Over the past two months we’ve been hearing a lot of buzz about CMMC, both from active customers and from security partners. In this post we give our initial, high-level reaction to this significant new standard.
We’re doing a webinar on March 4 at 1:00 PM CST with a customer, CalcuQuote, to talk about CMMC and how it applies in the EMS domain, where there are a large number of smaller scale DoD suppliers. You can register for the webinar to hear more.
The Cybersecurity Maturity Model Certification is a new (January 2020) standard and accompanying process that will be applied to Department of Defense contractors starting in roughly September 2020. In broad strokes, it is closely related to NIST 800-171, except that it adds a maturity component and actual audits for contractors handling very sensitive data.
The controls in CMMC are broken into 17 control areas:
| Domain | Domain | Domain |
|---|---|---|
| Access Control (AC) | Asset Management (AM) | Awareness and Training (AT) |
| Audit and Accountability (AU) | Configuration Management (CM) | Identification and Authentication (IA) |
| Incident Response (IR) | Maintenance (MA) | Media Protection (MP) |
| Personnel Security (PS) | Physical Protection (PE) | Recovery (RE) |
| Risk Management (RM) | Security Assessment (CA) | Situational Awareness (SA) |
| Systems and Communications Protection (SC) | System and Information Integrity (SI) | |
Within each of these areas there are either specific controls that must be in place, or control objectives that several controls working in concert must meet.
CMMC defines both Processes and Practices. We use the idea of maturity to provide a more nuanced view than a simple pass/fail analysis.
The following table outlines how CMMC thinks about the maturity of Processes:
| Level | Maturity | Description |
|---|---|---|
| 2 | Documented | Policy exists, practices documented to implement policy. |
| 3 | Managed | Establish, maintain and resource a plan that includes the domain. |
| 4 | Reviewed | Review and measure activities for effectiveness. |
| 5 | Optimizing | Standardize and optimize an approach. |
The following table outlines how CMMC handles the 5 Levels of Practices:
| Level | Name | Practices | Goal | Who should aim here |
|---|---|---|---|---|
| 2 | Intermediate Cyber Hygiene | FAR + Subset from NIST 800-171 | | |
| 3 | Good Cyber Hygiene | FAR + NIST 800-171 | Protect CUI | Most should aim here |
| 4 | Proactive | NIST 800-171B + 15 practices | Protect CUI + Reduce Risk of APT | Household names |
| 5 | Advanced / Progressive | NIST 800-171r1 & B 11 practices | | Household names |
CMMC adds a certification or verification element to the standard process, meaning that companies won't be able to self-assess; instead they will need to be audited and certified by a Certified Third Party Assessment Organization (C3PAO). Note that the certifying bodies aren't ready to start certifying yet!
In some ways, CMMC is effectively building on the success of NIST CSF and its maturity component, and expanding it to cover more specific controls. One advantage of a system that captures maturity is that we can build a roadmap from our current maturity level to our desired maturity level. Such a system can emphasize progress and improvement instead of failing scores.
The DoD says that CMMC is intended to be a cost-effective way of securing the DoD supply chain. Given that Level 3 (Protecting CUI) is based on NIST 800-171, which implies substantial organizational investment, this seems to be a hopeful assertion. One of our first recommendations is that customers communicate with executive management to make sure the costs and effort are understood and accounted for in the business plan. My instinct is that this is going to be extremely costly to implement throughout the supply chain.
That being said, since the marketplace and ecosystem don't exist yet, the costs aren't clear. The DoD will specify the required CMMC level in sections L and M of the RFP, and cybersecurity will be "an allowable cost". I suspect this means many large companies will pass on to the government significant costs for things they should have been doing all along. The CMMC FAQ suggests that "the costs will not be prohibitive." We will see...
The standard adds more explicit audit steps, reminiscent of FedRAMP, with a marketplace and ecosystem of Certified Third Party Assessment Organizations (C3PAOs). It is not exactly clear how these will be applied and administered. If the Prime vendors require audits for most subs, this will be a substantial cost across the whole ecosystem. If they don't, it won't be an effective supply chain security initiative.
It is unclear just what criteria will make a DoD contract require Level 3 versus Level 5. It is equally unclear how a Prime vendor will know how to apply the maturity levels to its subcontractors. This is a substantial and dangerous area of interpretation that could lead to unfair business practices and security gaps.
A further complexity is scope. As with almost any audit, the devil is in the details. We've seen companies scope an audit so narrowly that it is meaningless, yet they pass and many reviewers don't notice. More explicit rules about how scoping should work would benefit the ecosystem. One idea would be a standardized way of capturing the scope in detail, reviewing it periodically, doing spot-check audits the way the IRS does on tax returns, and imposing a penalty if the scope is misleading.
securityprogram.io already provides a simple task management interface and evidence gathering capability to help companies build their programs. To make it work better with CMMC, we have identified the following additional functions:
We didn't build securityprogram.io for CMMC, but we're confident it will make it easier for companies to achieve their goals.
CMMC is an ambitious unifying standard that could help the DoD substantially improve the security of its supply chain. It will likely add very substantial costs to defense contracts. Given the breadth of the challenge, we're excited about the opportunity to help a lot of companies navigate it with securityprogram.io.