Sharon Page - CISSP-ISSMP, CAP, Certified ISO 27001 Lead Auditor
Security Architect
Malicious cyber actors are targeting the Defense Industrial Base (DIB) and the supply chain of the Department of Defense (DOD). In response, the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD (A&S)) developed the Cybersecurity Maturity Model Certification (CMMC), requiring its implementation by all companies doing business across the DOD supply chain by 2025. The CMMC is a framework that consists of maturity processes and cybersecurity best practices, organized into five (5) levels of maturity.
Reference: Cybersecurity Maturity Model Certification (CMMC), Version 1.02, March 18 2020, copyright 2020 Carnegie Mellon University and The Johns Hopkins University Applied Physics Laboratory LLC., page 11.
For companies in the United States, that usually means implementing the security controls, also known as best practices, contained in NIST SP 800-171, plus some additional best practices. Each maturity level builds upon the previous level.
Level 1 is required of any organization with a DoD contract, and protects Federal Contract Information (FCI). It consists of 17 security controls and requires only minimal effort in an organization's cybersecurity defenses.
Level 2 is the minimum level required to protect Controlled Unclassified Information (CUI). It consists of 55 security controls in addition to the 17 controls in Level 1, and requires the development of written cybersecurity policies, plans, and standard cybersecurity practices.
Level 3 consists of all the controls in Levels 1 and 2, plus 58 additional security controls necessary to increase the protection of CUI. The organization should perform continuous monitoring and reviews of its cybersecurity activities, based on its cybersecurity policy.
Level 4 adds 26 more security controls, 11 of which are from the draft NIST SP 800-171B, a supplement to NIST SP 800-171. This level also adds the requirement of monitoring and measuring the security controls to determine whether they are effective.
Level 5 adds 15 new security controls, bringing the total to 171 security controls in place. The organization must have standardized cybersecurity policies and processes across the entire organization.
Levels 4 and 5 go beyond just protecting CUI. They also provide the ability to reduce the risk of Advanced Persistent Threats (APTs).
CMMC applies only to the Defense Industrial Base (DIB) contractors' unclassified networks that process, store, or transmit FCI or CUI. FCI and CUI are data collected, created, transmitted, or received when performing contract obligations that a law, regulation, or Government-wide policy requires be handled using safeguards or dissemination controls. Therefore, the scope of a company's CMMC boundary must cover the portion of the company's network infrastructure that handles CUI and/or FCI.
Obtaining a CMMC certification at any maturity level requires the implementation of security best practices, with official validation from an authorized and accredited CMMC third-party assessment organization (3PAO).
The CMMC is being implemented in a five-year, phased rollout. During the first year (2021), fifteen new prime contracts will include the requirement for a CMMC certification. Each following year will increase the number of prime contracts that include CMMC certification requirements: 2022 – 75, 2023 – 250, 2024 – 325, and 2025 – 475. These contracts will focus on mid-sized programs that require the contractor to process or store CUI (CMMC Level 3). Primes will be required to flow down the appropriate CMMC requirements to their subcontractors. Contracts that include the CMMC requirements will not be awarded if a company is not certified at the appropriate CMMC level at the time of contract award.
Note: Companies that only provide Commercial-Off-The-Shelf (COTS) products to the DOD are not required to obtain a CMMC certification.
Look forward to UGI's blog for May, where we will be diving deeper into CMMC compliance and what is to be expected in the future.