8 Things to Know About the DoD Cybersecurity Maturity Model Certification (CMMC) for Defense Contractors

Say hello to the new Department of Defense (DoD) Cybersecurity Maturity Model Certification (CMMC) and goodbye to the controversial and often limited value self-assessment process with DFARS NIST 800-171 compliance.

Why the shift? Simple. There’s been quite a bit of chatter in the federal government – and the defense industry as a whole – regarding the value of the current DFARS NIST 800-171 framework, at least in terms of truly validating compliance. It seems the fox-guarding-the-hen-house scenario has run its course, and the DoD is now playing hardball with the more than 300,000+ entities in scope for CMMC. Changes are coming to the world of cybersecurity for defense contractors.

Notable highlights of the new framework, according to the DRAFT CMMC Model issued in September, 2019:

  • The vision of the CMMC is to be a unified cybersecurity standard for DoD acquisitions to reduce exfiltration of Controlled Unclassified Information (CUI) from the Defense Industrial Base (DIB).
  • The CMMC will combine various cybersecurity standards and best practices.
  • The goal of the CMMC is for a cost-effective and affordable cybersecurity framework for small businesses in the DoD arena.
  • There will be 18 “Domains”, with “Capabilities” within each of the Domains.
  • “Capabilities” are essentially various practices and processes, which will then be mapped to CMMC Level 1 to Level 5.

(1). The DoD is Getting VERY Serious About Cybersecurity

It’s also important to note that DoD contractors may be getting a knock on their door from the DoD themselves. That’s right, if you want to win contracts in the federal DoD space, then you’ll need to make sure your cybersecurity measures are up to the DoD’s standards. There’s talk – real talk – that the DoD will be conducting random audits on defense contractors.

According to Ellen Lord, DoD Undersecretary for acquisition and development, “We have set out an objective of coming up with new cybersecurity standards this year…We’ll have metrics by which to measure them. We’ll have third parties that can actually audit against them, such as International Organization for Standardization standards we have for quality. We need to then understand: How do we put cybersecurity into the new networks we are building? How do we make sure that there aren’t back doors there? How do we make sure that data at rest stays secure?”

Here's what you need to know about the DoD Cybersecurity Maturity Model Certification (CMMC), courtesy of FLANK, one of North America’s leading providers of security, governance, and compliance solutions & services.

(2). The CMMC is a New Approach to Cybersecurity for the DoD

Why a new approach? The DoD – and the entire federal government – wants to make sure that contractors are embracing cybersecurity for protecting government data. While the CMMC will no doubt draw directly from NIST 800-171 in terms of controls, other frameworks and best practices will be included also. The new approach by the DoD also aims to make the certification process cost-effective and affordable for small businesses. DoD contractors are already being hit hard with FISMA and DFARS NIST 800-171 costs, so the CMMC may be welcome news to smaller contractors (we’ll just have to wait and see).

(3). The CMMC is not DFARS NIST 800-171

It is the same in some respects, but also different. While the CMMC clearly adopts domains from NIST 800-171, it also expands upon them to include additional domains from other standards, regulations, and best practices. Also, there is a certification process new to the CMMC that has been painfully absent with DFARS NIST 800-171.

Here's the CMMC timeline of implementation (as of August 2019):

  • CMMC ver. 0.1 – May, 2019
  • CMMC ver. 0.2 identified/reviewed gaps between other standards and CMMC phase 1 model – July, 2019
  • CMMC Listening Tour – July to Oct. 2019
  • CMMC starts initial pathfinders – Fall, 2019
  • CMMC ver. 0.4 – Released
  • CMMC ver. 0.6 – Oct. 2019
  • Training of 3rd party assessment organizations for CMMC – Jan. to June, 2020
  • CMMC to start appearing in RFIs – June, 2020
  • CMMC to start appearing in RFPs – Sep. 2020

(4). Certification for DoD Defense Contractors will be Required

This is one of the biggest changes in the DoD’s outlook on cybersecurity for federal contractors. The complaint – and it is valid, for sure – that contractors have not taken NIST 800-171 seriously is about to be addressed when third-party auditors become involved and actually start certifying entities. It’s a new ballgame with the DoD in terms of cybersecurity.

(5). The Controls Framework is Comprehensive – and Necessary

Building on NIST 800-171, other frameworks, and best practices has resulted in a CMMC model structure that includes the following eighteen domains:

  • Access Control
  • Asset Management
  • Awareness and Training
  • Audit and Accountability
  • Configuration Management
  • Cybersecurity Governance
  • Identification and Authentication
  • Incident Response
  • Maintenance
  • Media Protection
  • Personnel Security
  • Physical Protection
  • Recovery
  • Risk Assessment
  • Security Assessment
  • Situational Awareness
  • System and Communications Protection
  • System and Information Integrity

That’s an increase of four Domains over the current NIST 800-171 framework, which is important to note. Yet much like DFARS NIST 800-171 compliance, a healthy dose of documentation in the form of policies and procedures will be required.

(6). Certification will be Performed by Approved and Accredited Assessors

This is the interesting part of the entire CMMC framework. We’ve been asked a number of times by clients – “Who can and will be certifying DoD contractors for CMMC?” As of this first writing (October, 2019), we’re still waiting for that answer.

(7). There are different levels within the CMMC

Currently, the CMMC Draft is showing the following five (5) Levels:

  • Level 1: Basic Cyber Hygiene
  • Level 2: Intermediate Cyber Hygiene
  • Level 3: Good Cyber Hygiene
  • Level 4: Proactive
  • Level 5: Advanced/Progressive

The CMMC Draft notes that “Levels 4 & 5 are targeted toward a small subset of the DIB sector that supports DoD critical programs and technologies”, so one can likely assume that the vast majority of DoD contractors will fall somewhere between Levels 1 – 3.

(8). Documentation (i.e. Policies and Procedures) Will be Critical

The CMMC has eighteen domains, each of them requiring a hefty number of InfoSec and operational policies and procedures to be in place. Just to give you a few examples of the dozens of policies that need to be in place – you’ll need an access control policy, change management policy, configuration management policy, incident response policy, and more. And that’s just the policies for the actual domains.

When drilling down deeper into each of the 18 CMMC domains, there are requirements for even more documentation. FLANK offers an incredibly comprehensive, well-written CMMC Policy Toolkit filled with all the necessary documentation. Once the final CMMC is approved, please look for our toolkit online at flank.org.

Many DoD contractors in the supply chain are small entities that simply don’t have the resources and manpower for writing information security policies and procedures. For those organizations, the CMMC Policy Toolkit is invaluable, saving organizations dozens of hours and thousands of dollars on costly policy development. Some things to keep in mind with CMMC documentation:

  • A robust incident response plan is needed. With many defense contractors using a cloud-based solution, an incident response plan that reflects this is necessary. Are you using AWS, Azure, and/or Google Cloud?
  • A comprehensive risk assessment must be performed each year, documented accordingly, and the results sent upstream to management.
  • A very well-written access control policy is required for documenting an organization’s entire provisioning and de-provisioning process – and everything in between.

Policies and procedures are a big, big part of CMMC – so download the CMMC Policy Toolkit today.

How can FLANK Help with CMMC?

We are North America’s documentation leaders when it comes to CMMC, offering world-class policy templates in our toolkit that is available for instant download. Documentation will be one of the biggest requirements for CMMC, and FLANK has it covered. From access control policies to incident response plans – and more – our world-class CMMC Policy Toolkit (available in 2020) will be an invaluable resource for CMMC compliance.
