For almost two years now, the US Department of Defense (DOD) has been reviewing a process designed to ensure defense contracts meet very specific cybersecurity standards when it comes to handling unclassified information. Known as the Cybersecurity Maturity Model Certification (CMMC), the process will make sure that all defense contractors meet at least a basic level of digital security hygiene in order to strengthen the DOD’s supply-chain risk posture and reduce the threat of potential leaks and information breaches. Here, our Risk Advisory Senior Director, Craig Moores, and Senior Consultant, Tim Hodgkins, explain the ‘what’, ‘how’, ‘when’ and ‘why’ of CMMC.
According to official figures from The White House Council of Economic Advisers, malicious cyber activity regularly costs the US economy up to $109 billion per year. Whilst private businesses form their own risk strategies around cybersecurity, albeit with some legislative help to set standards, public sector organizations as broad and far-reaching as the DOD need to develop their own cybersecurity standards and frameworks in order to minimize risk and increase security.
So-called ‘controlled unclassified information’ or CUI, handled by defense industrial base (DIB) contracts, is one of the biggest risk factors currently facing the department. That’s what CMMC aims to fix, by producing a new standard for all DIB contractors to adhere to when it comes to the handling of unclassified information. In the Pentagon’s own words, it will “adequately protect sensitive unclassified information, accounting for information flow down to subcontractors in a multi-tier supply chain”.
Tim outlines that CMMC, like most new frameworks, is currently undergoing a period of review by the Pentagon before it’s put into practice. The initial version, CMMC 1.0, combines risk controls that are commonly used in cybersecurity frameworks with more tailored controls that are unique to the DOD and DIB contracts. It also outlines five levels of security maturity that will determine which processes and practices a particular contractor will have to abide by when doing business with DOD. Compliance with these levels of security will be mandatory for all contractors, including UK-based contractors and those based in other countries around the world. The five levels are as follows:
Level 1: All federal contract information must be safeguarded. This is the most basic level of security maturity and means that a contractor must be able to guarantee that all data pertaining to the contract is adequately secured.
Level 2: This builds on level one and acts as a transition step to level three, requiring that all contractors be able to demonstrate the ability to self-audit their processes and prove that their policies and processes align with those of the DOD in terms of security.
Level 3: Full protection of controlled unclassified information (CUI). Contractors need to adhere to all of the security requirements set out in NIST 800-171 and NIST 800-53, as well as Aerospace Industries Association National Aerospace Standard 9933, and the Critical Security Controls for Effective Cyber Defense. In short, level three requires contractors to adhere to a plethora of compliance standards and be able to demonstrate that compliance robustly. This is where the majority of contractors will most likely sit.
Levels 4 and 5: In the highest levels of security maturity, contractors will not only need to demonstrate their compliance with all of the above, but will also need to enact their own cybersecurity policies and controls to reduce the risk from Advanced Persistent Threats (APTs).
The kind of service a business provides, and the level of access and engagement it will need in order to provide that service, will determine which level it is assigned. CMMC version 2.0, details of which emerged in November 2021, will seek to narrow these tiers down to three levels in order to simplify things. But rather than making things easier for contractors, this will likely raise the threshold of security standards even for basic services. We will discuss CMMC 2.0 in more detail on the blog soon, including how it differs from CMMC 1.0.
Those doing business with the DOD are going to be forced to review their current internal security standards to understand what more they need to do in order to keep their contracts. For instance, if information flows via email, the DOD will need to know whether or not those emails are encrypted and where they are stored. Likewise, businesses are going to have to take data storage more seriously. Where are shared files located? Is the file share location being regularly recertified to demonstrate ‘good hygiene’ and to show that it’s secure? Organizations bidding for contracts will also need to have tightly controlled access privileges among their team, so that access is only granted on a ‘need to know’ basis. Wider cybersecurity strategies will also be critical: just because a business can demonstrate good practices around a particular contract or set of data doesn’t mean it’s bulletproof in other areas. Businesses should therefore take some of the more general requirements and recommendations from CMMC and enact them across all business operations.
The CMMC framework was first established in November 2020 and has been evolving ever since. However, it’s not yet mandatory, as the DOD understands the need to allow most businesses time to prepare for new security controls and policies. It’s currently regarded as an ‘interim rule’, with the idea that by 2025 all contractors and subcontractors will be subject to the same mandatory third-party audits that keep them in line with one of the three levels of security maturity. Put simply, all businesses looking to win contracts with the DOD should already be developing their internal security processes in line with CMMC recommendations, as those recommendations will soon become mandates.