The US Department of Defense (DoD) supply-chain has been under attack. This year’s ransomware events such as the ones faced by a US Maritime base that brought cameras, door-access control systems and critical monitoring system down for 30 hours, and defense suppliers such as CPI, EWA, Westech International, Garmin, ST Engineering, Visser, Kimchuk, etc. serve as a warning to all organizations. Organizations of all types and sizes in the Defense Industrial Base (DIB) have faced cyber-attacks. In fact, enterprises like DMI that provide managed IT and cybersecurity services to organizations like NASA and fortune 100 companies have also been breached. Cybersecurity vulnerabilities and intrusions pose major risks to the DoD and its supply chain in forms of business disruptions, national security and trust in the government and companies. According to IBM, cyberattacks against industrial targets doubled in 2019. These events reinforce the DoD’s decision of requiring compliance to Cybersecurity Maturity Model Certification (CMMC).
While cybersecurity requirements have been a part of the defense procurement process in form of the NIST 800-171 compliance for some time now, CMMC compliance standardizes the adherence to cybersecurity requirements with more comprehensive practices and higher degrees of maturity as highlighted in the following sections.
The NIST 800-171 requirement mandated self-assessment and self-attestation of compliance. On the other hand, CMMC requires a 3rd party auditor to certify that an organization has met the requirements outlined for the business. The certification will be valid for 3 years. CMMC Accreditation Body (CMMC-AB), a non-profit organization, is chartered to develop training, audit and certification standards for the auditors. The entity is in process of releasing the provisional class of accredited auditors (C3PAO).
An organization will have to comply to one of the 5 levels depending on the exposure of Federal Contract Information (FCI) and/or Controlled Unclassified Information (CUI). The higher the level, the more cybersecurity practices and higher degree of maturity of those practices in the organization are required.
CMMC compliance requires institutionalization of up to 171 practices, about 55% more than NIST SP 800-171, across 17 different business areas with appropriate level of cross-functional engagement and governance. CMMC incorporates practices from NIST SP 800-171, the UK’s Cyber Essentials, Australia’s Cyber Security Centre Essential Eight Maturity Model, the Aerospace Industries Association’s NAS9933, and others.
The maturity requirement is often not well understood by organizations. It isn’t sufficient to institutionalize a practice; the organization has to demonstrate an appropriate level of excellence at the practice. For example, Level 1 requires that an ad-hoc use of the practice whereas Level 3 requires an appropriate level of resources and plan in place for the practice. An organization requiring Level 4 of compliance will have to have quantitative measures for the practices in place and frequent reviews of the performance by the management team. This requires continuous gap assessment, timely remediation, and governance in a programmatic approach.
Who needs to comply and at what level?
All organizations in the DoD direct and extended supply-chain (DFARS flow-down) that are exposed to FCI and/or CUI will have to comply to CMMC. An organization that is only exposed to FCI will only need to comply at Level 1 requirements. On the other hand, an organization that is exposed to DoD sensitive CUI will have to protect CUI and reduce risk of advanced persistent threats.
Level 1: Basic Safeguarding of FCI
Level 2: Transition Step to Protect CUI
Level 3: Protecting CUI
Level 4-5: Protecting CUI and reducing risk of Advanced Persistent Threats
All organizations can benefit from having a higher degree of process maturity in cybersecurity practices from the enterprise risk management perspective.
The CMMC requirements are expected to be in RFPs from the fall of 2020 and actual clauses to be in the contracts starting from winter/spring 2021. The estimated timeline is summarized in the following figure.
All organizations seeking certification by winter/spring of 2021 should start gap assessment process against the CMMC requirements now, remediate the gaps, and demonstrate process maturity to gain certification. Starting early would allow an organization to gain certification in a timely manner. Organizations are highly recommended to take a programmatic approach and be intimately involved in the compliance process because of the breadth and depth of the requirements. CMMC compliance will not only help an organization win new defense business but also help in enhancing overall security and risk management in the organization.
We, at ResiliAnt, continue to hold no-obligation webinars to increase awareness about CMMC, its requirements, and cybersecurity in general. We offer an easy-to-use platform that organizations can use to ensure compliance with CMMC and manage their cybersecurity related risks in a very cost-effective manner. To attend our webinars or learn more about our platform, email us at info@ResiliAnt.co.