Over the past two months, we've been hearing a lot of buzz about CMMC, both with active customers and security partners. In this post, we will talk about our initial high-level reaction to the significant new standard.
The Cybersecurity Maturity Model Certification is a new (January 2020) standard and accompanying process that will be applied to Department of Defense contractors starting in roughly September 2020. At a broad brush, it is closely related to NIST 800-171NIST 800-171 is a set of security requirements published by the National Institute of Standards and Technology (NIST) that applies to non-federal organizations that handle controlled unclassified information (CUI). NIST 800-171 compliance is mandatory for organizations that contract with the US federal government and handle CUI, and failure to comply can result in penalties and loss of business opportunities. except with a maturity component and actual audits for contractors handling very sensitive data.
The controls in CMMCCybersecurity Maturity Model Certification (CMMC) is a framework developed by the United States Department of Defense (DoD) to ensure that contractors and suppliers meet specific cybersecurity requirements when working on DoD contracts. Contractors and suppliers must achieve the appropriate level of CMMC certification to be eligible for DoD contracts. are broken into 17 control areas:
|Access Control (AC)||Asset Management (AM)||Awareness and TrainingIn the context of cybersecurity, training refers to educating employees, contractors, and other stakeholders about security best practices and policies. This can include training on how to recognize and avoid common phishing and social engineering attacks, how to create strong passwords and use multi-factor authentication, how to handle sensitive data, and how to respond to security incidents. Effective training programs are ongoing and can help organizations reduce the risk of human error and improve overall security posture. (AT)|
|AuditA cyber security audit is an independent evaluation of an organization's information systems, policies, and procedures to assess their compliance with relevant security standards and regulations. The audit typically involves a thorough review of the organization's security and risk management processes, and incident response plans, as well as an assessment of its ability to prevent, detect, and respond to cyber threats. and Accountability (AU)||Configuration Management (CM)||Identification and Authentication (IA)|
|Incident Response (IR)||Maintenance (MA)||Media Protection (MP)|
|Personnel Security (PS)||Physical Protection (PE)||Recovery (RE)|
|Risk Management (RM)||Security AssessmentA cyber security assessment is a comprehensive evaluation of an organization's information technology systems, infrastructure, policies, and procedures to identify vulnerabilities and risks. The assessment can be performed by internal or external cybersecurity experts and typically involves reviewing policies, procedures, and training of personnel, analyzing security architecture and configuration, and testing security through simulations or real-world attack scenarios. (CA)||Situational Awareness (SA)|
|Systems and Communications Protection (SC)||System and Information Integrity (SI)|
Within each of these areas, you can imagine a specific control that must be in place or a control objective where several controls work in concert to meet the control objective.
CMMC defines Processes and Practices. We use the idea of Maturity to provide a more nuanced view than a simple binary analysis.
The following table outlines the way CMMC handles thinking about maturity of Processes:
|2||Documented||Policy exists, practices documented to implement policy.|
|3||Managed||Establish, maintain and resource a plan that includes the domain.|
|4||Reviewed||Review and measure activities for effectiveness.|
|5||Optimizing||Standardize and optimize an approach.|
The following table outlines how CMMC handles 5 Levels of Practices:
|2||Intermediate Cyber Hygiene||FAR + Subset from NISTNIST stands for the National Institute of Standards and Technology, which is a US government agency responsible for developing and publishing standards and guidelines related to information security and cybersecurity. 800-171|
|3||Good Cyber Hygiene||FAR + NIST 800-171||Protect CUI||Most should aim here|
|4||Proactive||NIST 800-171B + 15 practices||Protect CUI + Reduce Risk of APT||Household names|
|5||Advanced / Progressive||NIST 800-171r1 & B 11 practices||Household names|
CMMC adds a certification or verification element to the standard process, meaning that companies won't be able to self-assess - but rather will need to be audited or certified by a Certified Third Party Assessment Organization (C3PAO). Note that the certifying bodies aren't ready to start certifying yet!
In some ways, CMMC is effectively building on the success of NIST CSF and its maturity component and expanding it to cover more specific controls. One advantage of a system that captures maturity is that we can build a roadmap from our current maturity level to our desired maturity level. Such a system can emphasize progress and improvement instead of failing scores.
The DoD says that CMMC is intended to be a cost-effective way of securing the DoD supply chain. Basing the analysis on NIST 171, which for Level 3 (Protecting CUI), suggests substantial organizational investments, this seems to be a hopeful assertion. One of our first recommendations is that customers communicate with executive management to make sure the costs and effort are understood and accounted for in the business plan. My instinct is that this is going to be extremely costly to implement throughout the supply chain.
That being said, since the marketplace and ecosystem don't exist yet, the costs aren't clear. The DoD will specify the CMMC level required in sections L & M of RFP and cybersecurity will be "an allowable cost". I suspect this means many large companies will pass on significant costs for things they should have been doing all along to the government. The CMMC FAQ suggests that "the costs will not be prohibitive." We will see...
The standard adds more explicit audit steps, reminiscent of FedRamp, with a marketplace and ecosystem of Certified Third Party Assessment Organization (C3PAO). It is not exactly clear how these will be applied and administered. If the Prime vendors require audits for most subs, then this will be a substantial cost throughout the whole ecosystem. If they don't, it won't be an effective supply chain security initiative.
It is unclear just what criteria will make a DoD Contract require Level 3 versus Level 5. It is equally unclear how a Prime Vendor will know how to apply the maturity levels to their subcontractors. This is a substantial and dangerous area of interpretation that could lead to unfair business practices and security gaps.
A further complexity is scope. As with almost any audit, the devil is in the details. We've seen companies scope an audit so narrowly that it is meaningless - but then they pass and many reviewers don't notice. It seems that having more explicit rules about how scoping should work would benefit the ecosystem. One idea would be to have a standardized way of capturing the scope in detail, then review that periodically and maybe do spot check audits like the IRS does on tax returns and have a penalty if the scope is misleading.
securityprogram.io already provides a simple task management interface and evidence gathering capability to help companies build their programs. To make it work better with CMMC, we have identified the following additional functions:
We didn't build securityprogram.io for CMMC, but we're pretty sure it will make it easier for people to achieve their goals.
CMMC is an ambitious unifying standard that could help the DoD substantially improve the security of their supply chain. It will likely add very substantial costs to defense contracts. Given the breadth of the challenge, we're excited about the opportunity to potentially help a lot of companies navigate it with securityprogram.io.