Hackers are targeting government organizations with increasing frequency, as shown by the U.S. Department of Defense (DoD) data breach that was disclosed on October 4, 2018. Pentagon spokesperson Lt. Col. Joseph Buccino announced that the attackers obtained the personal and credit card information of at least 30,000 military and civilian contractors. The attack exploited vulnerabilities in a third-party system that maintained the travel records of DoD personnel.
This incident shows how difficult it can be to ensure adequate data security when entrusting that data to non-government entities. The federal government is addressing its need to improve the security of its computer networks with solutions that assess, measure and mitigate risk with partners on multiple tiers in real time. For example, DoD contractors will need to obtain Cybersecurity Maturity Model Certification (CMMC) as proof that their computer security meets federal requirements. This program will strengthen the security posture of the U.S. Defense Industrial Base (DIB), which is the supply chain for U.S. armed forces.
The CMMC provides controls across five maturity levels, from basic computer security to advanced measures. Third parties will perform audits on DoD contractors to collect information on their risk management processes and assess their maturity level. This effort will focus on the safety and readiness of third-party systems, which has been historically difficult to control.
The DoD will include CMMC requirements in requests for information (RFIs) beginning in June 2020. Requests for proposals (RFPs) will specify their CMMC requirements beginning in September 2020. In particular, RFPs will specify the CMMC level they require from contractors in Sections L and M.
The CMMC framework is based on the Cyber Security Model, which the United Kingdom’s Ministry of Defense uses for its contracts. However, the CMMC also incorporates many requirements from National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, which specifies the current standards for a government contractor’s security posture in the U.S. Furthermore, the CMMC includes portions of other standards related to computer security such as Air Intelligence Agency (AIA) NAS9933, International Organization for Standardization (ISO) 270001, ISO 27032 and NIST SP 800-53. In addition to these standards for computer security, the CMMC also includes requirements from the Federal Risk Authorization Management Program (FedRAMP) and Defense Federal Acquisition Regulation Supplement (DFARS). The CMMC thus provides a unified maturity model for the U.S. government.
Maturity Levels for NIST 800-171 Compliance
NIST SP 800-171 already requires defense contractors handling Controlled Unclassified Information (CUI) to implement 110 security controls. However, it only allows for contractors to assess themselves, which lacks auditing and accountability measures for protecting CUI. This shortcoming is one of the driving factors in the development of CMMC, which will require contractors to demonstrate their capabilities, controls and processes to third-party assessors and certifiers.
CMMS recognizes five maturity levels, with Level 1 being the lowest level of maturity and Level 5 being the highest. CMMC Level 1 is also known as Basic Cyber Hygiene and includes 17 of the security controls from NIST SP 800-171 rev 1. CMMC Level 2, or Intermediate Cyber Hygiene, includes 46 controls from NIST SP 800-171 rev 1. CMMC Level 3, or Good Cyber Hygiene, includes 47 controls from NIST SP 800-171 rev 1. Together, the first three CMMC maturity levels include all 110 security controls in NIST SP 800-171 rev 1.
The next two maturity levels incorporate security controls from NIST SP 800-171B, which is still in draft form. This version of NIST SP 800-171 updates the protection measures for CUI in non-federal organizations and adds new requirements for protecting critical programs with high-value assets. CMMC Level 4, or Proactive, includes 26 controls from NIST SP 800-171B. CMMC Level 5, or Advanced/Progressive, includes 4 controls from NIST SP 800-171B.
This tiered approach allows companies to conduct business with the government without requiring them to have more security controls than the work actually requires. Companies only need to obtain the CMMC level they need, making this process more affordable. Certification expenses will also be a reimbursable cost in DoD contracts requiring CMMC.
- Contractors won’t be able to retain a DoD contract if they don’t have the CMMC level required by that contract.
- CMMC certification will be an allowable cost in DoD contracts, meaning contractors can obtain reimbursement for the costs of becoming certified.
- CMMC includes five levels of data security, with progressively higher requirements. Each contract will specify the CMMC level it requires, allowing contractors to implement only the security measures needed by the contract. The security practices of DoD contractors will be rated on a scale of 1 to 5, whether they handle CUI or not.
- A third-party auditor will certify the CMMC security level for the information systems of DoD contractors. The primary purpose of this requirement is to correct the ongoing problem of contractors self-certifying their security compliance without implementing the necessary security controls or even understanding them.
- The DoD will develop a tool that will allow certifiers to collect metrics during the audits. The DoD will also assess contractors’ compliance with DFARS and NIST to ensure they’re handling CUI properly.
- CMMC creates a single standard for computer security across all DoD contracts.
The goal of CMMC is to improve the security posture of all contractors throughout the multi-tiered DIB supply chain in the United States. It will verify that contractors exercise the appropriate level of control over their security processes for protecting CUI on their networks as well as those of their partners and sub-contractors. Auditors will evaluate contractors and assign them a CMMC maturity level, and contracting officers will use the same system to specify the maturity level for their contracts. The U.S. government will initially implement the CMMC model in DoD contracts, but it will probably apply CMMC to other agencies over time. Analysts consider CMMC to be a well-thought-out solution for enforcing DFARS requirements, while still allowing small businesses to continue as government contractors.