CMMC: Cybersecurity Standards and Contractor Certifications

The DOD (Department of Defense), or more specifically the Office of the Assistant Secretary of Defense for Acquisition, began the process of creating the Cybersecurity Maturity Model Certification (CMMC) in March 2019.

The CMMC has been under development through a collaborative effort with Johns Hopkins University Applied Physics Laboratory, Carnegie Mellon University Software Engineering Institute, the Defense Industrial Base Sector Coordinating Council (DIB SCC), and the Office of Small Business Programs.  Together they have issued a long-awaited cybersecurity standard in draft form for contractors who work with the Pentagon’s sensitive data.  Industry associations such as the National Defense Industrial Association (NDIA), the Aerospace Industries Association (AIA), and the Professional Services Council (PSC) have also contributed support and industry input.


Version 0.4 of the Cybersecurity Maturity Model Certification (CMMC) is now live.

The CMMC 0.4 cybersecurity standard provides contractors with a new “roadmap” of the cybersecurity standards they will need to adopt and be certified against if they want to pursue DOD contracts that handle or process controlled but unclassified information.  Ultimately, the CMMC effort is designed to secure the DOD’s large and complicated cyber and IT supply chains, from the largest prime contractors down to the smallest sub-contractors.

The new CMMC framework addresses 18 domains, described as “key sets of capabilities for cybersecurity,” that were outlined in a slide deck distributed by the Office of the Assistant Secretary of Defense for Acquisition.  See the link below and the image of the OSD website (with embedded link).  These domains include areas such as access control, governance, incident response, and risk assessment.

Each domain is then assessed based on practices, or “activities performed at each level,” as well as the processes engaged “at the level of maturity” for each practice within an organization.  By separating these two criteria into distinct categories, DOD contractors (primes and subs) can demonstrate that they have institutionalized these “processes,” even if they do not exactly match or score points on any of the “practices” at the time of assessment.  The result is a five-tier scoring model, with each tier tied to a certain level of cybersecurity assurance.  Both practices and processes are reviewed and evaluated across five basic levels, ranging from basic through advanced and optimized.


The Need for Standards and Certification:

Ellen Lord, the undersecretary for acquisition and sustainment at DOD, said at a recent press briefing that the model’s inclusion in department contracts will be a “go/no go decision.” CMMC, she explained, “establishes security as the foundation to acquisition, and combines the various cybersecurity standards into a unified standard.”

Creating these cybersecurity standards and pushing for certification of both prime and sub-contractors has been a top priority for the DOD in recent years.  Earlier in 2019, Dana Deasy (the DOD CIO) explained that tier-one prime contractors are not the biggest concern. “It’s down when you get to the tier-three and the tier-four” subcontractors.  “Where the issue breaks down is that as you go down to those various subcontractors, do they understand, [are they] equipped, have the knowledge and the capabilities to defend themselves, and what is it we should be doing more to help them learn how to defend themselves at those tiers?” Deasy said.

In 2017, the DOD introduced regulations that required all contracting vendors who do business with the department to guard and protect “covered defense information” that is transmitted to or stored in DOD systems or networks for contracted work.

Katie Arrington, the defense official in charge of the CMMC rollout, emphasized the need for industry feedback in June as part of her “listening tour” in developing the standards.  Speaking at a recent Professional Services Council conference, she said, “it’s not a ‘me’ thing, it is a ‘we’ thing.”  She also said that “The vast majority of DOD contractors have ad hoc and inconsistent cybersecurity practices.”  “We should be infuriated about what has happened to our data,” she concluded.


Current Status of Draft Standard:

The CMMC model is currently in its fourth draft, which the department released for public comment on Wednesday, Sept 4, 2019.  DOD expects to be working on the sixth draft by November 2019 and plans to issue the first release of the final version in January. The defense contracting community will have some additional time to review and comment on these new rules through. Defense offices that publish RFPs will be expected to include certification requirements in their requests for information by June 2020 and in all official solicitations by the fall of 2020.

The draft represents an early stage of development of the new standards, and the DOD is requesting feedback, according to information published on the model at an informational website located here: https://www.acq.osd.mil/cmmc/draft.html


The DOD’s Office of the Under Secretary of Defense for Acquisition & Sustainment is taking feedback on the first draft (0.4) of the CMMC through Sept. 25, 2019, with the goal of issuing another draft (0.6) sometime in November.


How you can participate and provide comments on our online NCX CMMC Comment Form:

The CMMC model and best-practices specification will continue to be updated over the next several months with the collaboration of all stakeholders and input from the general public.  The goal is to arrive at a final version, “v1.0,” by January 2020.

The NCX and the DIB ISAC welcome your input and comments and have set up a special online “intake form” to enable you to provide comments and feedback on version 0.4 of the CMMC standard.  We will compile and aggregate your comments together with others and submit them to the DOD as an industry group representing NCX and DIB ISAC members.

We will also keep the CMMC Comment form online, as we anticipate participating in and providing comments on Draft CMMC Model v0.6 when it is released for public review in November 2019.

Please take a few minutes to provide your comments on the CMMC Comment form at this URL:

https://nationalcyber.org/cmmc-comment-form

Please provide your comments no later than September 25th, 2019, by 12:00 Noon (EDT) to allow us time to submit all final comments to the DOD by the close of business the same day.

The documents available for review include an overview briefing, the draft model, and a comment matrix.  Visit https://www.acq.osd.mil/cmmc/draft.html to download the files.
