5 Things You Need to Know About CMMC and How it Builds on DFARS
Cybercriminals have targeted and continue to target the Defense Industrial Base (DIB) sector, as well as the Department of Defense's (DoD) supply chain in the hopes of stealing vital intellectual property and sensitive information. The DIB sector is made up of more than 300,000 organizations that research, engineer, develop, acquire, produce, deliver, sustain, and operate military services, capabilities, installations, and networks. A cyberattack against the DoD supply chain can significantly undercut the United States' technical innovations and advantages, and compromise its national security.
This led the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) to create the Cybersecurity Maturity Model Certification (CMMC) framework. This framework is a certification procedure designed to assure the DoD that DIB contractors are capable of protecting sensitive information such as Controlled Unclassified Information (CUI) and Federal Contract Information (FCI).
5 things you need to know about CMMC
1. ALL DoD contractors are required to be CMMC compliant
CMMC regulations state that all DoD contractors need to get a certification prior to bidding for a government project. The DoD decides the certification level of contractors based on the type of CUI they manage. The DoD will also begin implementing minimum certification requirements in requests for information (RFI) in June 2020 and in selected requests for proposals (RFPs) in September.
2. Self-certification is no longer an option
Contractors are required to coordinate with an independent and accredited third-party certification organization when requesting and scheduling a CMMC assessment. Self-certification is prohibited. Contractors specify the level of certification they need based on their business requirements. Those who show the appropriate organizational maturity and maturity in capabilities will receive their certification at the appropriate CMMC level.
3. You need level three certification to handle CUI
- Level 1 - Basic cybersecurity hygiene
- Level 2 - Intermediate cybersecurity hygiene
- Level 3 - Good cybersecurity hygiene
- Level 4 - Proactive cybersecurity hygiene
- Level 5 - Advanced and progressive cybersecurity hygiene
In order for contractors to handle or generate CUI, they should have at least a level three certification. This means that contractors who acquire level three certification under the CMMC framework are known to implement all of the NIST SP 800-171 security requirements, have good cyber hygiene to meet most cyberthreats, and are able to keep CUI secure. Contractors with level three certification may face some challenges from advanced persistent threats (APTs).
4. CMMC does not end DFARS
When the DoD released the Defense Federal Acquisition Regulation Supplement (DFARS) for contractors, there was some confusion which led to its slow adoption. This led the DoD to create the CMMC model to help contractors build strong and efficient cybersecurity standards.
However, the release of CMMC does not mean that DFARS will end. In fact, every DoD contractor that stores, processes, and transmits CUI runs the risk of losing their contracts if they fail to comply with the minimum security requirements of DFARS. To be considered DFARS-compliant, a contractor needs to fulfill the requirements of NIST SP 800-171, which involves 110 controls. The CMMC level three certification only requires 20 additional controls on top of the existing DFARS requirements. And thus, DFARS-compliant contractors are already about 85% ready for a CMMC level three certification.
In addition to NIST 800-171, the CMMC model uses cybersecurity best practices found in NIST SP 800-53, ISO 27032, ISO 27001, AIA NAS9933, and more to create an effective standard for cybersecurity. The CMMC model currently has 17 domains, which include:
- Access control
- Asset management
- Audit and accountability
- Awareness and training
- Configuration management
- Identification and authentication
- Incident response
- Media protection
- Personnel security
- Physical security
- Risk management
- Security assessment
- Situational awareness
- Systems and communications protection
- System and information integrity
5. Beware of fake CMMC auditors
The DoD released a memo to the companies within the DIB that they can't obtain a CMMC certification just yet. This is because no auditors are available and that the DoD is currently finalizing the CMMC accreditation board. The CMMC accreditation board will be responsible for training CMMC auditors, which will also be called certified third-party assessment organizations (C3PAO).
Contractors can only be audited and certified once the C3PAOs have been trained. But the DoD doesn't see this happening until summer at the earliest. This is the reason why DoD Under Secretary Ellen Lord warned contractors about companies claiming they can provide CMMC certification.
The CMMC accreditation board has opened the registration for CMMC auditors last June 23, 2020. Applicants have to answer a questionnaire and pay a non-refundable $200 registration fee. The CMMC accreditation board will then select 60 highly qualified cybersecurity auditors who will undergo extensive training before they can conduct initial audits in late 2020 and early 2021.
This slow process does not mean that all DoD contractors can do is wait until the accreditation board is ready to conduct audits. There are a number of ways contractors can ensure success in their upcoming certification.
For instance, building on and strengthening your business’s DFARS compliance can offer a great opportunity to fine tune everything that you are already doing right. And while you may be convinced that you’re already on top of your cyber security, you should still conduct a gap assessment to identify the things that you are doing wrong or should improve upon.
According to one of Charles IT’s CISSP’s Mike Bailie, “many contractors are unaware of the gaps in their security posture, and this is likely going to be the most common reason many will fail the certification and potentially put their contracts at risk. But by identifying these gaps now, contractors will be able to put in place the necessary cyber security solutions required for them to acquire the certification level they desire and secure their contract.”
Charles IT's gap assessment will identify gaps in a contractor's cybersecurity policies, and create a strategy to remediate them so that they'll have no problems obtaining a CMMC certification. Start your gap assessment now!