Changes are ahead for businesses of all sizes in the Defense Industrial Base (DIB) sector and the supply chain of the Department of Defense (DoD) with new cybersecurity certification requirements on the way.
The Office of the Under Secretary of Defense for Acquisition and Sustainment - OUSD(A&S) - recognizes that security is foundational to acquisition, and should not be compromised along with cost, schedule, and performance moving forward. All businesses in the defense supply chain, regardless of size, will require certification going forward to participate in contracts. The Department is committed to working with the Defense Industrial Base (DIB) sector to enhance the protection of controlled unclassified information (CUI) within the supply chain.
Theft of intellectual property and sensitive information from all industrial sectors as a result of malicious cyber activity threatens economic security and national security. This reality creates the need for enhanced security measures and certification (verification) for all businesses in the Defense Industrial Base (DIB). The CMMC effort builds upon existing regulation (DFARS 252.204-7012) that is based on trust, by adding a verification component (Certification) with respect to cybersecurity requirements. A "crawl, walk, run" approach is being introduced to phase in requirements from now through 2026.
The Maturity Model is a set of characteristics, attributes, indicators, and patterns that represent capability and progression in cybersecurity best practices. There are five levels of maturity in the model ranging with increasing capabilities, processes, and practices. Level One mirrors the NIST SP 800-171 framework that organizations are currently self-assessing for, and should be achievable without considerable additional effort assuming current compliance.
Practices and processes are organized by a set of 17 domains:
- Access Control (AC)
- Asset Management (AM)
- Audit and Accountability (AU)
- Awareness and Training (AT)
- Configuration Management (CM)
- Identification and Authentication (IA)
- Incident Response (IR)
- Maintenance (MA)
- Media Protection (MP)
- Personal Security (PS)
- Physical Protection (PE)
- Recovery (RE)
- Risk Management (RM)
- Security Assessment (CA)
- Situational Awareness (SA)
- System Communications and Protection (SC)
- System Information Integrity (SI)
Each of the 17 domains consists of a set of processes and capabilities across five levels. There are 43 capabilities. Within the CMMC framework, process institutionalization provides assurances that the practices associated with each level are implemented effectively. The CMMC framework is looking for how deeply ingrained the security activity is imbedded in the organization. Certification for a specific level is looking for a track record of the behavior. For example, in moving from Level One to Level Two, Security Awareness training is needed. Trying to introduce this right before an assessment won't fly - the practices need to be deeply ingrained so that the ability to perform the activity, even in times of great stress, will be consistent and repeatable. In other words, no corners will be cut.
The Maturity Levels are summarized below:
- Level 1: Performed
- Level 2: Documented
- Level 3: Managed
- Level 4: Reviewed
- Level 5: Optimizing
All organizations who will handle Federal Contract Information (FCI) will need to achieve Maturity Level 1. In order to handle Controlled Unclassified Information (CUI), Level 3 or above is required. Level 2 is considered a transition level.
We've put together a resource page with supporting documents to understand what's ahead for CMMC: www.ekaru.com/cmmc-resources These resources cover in depth exactly what's required.
Contract requirements are being phased in over a number of years, and organizations only need to have achieved the appropriate certification by the contract award date, not the submission date. so there's time, but we're recommending to our local small business community in Massachusetts and New Hampshire to start planning for CMMC TODAY.