3, respectively. The draft also provides key references, a glossary of terms, and a list of acronyms.
From the v0.7 CMMC Draft: The CMMC Model Framework is taking form and is organized into three primary categories of cybersecurity best practices, with the highest level being Domains (see Figure 1 at left). Each Domain is then further segmented into a set of capabilities. Capabilities are achievements that ensure cybersecurity objectives are met within each domain. Companies achieve cybersecurity compliance with the required capabilities by demonstrating adherence to practices and processes, which have been mapped across the five maturity levels of CMMC. In this context, practices measure the technical activities required to achieve compliance with a given capability requirement, and processes measure the maturity of a company's processes. Within each domain, DIB (Defense Industrial Base) companies will be accredited under the CMMC only if they can demonstrate compliance with the required practices and mature processes required for the given CMMC level.
The Need for Standards and Certification:
Ellen Lord, the Undersecretary for Acquisition and Sustainment at DoD, said at a recent press briefing, “The model’s inclusion in department contracts will be a ‘go/no go decision.’” CMMC, she explained, “establishes security as the foundation to acquisition, and combines the various cybersecurity standards into a unified standard.”
Creating these cybersecurity standards and pushing for certification for both prime and subcontractors has been a top priority for the DoD in recent years. Earlier in 2019, Dana Deasy (the DoD CIO) explained that tier-one prime contractors are not the biggest concern. “It’s when you get down to the tier-three and the tier-four” subcontractors. “Where the issue breaks down is that as you go down to those various subcontractors, do they understand, [are they] equipped, have the knowledge and the capabilities to defend themselves, and what is it we should be doing more to help them learn how to defend themselves at those tiers?”
In 2017, the DoD introduced regulations that required all contracting vendors who do business with the department to guard and protect “Covered Defense Information” (CDI) that is transmitted to or stored in systems or networks for contracted work.
Katie Arrington, the defense official in charge of the CMMC rollout, emphasized the need for industry feedback in June as part of her “listening tour” in developing the standards. She said at a recently held Professional Services Council conference: “It’s not a ‘me’ thing, it is a ‘we’ thing.” She also said that “the vast majority of DoD contractors have ad hoc and inconsistent cybersecurity practices. We should be infuriated about what has happened to our data,” she concluded.
Current Status of Draft Standard:
The CMMC model is currently in its seventh draft. The department released its first draft for public comment on Wednesday, Sept 4, 2019 (v0.4); the second draft was released on Nov 7, 2019 (v0.6); and the third and most recent draft appeared on December 6, 2019 (v0.7). The DoD expects to release final versions in the first quarter of 2020. The defense contracting community has already submitted comments on these new rules through the end of November. Defense offices who publish RFPs will be expected to include certification requirements in their requests for information by June 2020 and in all official solicitations by the fall of 2020.
The draft represents an early stage of development of the new standards, and the DoD is requesting feedback, according to information published on the model at an informational website located here: https://www.acq.osd.mil/cmmc/draft.html
The DOD’s Office of the Under Secretary of Defense for Acquisition & Sustainment is taking feedback on the third draft (v0.7) of the CMMC through the end of 2019.
The "Green Paper" Review and Public Comment Initiative from NCX and its Partners:
NCX has reached out to Michael Semmens (President of Imprimis, Inc), Steve Lines (Executive Director of Cyber Technology & ISAO Operations, NCX), and Jennifer Kurtz, Cyber Program Director (Manufacturer's EDGE), to develop a top-down and bottom-up analysis of the CMMC Initiative. The purpose of the Green Paper (and public comment initiative) is to analyze the motivation behind developing the CMMC for defense contractors and what its impact will be on the DoD contracting process. The significant increase in the number of compliance items and the complexity imposed by multiple cybersecurity frameworks and standards is also quantified and described. The potential threat to small businesses is made clear. A call to action for small and medium businesses is put forward so that important feedback is provided to the DoD, so that an appropriate design is achieved that balances the competing demands of good security and affordable, achievable implementation of the core competencies of information security.
How you can participate and provide comments on our online NCX CMMC Comment Form:
The CMMC model and best practices specification will continue to be updated over the next several months with the collaboration of all stakeholders and input from the general public. The goal is to come up with a final version, v1.0, by January 2020.
NCX, along with our partners Imprimis and Manufacturer's EDGE, welcomes your inputs and comments and has set up a special online “intake form” to enable you to provide comments and feedback on the current CMMC Standard v0.7. We have already compiled and aggregated a number of comments for the v0.4 and v0.6 reviews (which are now closed) and submitted them to the DoD as an industry group representing NCX and Manufacturer's EDGE members.
We will also keep the CMMC Comment form online as we anticipate participating in and providing future CMMC Model comments for public review through Q2 2020. We intend to maintain an ongoing database of comments and will provide updated reports and best practice recommendations in the future to new CMMC Governing or Auditing entities that become established.
Please take a few minutes to provide your comments on the CMMC Comment form at this URL: