At the end of last year the Department of Defense (DoD) issued six guidance memoranda aimed at assisting acquisition personnel in developing what has been described as “effective cybersecurity strategies to enhance existing protection requirements.” This included a mandate for the Defense Contract Management Agency to ensure that cybersecurity compliance will be part of a contractor’s purchasing system audit and approval process.
Among the changes is the new Cybersecurity Maturity Model Certification (CMMC), which will replace the self-attestation model and move towards third-party certification. It will require all defense contractors and subcontractors to undergo a third-party assessment of their internal cybersecurity technical practices and process maturity against published standards.
The final version of CMMC is set to be published by the end of January. The certification will be built on existing requirements such as NIST SP 800-171, NIST SP 800-53, AIA NAS9933, private sector contributions, and input from academia. An independent accrediting body will soon begin training the auditors.
“Industry partners and vendor supply chains are an ongoing cybersecurity concern for the federal government and the DoD in particular,” explained Rosa Smothers, senior VP of cyber operations at KnowBe4.
“The DoD has been increasingly focused on supply chain risk management and the CMMC model will provide greater assurance to the DoD’s Defense Industrial Base by ensuring good cyber hygiene throughout the supply chain,” Smothers told ClearanceJobs. “This is a welcome extension to NIST and the DoD’s cloud computing Security Requirements Guide (SRG); like the SRG and FedRAMP, this model isn’t just a series of ‘nice to haves’ but clearly defined preconditions that will require certification through a 3PAO. From a security perspective, I’d love to see a standardized approach throughout our federal government akin to FedRAMP.”
Roadmap for Contractors
CMMC could put all government contractors on a cybersecurity road to the future.
“A maturity model is both natural and appropriate,” said Jim Purtilo, associate professor of computer science at the University of Maryland. “Today’s contractors employ all manner of practices in either developing applications or securing facilities, ranging from one-off ad hoc (we might say ‘odd hack’) defenses to disciplined defense in depth. This is because each company has been on its own. CMMC gives contractors a road map for upping their game yet without having to reinvent the wheel. At the same time it will give DoD a cost-effective way to vet prospective suppliers.”
However, metrics will need to flow naturally from the CMMC.
“If we aren’t measuring something then we’re not improving,” Purtilo told ClearanceJobs. “Guesses and good intentions won’t cut it. The idea is to have an objective indicator of when one or another practice will bring us to a better security posture.”
The CMMC requirement is already having an impact in the federal contractor community.
“Similar to Capability Maturity Model Integration (CMMI) and International Organization for Standardization (ISO) certifications, CMMC compliance will force organizational maturity and ensure the institutionalization of cybersecurity practices and processes,” suggested James Christopher, executive vice president for operations and engineering at the 1901 Group.
“The challenge is that CMMC certifications are poised to rapidly become go/no-go requirements for Defense Department solicitations within fiscal 2020, which doesn’t provide the contractor community with a lot of time to react and obtain the required certifications,” Christopher told ClearanceJobs. “CMMC will require commitment and investment to achieve compliance and obtain certification, which will be more difficult for firms that don’t already have a solid cybersecurity foundation.”
In addition, contractors who are unable to achieve certifications in a timely fashion will be unable to compete for DoD contracts and task orders.
“This will also impact teaming strategies, if CMMC requirements flow down to subcontractors,” added Christopher. “All signs are pointing to a possible shake up in the Defense Department contracting community, as firms who are well positioned with respect to CMMC will also be well positioned for additional contract growth, while the reverse is true for firms who are unable to rapidly meet CMMC requirements.”
Certification Levels Explained
The new CMMC will feature several levels of certification. The DoD has stated that all contractors and subcontractors – including commercial item subcontractors – at any level of the defense supply chain will need to be certified at a minimum of Level 1 in order to be eligible to receive DoD-funded contracts and agreements.
“The CMMC is an important step in managing the risk of third parties in government agencies,” said Mike Jordan, vice president of research at The Shared Assessments Program.
“If you read the number of reference documents that informed this certification, it’s apparent that it would be very hard for government contractors to figure out what’s required of them,” Jordan told ClearanceJobs. “The CMMC will help make requirements clear for these third parties.”
CMMC will also give government agencies guidance for implementing third-party risk management for their contractors, let them more easily decide the rigor required for the services they want to outsource, and communicate those requirements to any third parties that wish to provide the services.
“The Level 1 compliance requirements are not particularly difficult to meet,” added Jordan. “It appears that a simple questionnaire would be all that’s necessary to meet those requirements.”
Jordan broke down the subsequent levels for ClearanceJobs:
Level 2 takes a big step up in effort and cost, as it requires documented policies, practices and plans that demonstrate how the policies will be enforced.
While Level 2 could be achieved with temporary consulting resources, Level 3 requires testing of the practices and will require more investment in permanent security resources, including a management resource.
Level 4 requires a significant increase in cybersecurity skills and experienced management. Advanced cybersecurity activities and significant measurement are required.
Level 5 is not that different from Level 4, but requires a more sophisticated governance and evidence that the program has continuous improvement and a plan that can articulate its intended evolution in response to developing threats.
“With this shared understanding of requirements, government agencies will be able to better engage securely with outsourcers,” he added. “Management will be able to assess the risk around their data and select an appropriate maturity level for their service provider. Service providers will be able to demonstrate their adherence to these requirements in a standardized manner.”
These requirements will also increase the need for cybersecurity talent at the mid and higher levels.
“It will also introduce the need for independent audit or assessment firms that can certify third parties to these requirements, as well as help aspiring government contractors build up their cybersecurity capabilities as required by CMMC,” said Jordan.
“DoD won’t get there overnight,” added University of Maryland’s Purtilo.
“The new CMMC defines a starting point, and just as with the software engineering history, I think it will take some time for best practices to emerge,” Purtilo explained. “In the near term we’ll still see shops with lower maturity overcome issues that plague shops of greater maturity, and likewise the marketplace might not be kind to shops that pay the cost for a benefit of greater maturity. I predict it will take a little shaking out, but it’s great that we’re getting under way.”