The Department of Defense is not about to compromise on cybersecurity. In January 2020 it released its Cybersecurity Maturity Model Certification (CMMC) to “enhance the protection of controlled unclassified information.” This article examines the expectations of the CMMC and what it means to defense contractors.
The CMMC standardizes cybersecurity expectations across the defense industrial base (DIB). That includes over 300,000 companies in the supply chain. Drafted with significant industry input, the CMMC aims to reduce cyber threat risks.
Building upon existing regulation, DFARS 252.204-7012, the CMMC adds a verification component with respect to cybersecurity requirements. Contractors already had to implement, monitor and certify their information technology system security. Now the CMMC adds third-party assessments of contractors’ compliance with certain mandatory practices, procedures and capabilities.
“Previously there were a number of different frameworks that applied to a number of different circumstances,” said Allen O’Rourke, co-chair of Robinson Bradshaw’s Cybersecurity and Privacy Practice Group. The framework represents “a more uniform approach.”
In the past, contractors would have self-certified cybersecurity compliance. The new approach involves a third-party assessment. From a legal perspective, the old approach carried more risk, O’Rourke said. However, the new approach is going to require a greater investment of money and energy on the contractor’s part. “This approach is more of a practical undertaking,” he said. “It will frankly be a boon to the third-party cybersecurity consultant industry.”
Why Cybersecurity Maturity Needed
The CMMC version 1 seeks to avoid any further compromises of sensitive DoD information stored on or transmitted by contractors’ information systems.
A July 2019 Inspector General report determined DoD contractors did not consistently implement security controls for safeguarding Defense information.
The report identified deficiencies related to using multifactor authentication and enforcing the use of strong passwords. Plus, identifying and mitigating network and system vulnerabilities was problematic. The report also noted shortcomings in protecting data stored on removable media and documenting and tracking cybersecurity incidents. Issues were also found with overseeing network and boundary protection services provided by a third-party company .
The Inspector General’s findings also raised concerns regarding:
- configuring user accounts to lock automatically after extended periods and unsuccessful logon attempts
- implementing physical security controls
- creating and reviewing system activity reports
- granting system access based on the user’s assigned duties
Understanding the CMMC Framework
Going forward, contractors will be certified at one of five levels reflecting their cybersecurity maturity and reliability:
- Level 1 — the contractor must adhere to “basic cyber hygiene” practices
- Level 2 — contractors document their “intermediate cyber hygiene” practices to begin to protect any CUI
- Level 3 — an institutionalized management plan implementing “good cyber hygiene” practices to safeguard CUI is required of the contractor
- Level 4 — the contractor must have processes in place to review and measure efficacy of their practices to detect and respond to advanced persistent threats (APTs).
- Level 5 — requires standardized and optimized processes and additional enhanced practices across the organization providing more sophisticated capabilities to detect and respond to APTs
The mandatory CMMC requirements are further outlined on a CMMC FAQ.
Cybersecurity Maturity Compliance
Ultimately, the CMMC Framework requires new practices and processes. Katie Arrington, of the Pentagon’s acquisition policy office, has said, ”this is a change of culture.” The chief information security officer added, “it’s going to take time, it’s going to be painful, and it’s going to cost money.”
All DoD contractors, at all supply chain tiers, regardless of size or geography are expected to obtain a CMMC certification. Already, the government has begun to include minimum certification requirements in its requests for bids.
In the end, the level of certification required will vary based on the given contract.
“The different levels are tailored to different needs,” O’Rourke said. “A defense contract may not call for you to be a Level 5 if you are not doing something that is materially sensitive.” In other words, someone hired to work with marketing materials that are going to go public anyway would not need the same certification level as someone doing weapons development.
Nevertheless compliance at any level is going to require contractors to clearly document their cybersecurity practices and procedures. So companies that want to work with the DoD are going to need to make changes. Reviewing or developing compliance programs to facilitate assessment is a start.
From a legal perspective, it will be important for a managed service provider (MSP) to spell out who is responsible for what. Define responsibility in storing, processing and securing data on behalf of a client. Further, MSPs need to think through how legal risks the client faces could come back on them.
Calyptix Can Help
Above all, agility will be key. Viewing certification achievement as an endpoint isn’t going to position the contractor to protect against or respond to evolving threats.
In conclusion, regardless of the CMMC level, contractors can always be looking to expand their cyber resiliency and flexibility.
Calyptix offers an all-in-one solution for network security and management designed for small organizations in need of advanced yet easily implemented and affordable network security. AccessEnforcer version 5.0 adds Geo Fence and Gatekeeper to shrink network exposure and attack vectors, shield ports and systems from malicious actors and implement two factor network authentication. Our UTM Firewall blocks threats like hackers, spam, and malware automatically. The network tools keep your connections fast and reliable. Learn more today!