September 12, 2019

DFARS CMMC Draft has been released.

Attention DoD Vendors: CMMC Officially on Deck – DoD Cybersecurity Maturity Model Certification Draft is Out and Currently Scheduled to Take Effect in 2020

The Department of Defense (DoD) is serious about significantly improving the cybersecurity posture of everyone in the Defense Industrial Base supply chain. On August 30, 2019, the Cybersecurity Maturity Model Certification (CMMC) draft was published and opened for public comment. According to the published timeline, CMMC Rev 1 will be issued in January 2020 and will be required in RFPs by the fall of 2020. The CMMC will replace the current DFARS compliance model, under which contractors self-assess against the required controls with no third-party audit.

On the heels of DFARS (learn about DFARS compliance here), the DoD is continuing its efforts to implement a universal cybersecurity standard across the DoD supply chain, covering any entity with which it shares sensitive information, including vendors at the earliest steps of the acquisition process.

The CMMC builds on DFARS and is designed to be “a unified cybersecurity standard for DoD acquisitions to reduce exfiltration of Controlled Unclassified Information (CUI) from the Defense Industrial Base (DIB).” It combines various cybersecurity standards and “best practices,” and maps those practices and processes across several maturity levels that range from basic cyber hygiene to advanced. A company that implements the practices and processes associated with a given CMMC level reduces its exposure to the set of cyber threats that level is designed to address.

The stated goal of the CMMC is to be, “cost-effective and affordable for small businesses to implement at the lower CMMC levels,” with the intent to have third-party organizations conduct audits and inform risk.

At the top level, the framework covers 18 domains:

  • Access Control
  • Asset Management
  • Awareness and Training
  • Audit and Accountability
  • Configuration Management
  • Cybersecurity Governance
  • Identification and Authentication
  • Incident Response
  • Maintenance
  • Media Protection
  • Personnel Security
  • Physical Protection
  • Recovery
  • Risk Assessment
  • Security Assessment
  • Situational Awareness
  • System and Communications Protection
  • System and Information Integrity

Each domain is assessed on two axes: practices (the activities performed at each level) and processes (how mature and institutionalized each practice is). Separating the two gives vendors the ability to show they have at least “institutionalized” the necessary processes (plans, policies and procedures to manage the environment where CUI resides), even if their “practice” score falls a little short at the time of assessment.

Both practices and processes are assessed across five levels, with Level 1 the most basic and Level 5 the most advanced. A vendor far down the supply chain, such as a supplier of components or base materials, might therefore be certified at Level 1. Machine shops and job shops might be certified at Level 2 or 3. The closer a company is to the final product, the higher the certification level likely to be required.

Practices and Processes by Maturation Level

Level 1
  Practices:
  • Basic cybersecurity
  • Achievable for small companies
  • Subset of universally accepted common practices
  • Limited resistance against data exfiltration
  • Limited resilience against malicious actions
  Processes: Practices are performed, at least in an ad hoc manner

Level 2
  Practices:
  • Inclusive of universally accepted cybersecurity best practices
  • Resilient against unskilled threat actors
  • Minor resistance against data exfiltration
  • Minor resistance against malicious actions
  Processes: Practices are documented

Level 3
  Practices:
  • Coverage of all NIST SP 800-171 Rev 1 controls
  • Additional practices beyond the scope of CUI protection
  • Resilient against moderately skilled threat actors
  • Moderate resistance against data exfiltration
  • Moderate resistance against malicious actions
  • Comprehensive knowledge of cyber assets
  Processes: Processes are maintained and followed

Level 4
  Practices:
  • Advanced and sophisticated cybersecurity practices
  • Resilient against advanced cyber threat actors
  • Defensive responses approach machine speed
  • Increased resistance against and detection of data exfiltration
  • Complete and continuous knowledge of cyber assets
  Processes: Processes are periodically reviewed, properly resourced, and improved across the enterprise

Level 5
  Practices:
  • Highly advanced cybersecurity practices
  • Reserved for the most critical systems
  • Resilient against the most advanced cyber threat actors
  • Defensive responses performed at machine speed
  • Machine-performed analytics and defensive actions
  • Resistant against, and detection of, data exfiltration
  • Autonomous knowledge of cyber assets
  Processes: Continuous improvement across the enterprise

*Table from Draft CMMC Model Rev 4 Release & Request for Feedback – Under Secretary of Defense for Acquisition and Sustainment 8/30/19

A uniform, tiered system streamlines certification and lets small businesses focus their efforts and resources (costs, manpower, time, etc.) on the level appropriate to their role in the supply chain.

This fourth draft of the CMMC is now open for public comments (as of August 30, 2019). Comments are due by 5 p.m. September 25, 2019.

The department is looking for feedback on four questions:

  • What do you recommend removing or de-prioritizing to simplify the model and why?
  • Which elements provide high value to your organization?
  • Which practices would you move or cross-reference between levels or domains?
  • In preparation for the pending easy-to-use assessment guidance, what recommendations might you have to clarify practices and processes?