Approximately 300,000 US government subcontractors are about to experience a major shift. In an effort to assess and strengthen the cybersecurity posture of its Defense Industrial Base (DIB) subcontractors, the Department of Defense recently announced the development of a new framework called the Cybersecurity Maturity Model Certification (CMMC). This framework is especially relevant for controlled unclassified information (CUI) within the supply chain. CUI is information that must be protected or safeguarded, but is not considered classified. Examples are: personally identifiable information, healthcare information, financial information, tax information, controlled but unclassified technical information such as engineering drawings or specs, intelligence information, procurement and acquisition information and unclassified nuclear information.
The CMMC Is Not Business As Usual
Currently, the cybersecurity requirements for DIB subcontractors are not strongly defined or enforced. This is about to change. The official CMMC program requirements will be rolled out in January 2020 and will start being used in RFIs as early as June and then in RFPs shortly thereafter. This means that DIB subcontractors will need to be audited and certified for CMMC by spring of 2020 in order to bid on and be awarded any government defense contracts.
The CMMC requirements are still under development, but here’s what we know so far:
Security requirements will match the need. CMMC compliance will range from level 1 (common sense cyber standards) to level 5 (full NIST compliance plus additional security controls) depending on the defense agency’s specific needs for a given project.
Independent audits will be required. Each company’s CMMC compliance will need to be certified by a third-party auditor. Contractors will not be allowed to self-certify as CMMC compliant.
There will be transparency in contracting requirements. All RFPs will clearly state the required CMMC level, and only companies with the required level or higher will be allowed to submit bids.
Adoption cost will not be a barrier. Under CMMC, contractors will be able to roll any costs associated with security into their billable rate. In addition, grants will be available to smaller contractors to assist with their initial certification.
Determine the appropriate level of CMMC security that applies to your company’s network. Unless your organization is storing CUI on its network, level 1 or 2 may be enough.
Perform an internal audit to identify and address any gaps between your organization’s security and the CMMC requirements. Depending on your company’s resources and IT staffing, you may be able to accomplish this internally, or it may be helpful to bring in an outside advisor. Organizations applying for certification up to level 3 may use the National Institute of Standards and Technology’s Handbook 162.
Book your third-party compliance audit as early as possible. Given the short time frame for compliance, auditor schedules are likely to fill up quickly.
The Potential Role of CSfC Devices In The New CMMC Program
Contractors applying for CMMC certification may wish to evaluate security solutions that have already been vetted for use on government systems to protect classified and sensitive information, such as those approved under the Commercial Solutions for Classified (CSfC) program. The CSfC program was designed to provide government entities with the security solutions they need to protect both classified and CUI data as quickly as possible. Rather than limiting acquisitions to government off-the-shelf (GOTS) hardware, the CSfC program certifies commercial off-the-shelf (COTS) products as meeting certain security needs. In fact, in order to keep costs down, the CSfC program requires giving preference to COTS over GOTS products when possible.
In order to achieve CSfC approval, a product must undergo two levels of vetting: validation against a protection profile, followed by testing against the Common Criteria security standards by an independent certified testing laboratory. The Common Criteria are an international agreement on the security standards to require for government-acquired devices. While CSfC approval is not mapped directly to the NIST SP 800-171 requirements, the security level of a CSfC device should meet or exceed the CMMC requirements for handling classified or sensitive data.