By Tom Wojcinski, CISA, CRISC, Wipfli
Recognizing the threat of cybercrime and nation-state-sponsored cyber espionage, the Department of Defense (DoD) is enacting new rules to expand cybersecurity requirements within its supply chain.
The new rules establish the Cybersecurity Maturity Model Certification (CMMC) and define the cybersecurity control practices and process maturity levels that organizations within the defense industrial base (DIB) sector must have in place. Notably, CMMC certification will be required in order to be awarded new contracts.
Additionally, the CMMC moves beyond the existing trust-based self-assessment and requires an external examiner to certify the organization’s cybersecurity control processes and maturity. Here’s what you need to know about the CMMC:
Who does it apply to?
All DIB contractors with access to federal contract information (FCI) and controlled unclassified information (CUI) will be required to comply. Contractors with access to CUI will be required to meet at least CMMC level 3 and obtain a biennial certification. Level 3 requires a DIB contractor to have the “basic capability to protect and sustain an organization’s assets and CUI.”
How many levels are there?
The CMMC is organized into five primary levels. Each level contains a set of corresponding practices based on the DoD’s expectation for the sophistication and maturity of the cybersecurity controls. The DoD sets the level that an organization needs to meet; the higher the level, the more practices must be met and the more mature the processes are expected to be.
To meet a given level, an organization must demonstrate both the technical practices and the process maturity that correspond to that level as well as the levels below it.
How many domains are there?
The cybersecurity requirements within CMMC are organized into 17 domains. These domains are sourced from existing regulation and standards, such as Federal Information Processing Standard (FIPS) 200 and National Institute of Standards and Technology (NIST) Special Publication 800-171. In addition to these existing control standards, the DoD has included Asset Management, Recovery, and Situational Awareness domains as part of CMMC.
What are capabilities?
The capabilities get into the meat of the CMMC requirement.
Each domain has an associated set of capabilities that an organization must be able to demonstrate. For example, within incident response, there are five different capabilities: plan incident response, detect and report events, develop and implement a response to a declared incident, perform post-incident reviews, and test incident response.
What are practices?
The capabilities in CMMC are supported by the practices identified for each level. These practices are the verifiable cybersecurity controls and safeguards that an organization must have in place.
Following our incident response example, the capability to detect and report events at level 3 requires an organization to maintain practices that 1) develop and implement responses to declared incidents according to predefined procedures and 2) track, document, and report incidents to designated officials and/or authorities, both internal and external to the organization.
The practices are cumulative. An organization that must meet level 3 also needs to address the practices identified at levels 1 and 2.
How do you demonstrate process maturity?
In parallel with the practices, CMMC also requires a level of process maturity.
At the initial levels of process maturity, organizations perform activities on an informal or ad hoc basis. As organizations mature, processes become more formal and are performed consistently.
Ultimately, the most mature processes are measured and optimized, with corrective actions taken to address defects that management identifies within the process.
As part of the certification, an organization must demonstrate process maturity at the following levels:
- Performed: Practices are performed informally; however, there is no institutionalization of the process.
- Documented: Practices are supported by a documented policy, a documented procedure and a plan to implement and perform practices related to the domain.
- Managed: Management periodically reviews activities related to the domains to confirm adherence to policy and practices. Additionally, management provides sufficient resources to meet the plan for the given domains.
- Reviewed: Management reviews and measures activities to determine the effectiveness of controls and safeguards to meet the required capabilities. Additionally, executive management reviews results of domain activities and helps resolve issues.
- Optimized: The organization uses a standardized approach to apply domain activities across all relevant business units or organizational divisions. Additionally, identified practice improvement opportunities are shared across the organization.
What are the costs and reimbursement options?
Demonstrating its commitment to increasing cybersecurity across the DIB, the DoD has stated that the cost of the certification will be a reimbursable expense under the contract.
As of this writing, the DoD hasn’t published the certification process, so we can’t say for certain what the certification will cost. However, the DoD has indicated its desire to ensure the process is affordable and commensurate with the level of risk.
If you have access to, or generate, CUI as part of a contract with the DoD or with a prime contractor, this requirement will apply to your organization.