DoD Cybersecurity Maturity Model Certification (CMMC)
Coming in 2020, proof of adequate security is going to be a requirement for contractors of the DoD. In fact, every prime and subcontractor on a supply chain will be audited and certified under a Cybersecurity Maturity Model Certification (CMMC) framework in order to assess and enhance the cybersecurity posture of the Defense Industrial Base (DIB). This will benefit the security of contractors and the DIB, as well as help the DoD avoid future losses due to cyber breaches.
The move to stricter cyberhygiene is in response to a series of high-profile breaches of DoD information. The CMMC initiative was designed to harden the DoD attack surface and provide relevant benchmarks to secure the supply chain. The framework aims to certify a company’s compliance with federal cybersecurity regulations around controlled unclassified information (CUI).
What is the CMMC?
CMMC is a framework of security measures that includes associated controls and processes across several maturity levels, ranging from basic cyberhygiene to advanced measures. This DoD effort is geared towards fortifying its cybersecurity strategy by addressing an area of risk that includes the safety and readiness of third-party systems.
The Cybersecurity Maturity Model Certification (CMMC) will help alleviate some of the problems associated with DoD cybersecurity compliance in the past by implementing the following key points:
- Unified standards – Under the new CMMC compliance, there will be one unified DoD cybersecurity standard that combines NIST SP 800-171, NIST SP 800-53, AIA NAS 9933, FIPS and others.
- Varying levels of security – CMMC will provide five levels for prime and subcontractors. RFPs will reflect what level is needed by DoD for each contract.
- Affordability – Security will now be an allowable cost on DoD contracts.
- Supply chain verification – CMMC third-party certifiers will perform audits to establish an organization's level.
The CMMC is designed to have varying degrees of compliance (e.g. low, medium, high). However, the level required for compliance will be determined by the CUI the organization handles or processes, not by its size. Obviously, these requirements will be more of a burden to a small subcontractor that handles the same level of CUI as a large prime. However, the DoD has said that cybersecurity costs will become an “allowable expense,” which will hopefully relieve some of the burden for small businesses.
Cybersecurity in DoD supply chains will be based on the identification of five certification tiers:
- CMMC Level 1: Basic Cyber Hygiene
- CMMC Level 2: Intermediate Cyber Hygiene
- CMMC Level 3: Good Cyber Hygiene
- CMMC Level 4: Proactive
- CMMC Level 5: Advanced/Progressive
The five levels available also recognize that not all companies will need the highest levels of controls and cybersecurity. Companies that conduct business that only requires basic levels of cybersecurity can qualify at the lowest certification level allowed by the RFP.
Timeline for CMMC
This is the currently proposed timeline for CMMC implementation:
- Mid-2019: Working groups and creation of automated assessment tools
- Early 2020: Begin developing oversight and certifier accreditation program, processes
- Mid-2020: Test the certification program and revise it
- Mid/late-2020: Accredit third-party certifiers
- Future: Begin adding CMMC requirement to all new DoD RFPs
There will be five levels of data security, ranging from basic cyberhygiene to state-of-the-art, in order to allow implementation of reasonable security measures based on the needs of the contract. Every defense contractor and subcontractor, whether or not they deal with sensitive information, will have the effectiveness of their cybersecurity practices scored on a scale of 1 to 5.
Contractors that are noncompliant with the required level will not be able to retain DoD contracts.
Under the new certification requirements, DoD contractor information systems will be required to be certified compliant by an outside auditor. This solves an ongoing issue where some businesses have self-certified compliance without fully implementing (or understanding) the needed security controls.
A tool will be developed to allow third-party cybersecurity certifiers to conduct audits and collect metrics. The DoD will also measure compliance with the DFARS and NIST requirements to ensure contractors are handling sensitive unclassified information properly.
CMMC will use a single standard across all DoD contracts, regardless of the kind of business being conducted.
Cybersecurity will be an “allowable cost” in DoD contracts. Contractors will be allowed to seek reimbursement from the government for achieving their CMMC certifications.
If you want to discuss DoD cybersecurity initiatives or a solution that helps your company comply, then call EDM Automation at 757-500-5054.