In its never-ending mission to improve cybersecurity best practices, the U.S. Department of Defense (DOD) published an interim rule in September 2020 on its Cybersecurity Maturity Model Certification (CMMC). The CMMC rule creates a framework for the DOD to more effectively assess the cybersecurity implementation of government defense contractors. The CMMC will also enhance the protection of unclassified information within the DOD supply chain.
Because of these new requirements, prime contractors and subcontractors need to become third-party certified by Nov. 30, 2020, if they wish to continue doing business with the DOD.
"[An] estimated 7,500 companies will be certified in 2021," said Katie Arrington, chief information security officer in the Office of the Undersecretary of Defense for Acquisition and Sustainment. "That doesn't seem like a lot but if you think about the interconnectivity of the [defense industrial base] it's a certification that's good for all DOD contracts for three years."
While the full roll-out of CMMC will take place over the course of five years, contractors need to start moving forward with getting certified quickly.
Breaking down CMMC best practices
The CMMC interim rule falls under the Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting. The clause requires contractors and subcontractors to implement the 110 security controls set forth in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 on "any information system that processes, stores or transmits Controlled Unclassified Information."
The new rule creates a new NIST SP 800-171 Assessment requirement for DOD procurement contracts awarded after Nov. 30 that exceed $10,000. The NIST Framework is segmented into five buckets, or functions: identify, protect, detect, respond and recover.
Even following a successful assessment, certification and authentication process, contractors must keep reviewing and logging activities for rapid detection. Maintaining compliance will involve continuous system monitoring and regularly upgrading necessary safeguards to protect against malicious IPs, coordinated cyberattacks and common web exploits.
Depending on the type of work being contracted, organizations will need to meet varying levels of security requirements, listed as Levels 1 through 5. Level 1 is the least stringent while Level 5 is the most strict:
- Level 1: Performed. This is where documentation of practices begins.
- Level 2: Documented. With documentation in place for all levels, draft a policy that covers all activities.
- Level 3: Managed. A plan exists to cover all activities, which is maintained and resourced.
- Level 4: Reviewed. Activities are reviewed and measured for effectiveness, with the results of the review shared with higher level management.
- Level 5: Optimized. Following the review and measurement, a standardized document approach is implemented across all applicable organizational units.
In each level, all practices must be documented, including those that fall under lower levels.
For this certification, DOD defines "activities" as the organization's mission, goals, project plans, resourcing strategy, training needs and the involvement of relevant stakeholders. The practice progression lists Level 1 companies as having basic cyber hygiene, Level 2 with intermediate cyber hygiene, Level 3 with good cyber hygiene, Level 4 as proactive and Level 5 as advanced and progressive with their cybersecurity practices.
For those federal contractors looking to maintain their government defense contracts, it would be wise to invest in visibility, protection and rapid detection technologies. Contractors and subcontractors can review the associated Federal Register page to find out additional information about this new interim rule, such as expected cost impact.