Cybersecurity Maturity Model Certification (CMMC) is Taking Shape
1/2/2020
The Cybersecurity Maturity Model Certification (CMMC) is a Department of Defense (DoD) certification process and framework designed to align, protect, and certify the defense industrial base (DIB). The Council of Economic Advisors estimates that malicious cyber activity cost the U.S. economy between $57 billion and $109 billion in 2016. Currently, when dealing with covered defense information, the DIB is subject to the provisions of Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting. This clause mandates that qualifying companies must implement the cybersecurity control requirements in National Institute of Standards and Technology (NIST) Special Publication 800-171 revision 1. This activity is currently a self-assessment, but there is a chance you may be audited by the Defense Contract Audit Agency (DCAA).
Recognizing that a low-enforcement regulatory structure in a “high stakes” environment is a mismatch, the DoD introduced the CMMC framework and a proposed timeline in the Spring of 2019. The CMMC framework pulls from some of the top best-practices frameworks including NIST SP 800-171 r1, as well as Australia’s Essential Eight Maturity Model, FIPS PUBs 197, 199, 200, and 201, NAS9933, NIST Cybersecurity Framework, and CERT Resilience Management Model, among others. It differs significantly from the current DFARS 7012 plus NIST 800-171 r1 regime in a few key areas, namely:
It is multidimensional. There are five “Levels” a company may be required to be certified for. They increase in difficulty and in required process maturity.
The framework is cumulative. If you are required to be certified for Level 3, you must meet the requirements in Levels 1, 2, and 3.
It is not a self-assessment. Certification is required to bid.
Recertification will be required every three years.
We are still in the draft phase of CMMC with version 0.7 released in early December. The DoD is expecting the release version to be ready by late January 2020. The certifier accreditation program (how to accredit and approve auditors) should be announced in February or March 2020 with auditors/certifiers being accredited by September. After this point, the first certifications may be required in RFPs, meaning the earliest you may be required to become certified is September 2020.
Structure of the CMMC Framework
The CMMC framework, at the highest level, is comprised of 17 domains. Domains are meant to be the highest-level groupings within the framework. Most of these domains originated from FIPS 200 and NIST SP 800-171 r1, so they may look familiar to you if you have previously undergone a DFARS compliance effort. The 17 domains are:
Audit and Accountability
Awareness and Training
Identification and Authentication
System and Communications Protection
System and Information Integrity
Below the domains are capabilities. Capabilities are intended to be the specific achievements or objectives carried out within each domain. In order to deliver the listed capability, the company must implement the corresponding practices and processes contained in the subgrouping. Practices and processes can be looked at as security requirements or control requirements.
The CMMC framework is comprised of five levels. You will be asked via Sections L & M in RFPs to be certified to a particular level. The levels increase in difficulty and complexity, with Levels 4 and 5 being reserved for companies with mission-critical program activities that are likely to be targeted by Advanced Persistent Threats (APTs) and state-sponsored hackers. It is expected that the majority of organizations in the DIB will be certifying to Level 3.
Next Steps – What should you do now?
If you are anticipating being subject to the CMMC, that means you are probably subject to DFARS 252.204-7012 / NIST 800-171 r1 already. You should consider a mapping exercise that compares your current state of compliance to the CMMC level you can reasonably expect to be asked to certify for. There will likely be additional work required to meet the new standard. Given the relatively short timelines involved, starting the work now will save time and trouble later on. DGC’s IT Risk Assurance & Advisory Team takes a proactive approach to every engagement. We assess each client’s individual circumstances and put together a thorough and efficient plan of action to ensure compliance. For more information, contact a member of your client service team or Nick DeLena, CISSP, CISA, CRISC at 781-937-5191 / email@example.com.