This content is provided by Attila Security.
Approximately 300,000 US government subcontractors are about to experience a major shift. In an effort to assess and strengthen the cybersecurity posture of its Defense Industrial Base (DIB) subcontractors, the Department of Defense recently announced the development of a new framework called the Cybersecurity Maturity Model Certification (CMMC). This framework is especially relevant to controlled unclassified information (CUI) within the supply chain. CUI is information that law, regulation or government-wide policy requires to be safeguarded or dissemination-controlled, but that is not classified. Examples include personally identifiable information, healthcare information, financial information, tax information, controlled but unclassified technical information such as engineering drawings or specifications, intelligence information, procurement and acquisition information, and unclassified nuclear information.
The CMMC Is Not Business As Usual
Currently, cybersecurity requirements for DIB subcontractors rest largely on self-attestation: under DFARS 252.204-7012, contractors attest to their own compliance with NIST SP 800-171, with little independent verification or enforcement. This is about to change. The official CMMC program requirements are scheduled for release in January 2020 and are expected to appear in RFIs as early as June 2020 and in RFPs shortly thereafter. Because certification will be a condition of bidding rather than a post-award obligation, DIB subcontractors will need to be assessed by an independent third party and certified for CMMC by spring 2020 in order to bid on and be awarded defense contracts.
The CMMC requirements are still under development, but here’s what we know so far:
Positioning Your Organization For CMMC Compliance
The CMMC will be based on NIST SP 800-171, but depending on the level it may also incorporate other standards and regulations (ISO 27001, NIST SP 800-53, AIA NAS9933, FIPS, etc.). Right now the CMMC requirements are still in draft form, and the window between the January 2020 release of the official requirements and the spring 2020 certification deadline for bidders will be very tight. Here are some recommendations to position your organization for CMMC compliance success:
The Potential Role of CSfC Devices In The New CMMC Program
Contractors preparing for CMMC certification may wish to evaluate security products that have already been vetted for use on government systems, such as those listed under NSA's Commercial Solutions for Classified (CSfC) program. CSfC was created so that government entities could protect classified data with layered, commercially available products rather than waiting for purpose-built government off the shelf (GOTS) hardware; the same products can also be used to protect CUI. Rather than certifying individual products outright, the program maintains a Components List of commercial off the shelf (COTS) products that have met its requirements, and approves solutions that compose two independent layers of such components according to a published capability package (for example, for mobile access, campus wireless, multi-site connectivity or data at rest). In keeping with the goal of lowering cost and time to field, the program requires that COTS products be preferred over GOTS products where possible.
To be placed on the CSfC Components List, a product must first complete a Common Criteria evaluation against the applicable NIAP-approved Protection Profile, including the CSfC-specific selections, performed by an accredited independent testing laboratory; the vendor must then sign a memorandum of agreement with NSA before the product is listed. The Common Criteria (ISO/IEC 15408) is an international standard for evaluating the security of IT products, and evaluations are mutually recognized among the signatories of the Common Criteria Recognition Arrangement. Two caveats apply when relating this to CMMC. First, CMMC covers federal contract information and CUI, not classified data; classified systems are governed by separate rules. Second, CSfC listing is not mapped to NIST SP 800-171 and attests to a product, not to an organization's practices, so it cannot by itself satisfy any CMMC level. What a CSfC-listed component does offer is strong, independently verified evidence for the specific 800-171 requirements that a device can address, such as cryptographic protection of CUI in transit (3.13.8), use of FIPS-validated cryptography (3.13.11) and protection of CUI at rest (3.13.16); the contractor must still document how the product is deployed and operated in its own system security plan.