The Department of Defense is establishing a new approach that it expects its contractors and sub-contractors to use for measuring cybersecurity maturity. This is meant to help reduce risk and mitigate many of the challenges observed in implementing existing security and compliance regulations across the defense industrial base. Our review of this new development leaves us optimistic that it is a positive change. Here is what you need to know:
A new method of evaluating companies, known as the Cybersecurity Maturity Model Certification (CMMC), includes many widely used and relevant control frameworks and security solutions. But it brings these familiar elements together in a smart way that can be measured and used to continuously improve security posture, hopefully in economical ways.
Short version of the change
CMMC is a way of measuring compliance with existing regulations.
Background on CMMC
This activity builds on previous DoD work, so it contains few surprises for those who have tracked the community closely. It flows directly from work the Department did with MITRE on supply chain security (see: Deliver Uncompromised).
DoD has long wanted contractors and sub-contractors to do more regarding security and has even put regulations into the acquisition rules (DFARS) that spell out minimum standards to be followed. DFARS rules also spell out when notifications must be made after a breach occurs and how forensic evidence will need to be collected and analyzed. There are also NIST standards that must be followed as part of these DFARS regulations.
But this new assessment adds a way of measuring compliance and the overall maturity of a cybersecurity posture. By measuring maturity with repeatable metrics, business and government will be able to make resource decisions on where to focus their security efforts, and the government will be able to make more informed decisions on whom to buy from.
CMMC Overview
DoD has provided a graphic overview of how this construct can look. For example, the thermometer chart below implies that very few firms are currently at the highest levels of maturity, while the majority are at lower levels and vulnerable to most threats:
Other points made by DoD include:
- DoD is working with Johns Hopkins University Applied Physics Lab (APL) and Carnegie Mellon University Software Engineering Institute (SEI) to review and complete this approach, including ensuring that various cybersecurity standards are mapped into one unified approach for the defense industrial base.
- The CMMC levels will range from basic hygiene to state of the art. The levels will also capture both security control and the institutionalization of processes that enhance cybersecurity for DIB companies.
- The required CMMC level (notionally 1 to 5) for a specific contract will be contained in the RFP sections L&M for contracts.
- CMMC is expected to be semi-automated and cost effective. Even small businesses are expected to be at least CMMC level 1.
- The CMMC model is expected to be agile enough to adapt to emerging cyber threats to the DIB.
- The CMMC will include a center for cybersecurity education and training.
- The CMMC will include the development and deployment of a tool that 3rd party certifiers can use to conduct audits, collect metrics, and inform risk mitigation.
What does this mean for your business?
- This is an assessment and certification program, which means it will involve compliance checking and auditing to ensure that firms are in compliance (businesses will no longer be able to self-certify that they are compliant).
- Security professionals have long known that compliance does not equal security, and this will remain true here. So businesses should comply, but understand that there is a continued need to track the latest threats and remain agile in defending the business.
- Since this is an assessment and certification program, it will add to the cost of doing business with the government. Those costs are expected to be passed back to the government, which will, of course, pass them on to the taxpayer. But the objective is for this to result in fewer compromises, requiring less cleanup and saving money in the long run.
- A draft of the framework is being provided to industry and a roadshow is being planned to provide industry-day type events to solicit feedback. This will result in a first iteration being released by January 2020.
- The time to prepare for CMMC is now. To do so, you should familiarize yourself with the DFARS security requirements, which include the requirements to have a security plan in place. Businesses will also need to ensure compliance with appropriate NIST standards (especially NIST 800-171).
About the Author
Bob Gourley
Bob Gourley is an experienced Chief Technology Officer (CTO), Board Qualified Technical Executive (QTE), author and entrepreneur with extensive past performance in enterprise IT, corporate cybersecurity and data analytics. He is CTO of OODA LLC, a unique team of international experts that provides board advisory and cybersecurity consulting services. OODA publishes OODALoop.com. Bob has been an advisor to dozens of successful high tech startups and has conducted enterprise cybersecurity assessments for businesses in multiple sectors of the economy. He was a career Naval Intelligence Officer and is the former CTO of the Defense Intelligence Agency.