The Department of Defense is not about to compromise on cybersecurity. In January 2020 it released its Cybersecurity Maturity Model Certification (CMMC) to “enhance the protection of controlled unclassified information.” This article examines the expectations of the CMMC and what it means to defense contractors.
The CMMC standardizes cybersecurity expectations across the defense industrial base (DIB). That includes over 300,000 companies in the supply chain. Drafted with significant industry input, the CMMC aims to reduce cyber threat risks.
Building upon existing regulation, DFARS 252.204-7012, the CMMC adds a verification component with respect to cybersecurity requirements. Contractors already had to implement, monitor and certify their information technology system security. Now the CMMC adds third-party assessments of contractors' compliance with certain mandatory practices, procedures and capabilities.
“Previously there were a number of different frameworks that applied to a number of different circumstances,” said Allen O’Rourke, co-chair of Robinson Bradshaw’s Cybersecurity and Privacy Practice Group. The framework represents “a more uniform approach.”
In the past, contractors self-certified cybersecurity compliance. The new approach involves a third-party assessment. From a legal perspective, the old approach carried more risk, O’Rourke said. However, the new approach is going to require a greater investment of money and energy on the contractor’s part. “This approach is more of a practical undertaking,” he said. “It will frankly be a boon to the third-party cybersecurity consultant industry.”
The CMMC version 1 seeks to avoid any further compromises of sensitive DoD information stored on or transmitted by contractors’ information systems.
A July 2019 Inspector General report determined DoD contractors did not consistently implement security controls for safeguarding Defense information.
The report identified deficiencies in using multifactor authentication and in enforcing strong passwords, and found that identifying and mitigating network and system vulnerabilities was inconsistent. It also noted shortcomings in protecting data stored on removable media, in documenting and tracking cybersecurity incidents, and in overseeing network and boundary protection services provided by a third-party company.
The Inspector General's findings also raised concerns regarding:
Going forward, contractors will be certified at one of five levels reflecting their cybersecurity maturity and reliability:
The mandatory CMMC requirements are further outlined on a CMMC FAQ.
Ultimately, the CMMC Framework requires new practices and processes. Katie Arrington, of the Pentagon’s acquisition policy office, has said, “this is a change of culture.” Arrington, the chief information security officer for acquisition, added, “it’s going to take time, it’s going to be painful, and it’s going to cost money.”
All DoD contractors, at all supply chain tiers, regardless of size or geography, are expected to obtain a CMMC certification. The government has already begun to include minimum certification requirements in its requests for bids.
In the end, the level of certification required will vary based on the given contract.
“The different levels are tailored to different needs,” O’Rourke said. “A defense contract may not call for you to be a Level 5 if you are not doing something that is materially sensitive.” In other words, someone hired to work with marketing materials that are going to go public anyway would not need the same certification level as someone doing weapons development.
Nevertheless, compliance at any level will require contractors to clearly document their cybersecurity practices and procedures, so companies that want to work with the DoD will need to make changes. Reviewing or developing a compliance program to prepare for assessment is a start.
From a legal perspective, a managed service provider (MSP) will need to spell out who is responsible for what: define, in writing, who stores, processes and secures data on behalf of the client. MSPs also need to think through how the legal risks their clients face could come back on them.
Above all, agility will be key. Viewing certification achievement as an endpoint isn’t going to position the contractor to protect against or respond to evolving threats.
In conclusion, regardless of the CMMC level, contractors should keep looking for ways to expand their cyber resiliency and flexibility.
Calyptix offers an all-in-one solution for network security and management designed for small organizations in need of advanced yet easily implemented and affordable network security. AccessEnforcer version 5.0 adds Geo Fence and Gatekeeper to shrink network exposure and attack vectors, shield ports and systems from malicious actors and implement two-factor network authentication. Our UTM Firewall blocks threats like hackers, spam, and malware automatically. The network tools keep your connections fast and reliable. Learn more today!