THE U.S. DEPARTMENT OF DEFENSE TAKES A NEW APPROACH TO CYBERSECURITY REQUIREMENTS
What is CMMC?
Cybersecurity Maturity Model Certification (CMMC) is a new cybersecurity standard and a requirement soon to be seen in contracts from the U.S. Department of Defense (DoD). It will affect the DoD's entire supply chain, including all tiers of subcontractors and those located outside the United States. All organizations in the Defense Industrial Base (DIB), including universities and other federally funded research centers, will be required to obtain the new certification; the DIB is estimated to include 300,000 entities.
The Purpose of CMMC
The leader most closely identified with CMMC is Katie Arrington, the Chief Information Security Officer (CISO) for Acquisition & Sustainment (A&S) at the DoD. “Our adversaries are working hard every day to exfiltrate, hack, and breach our supply chain,” she said in a keynote in February 2020. “CMMC is about creating critical thinking skills for Cybersecurity, and not another checklist.”
“Ultimately, all of you are the base of our national defense. You are the reason we are here,” said Arrington at a May 2020 event hosted by the CMMC Accreditation Body (CMMC-AB). “The Department of Defense doesn’t build a thing. We buy. We contract with you. You’re our national defense. Our adversaries aren’t taking a knee during this time (of the pandemic), in fact, they’ve been extraordinarily aggressive. If there was ever a time and place in our collective history that we needed to stand up and come together, and move forward on this, it’s now. Cultural change generally takes a catalyst to happen.”
Comparing CMMC to Current Requirements
A summary of the current DoD cybersecurity requirements with a comparison to the CMMC framework is shown in Table 1.
Governance, Framework, and Standards
CMMC is a U.S. Department of Defense program. The CMMC-AB is the sole oversight body authorized by the DoD to operationalize CMMC assessments and training, which are essential to meeting the goal of scaling across the entire DIB. The CMMC-AB is a non-profit organization under contract with the DoD. A key requirement of that agreement is that the AB must become ISO/IEC 17011:2017 certified. The DoD has also stipulated that subcontractors which conduct authorized assessments must achieve ISO/IEC 17020 certification.
While the DoD does not own standards, it does create and maintain the CMMC model. By defining CMMC as a model, not a standard, the DoD retains the right to update it as required to address the dynamic changes in the cyber threat landscape and the DIB threat surface. This enables the model to draw on respected resources as needed to identify and define controls.
The CMMC framework is a combination of various cybersecurity standards and best practices, with NIST SP 800-171 as the foundation. The maturity practices rely primarily on the CERT Resilience Management Model (CERT-RMM) from the Software Engineering Institute (SEI) at Carnegie Mellon University. In addition to NIST standards and the NIST Cybersecurity Framework (CSF), the model also references the U.K. National Cyber Security Centre (NCSC) Cyber Essentials, the Australian Cyber Security Centre (ACSC) Essential Eight, and numerous controls from the Center for Internet Security (CIS), a nonprofit cyber defense organization that draws professional expertise from around the world.
“Any standard that requires your organization to maturely document, implement, and manage an ongoing cybersecurity program will be incredibly useful in passing a CMMC assessment, regardless of who wrote it,” Ryan Bonner posted on LinkedIn in January 2021. Bonner, a respected compliance consultant, is among the first 100 provisional assessors approved by the CMMC-AB.
What Is the CMMC Timeline?
The widely publicized full implementation date for CMMC is October 1, 2025, the beginning of the 2026 fiscal year for the U.S. government. At that time, all new DoD contracts and contract extensions are expected to require CMMC certification to be in place prior to the award.
A methodical rollout is forecast for CMMC itself, as shown in Table 2. The rollout is intended to test the process while allowing time to create the considerable infrastructure needed to make it work, and its pace is controlled by Katie Arrington’s office: only contracts which that office approves may include the requirement language.
Urgent and Compelling Circumstances
While the wheels of regulation usually turn slowly, and CMMC does not go into full effect until 2025, Katie Arrington and her team surprised many DoD watchers in September 2020 by publishing an Interim Rule which made some new requirements effective November 30th, a mere 60 days later.
The unusual acceleration of the rule was made possible by declaring “urgent and compelling circumstances.”
The case presented for urgency is the enormous gap between the significant losses being incurred by cybercrime and the lack of readiness prevalent among DoD subcontractors. Among the facts cited are the following:
- Cyber theft of intellectual property and sensitive information from all U.S. industrial sectors is estimated at $570 billion to $1.09 trillion over 10 years.
- Surveys of DoD contractors and subcontractors show awareness and implementation of existing cybersecurity requirements, some in place since 2013, as low as 36-54%.
Highlights of the Interim Rule
The Interim Rule is intended to bridge the gap between cyber losses and readiness, and to remove complacency about current requirements until CMMC arrives. Its highlights are:
- Define a mechanism for reporting results of self-assessment for compliance with existing requirements beginning November 30, 2020, before award of new and extended contracts
- Increase the visibility of prime contractors’ accountability for flow down requirements to their subcontractors
- Announce the contract language for the new CMMC framework and the rollout plan
- Summarize the plan to scale assessment capability via the CMMC-AB
Who Is Impacted?
While the U.S. is clearly the epicenter of this change, there are immediate global implications, since many companies outside the U.S. hold DoD contracts or subcontracts. For example, Saab, based in Sweden, has a history of many contracts with the DoD and, judging by its participation in various public forums focused on compliance with these requirements, is probably in a strong position of readiness.
Research indicates that not all companies are equally prepared. A report from Sera-Brynn says overall implementation numbers are improving, from 39% in 2019 to 53% in 2020, but a clear gap remains for smaller companies, with those under $50 million in revenue struggling the most. Industry differences are another factor: manufacturing, aerospace, and technical equipment suppliers are well ahead, while construction and professional services firms are at the back of the pack.
PECB, an Early Leader in CMMC Training Materials
PECB is among the first 16 Licensed Partner Publishers (LPP) authorized by the CMMC-AB to create materials to train assessors. Enormous emphasis is being placed on consistent outcomes across assessments, starting with consistent quality of the training materials.
Katie Arrington believes CMMC “will become a federal standard for the whole of government very rapidly.” Indeed, an official from the Department of Homeland Security (DHS) said “it’s likely that civilian agencies will naturally benefit from CMMC implementation. Due to that overlap, we aim to harmonize our cybersecurity approaches as much as possible.” Meanwhile, the U.S. General Services Administration (GSA) has mentioned CMMC requirements in two contracts worth $50 billion and $15 billion, respectively. Arrington sees an even bigger future, saying, “I think the CMMC will become the basis for a global cybersecurity standard.”