The Department of Defense (DoD) is serious about significantly improving the cybersecurity posture of everyone involved in the Defense Industrial Base supply chain. On August 30, 2019, the Cybersecurity Maturity Model Certification (CMMC) draft was published and opened for its public comment period. According to the timeline, CMMC Rev 1 will be issued in January 2020 and will be required in RFPs by the fall of 2020. The CMMC will replace the current system for DFARS certification, which is a self-assessment process without third-party auditing.
On the heels of DFARS (learn about DFARS compliance here), the DoD is continuing its efforts to implement universal cybersecurity standards for the DoD supply chain, covering any entity with which it shares sensitive information, including vendors at the earliest steps of the acquisition process.
The CMMC builds on DFARS and is designed to be “a unified cybersecurity standard for DoD acquisitions to reduce exfiltration of Controlled Unclassified Information (CUI) from the Defense Industrial Base (DIB).” It combines various cybersecurity standards and “best practices,” and maps those practices and processes across several maturity levels that range from basic cyber hygiene to advanced. For a given CMMC level, implementing the associated practices and processes reduces the organization's exposure to a corresponding set of cyber risks.
The stated goal of the CMMC is to be, “cost-effective and affordable for small businesses to implement at the lower CMMC levels,” with the intent to have third-party organizations conduct audits and inform risk.
At the top level, the framework covers 18 domains:
- Access Control
- Asset Management
- Awareness and Training
- Audit and Accountability
- Configuration Management
- Cybersecurity Governance
- Identification and Authentication
- Incident Response
- Media Protection
- Personnel Security
- Physical Protection
- Risk Assessment
- Security Assessment
- Situational Awareness
- System and Communications Protection
- System and Information Integrity
Each domain is assessed based on practices (activities performed at each level) and processes (the level of maturation for each practice). Separating the two lets vendors show they have at least “institutionalized” the necessary processes (have plans, policies and procedures to manage the environment where CUI resides), even if their “practice” score falls a little short at the time of assessment.
Both practices and processes are assessed across five levels, with Level 1 being the most basic and Level 5 the most advanced. Hence, a low-level vendor could be certified at Level 1; this might be a supplier of components or base materials. Machine shops and job shops might be certified at Level 2 or 3. The closer a company is to the final product, the higher the certification level required.
Practices and Processes by Maturation Level
| Level | Description of Practices | Description of Processes |
|---|---|---|
| 1 | | Practices are performed, at least in an ad-hoc manner |
| 2 | | Practices are documented |
| 3 | | Processes are maintained and followed |
| 4 | | Processes are periodically reviewed, properly resourced, and improved across the enterprise |
| 5 | | Continuous improvement across the enterprise |

*Table from Draft CMMC Model Rev 4 Release & Request for Feedback, Under Secretary of Defense for Acquisition and Sustainment, 8/30/19*
Using a uniform level-tiered system streamlines certification in a way that will allow small businesses to focus their efforts and resources (costs, manpower, time, etc.) appropriately.
This fourth draft of the CMMC is now open for public comments (as of August 30, 2019). Comments are due by 5 p.m. September 25, 2019.
The department is looking for feedback on four questions:
- What do you recommend removing or de-prioritizing to simplify the model and why?
- Which elements provide high value to your organization?
- Which practices would you move or cross-reference between levels or domains?
- In preparation for the pending easy-to-use assessment guidance, what recommendations might you have to clarify practices and processes?