CYBERSECURITY MATURITY MODEL CERTIFICATION (CMMC):
Cybersecurity Standards and Contractor Certifications
The Department of Defense (DoD), or more specifically the Office of the Assistant Secretary of Defense for Acquisition, began the process of creating the Cybersecurity Maturity Model Certification (CMMC) in March of 2019.
The CMMC has been developed through a collaborative effort with Johns Hopkins University Applied Physics Laboratory, Carnegie Mellon University Software Engineering Institute, the Defense Industrial Base Sector Coordinating Council (DIB SCC), and the Office of Small Business Programs. Together they have issued a long-awaited cybersecurity standard for contractors who work with the Pentagon’s sensitive data. In addition, industry associations such as the National Defense Industrial Association (NDIA), the Aerospace Industries Association (AIA), and the Professional Services Council (PSC) have contributed industry input.
Three (3) Drafts So Far:
There have been three drafts issued to date (Version 0.4 in August 2019, Version 0.6 in November 2019, and now version 0.7 which came out in December 2019).
Below is summary information for the draft releases and information about a unique Green Paper penned by Michael Semmens (President of Imprimis, Inc.), Steve Lines (President of the DIB ISAC), and Jennifer Kurtz (Cyber Program Director, Manufacturer's EDGE), providing insight and analysis on the changes being driven by the DoD and their impact on small commercial and government contracting businesses.
CMMC GREEN PAPERS
Version 0.4 of the CMMC
The CMMC v0.4 cybersecurity standards provide contractors with a new “roadmap” for the cybersecurity standards they will need to adopt and be certified against if they want to pursue DoD contracts that handle or process Controlled Unclassified Information (CUI). Ultimately, the CMMC effort is designed to secure the DoD's large and complicated supply chains, from the largest prime contractors down to the smallest subcontractors.
The new CMMC framework addresses 18 domains described as “key sets of capabilities for cybersecurity” that were outlined in a slide deck distributed by the Office of the Assistant Secretary of Defense for Acquisition. These domains include areas like access control, governance, incident response, and risk assessment.
Each domain is assessed based on practices, or “activities performed at each level,” as well as processes engaged “at the level of maturity” for each practice within an organization. By separating these two criteria into separate categories, DoD contractors (prime and subcontractors) can demonstrate that they have institutionalized these “processes” even if they don’t exactly match or score points on any of the “practices” at the time of assessment. The result is a five-tier scoring model, with each tier tied to a certain level of cybersecurity assurance. Both practices and processes are reviewed and evaluated across the five levels, from basic through advanced.
Version 0.4: August 2019 Published by the DoD
(The Bottom Line, Up Front Analysis)
The Inspector General report and the report provided by Sera-Brynn indicated that the implementation of NIST SP 800-171 had failed – the implementation, not the security requirements. So, it would be logical to want to fix the problem – the implementation and enforcement. All the discussion to date regarding the CMMC is around developing a new standard. Performing risk analyses and adding controls where needed is a reasonable thing to do, but to do so accurately, the operational objectives and boundaries need to be defined. Major increases in complexity may work against successful implementation of good cybersecurity practices, making it more difficult for small businesses to reach maturity levels concomitant with meaningful program participation. The CMMC offers constructive improvements to the current guidance; however, the operational objectives at each level must be defined to ensure a fair system and to allow proper control selection.
Let us know what you think. Submit comments to
Version 0.6 of the CMMC
The new release of the CMMC v0.6 (November 2019) indicated a repositioning of the standard to closely align with NIST SP 800-171. In fact, at level 3 it can be accurately referred to as “171+21.” The overwhelming majority of practices reference NIST 800-171 requirements, and they closely align in both intent and content. There is a total of 21 practices included in the CMMC that do not refer to a NIST 800-171 requirement.
Version 0.6: November 2019 Published by the DoD
(The Bottom Line Up Front Analysis)
The CMMC drafts have changed significantly between v0.4 and v0.6. Although only levels 1-3 were published in v0.6, it's clear that the size and content have been shaped to make primary use of NIST SP 800-171 through level 3 as promised by OSD. Key takeaways from v0.6 are:
The number of practices and processes has been dramatically reduced as has been the number of cited security controls and requirements from other frameworks and standards.
Clarification was provided that cited controls and requirements such as NIST 800-171, CSF or CIS v7.1 are used to “inform” the practices defined in CMMC v0.6 and are references, NOT requirements for compliance. However, after a number of comments were sent back to the DoD through the review of v0.4 and v0.6, it seems that NIST 800-171 controls ARE GOING TO PLAY A MAJOR ROLE MOVING FORWARD FOR COMPLIANCE.
The Australian Cyber Security Centre or ACSC Essential 8 Maturity Model and the United Kingdom National Cyber Security Centre (NCSC) Essentials were added as cited or referenced material.
The Governance Domain has been deleted, and policy and governance have been integrated into the five maturity processes required through level 3.
The practices of CMMC follow the cited references very closely, so implementing the CMMC practices effectively implements the cited reference, and vice versa, particularly in the case of NIST 800-171.
Implementing all requirements defined in NIST 800-171 satisfies the overwhelming majority of the CMMC practices through level 3 as defined in CMMC v0.6.
There are 21 practices contained within CMMC v0.6 that do not reference NIST 800-171 and are therefore additional requirements.
The CMMC does not represent a huge change from NIST 800-171, but it does add some important practices that bring value to the security baseline. The big questions remain. First, what category of work or contract can be performed at the various maturity levels, or conversely, what level of procurement activity will each level earn? It still appears that level 3 is the first meaningful certification level. The second question is how and when certification will happen. OSD is actively developing the certification program, and details should be available soon. The key takeaway for DoD contracting companies is that certification will happen, and soon.
Version 0.7 of the CMMC
The new release of the CMMC v0.7 was published by the DoD on December 6, 2019. This release includes level 4-5 practices and modifies some maturity processes and level 1-3 practices. The DoD is releasing this draft version to support the public's continued review of the draft model in preparation for the release of CMMC Model Version 1.0 at the end of January 2020. Section 2 of the draft release describes the model framework in more detail, including levels, capability domains, and processes. Section 3 provides instructions on how to read the model. Appendix A presents the latest version of the CMMC Model. Appendices B, C, and D present the practice clarifications for CMMC Levels 1-3, respectively. The draft also provides key references, a glossary of terms, and a list of acronyms.