Unraveling the DoD’s new cybersecurity certification
New requirement for defense contractors in 2020
Time to ring in the New Year with a new acronym – CMMC. These four letters stand for Cybersecurity Maturity Model Certification and establish cybersecurity standards and best practices for companies nationwide. Becoming familiar with CMMC in 2020 will be a top priority for an estimated 300,000 companies that are contractors or subcontractors in the U.S. Department of Defense supply chain. New Hampshire is home to several large defense contractors and a network of subcontractors.
CMMC is the next stage in the DoD’s efforts to properly secure the defense industrial base, which is made up of companies contracted to create and supply products that support U.S. military operations. The announcement of a cybersecurity assessment model signals to industry a streamlining of DoD cybersecurity requirements for contractors and subcontractors, who will now be required to gain certification to prove they meet specific levels of security. These levels integrate and build on existing regulation, for example for companies that are already required by contract to be NIST 800-171 compliant. In the current draft, CMMC Level 3 most closely aligns with the NIST 800-171 controls, while the other levels fill out cybersecurity requirements above and below it.
How it works
While final details will be released in 2020, draft versions show that CMMC is intended to serve as a verification mechanism to ensure appropriate levels of cybersecurity practices and processes are in place for basic through proactive cyber hygiene. The intent is also to strengthen the protections around controlled unclassified information (CUI) that resides in DoD’s industry partners’ environments.
Organizations with deep experience in information security and a strong understanding of compliance processes and protocols can serve as advisors and assessors to prepare companies to meet certification requirements and audits.
There are layered complexities associated with CMMC, and companies are encouraged to begin investigating what is required of them as soon as possible.
The DoD has recognized gaining certification as an expense to contractors and has made cybersecurity an allowable cost. “Reasonableness” is key. It’s also important to point out that cybersecurity standards are already included in many existing contracts, and the associated costs are already assumed to be part of those agreements.
Inclusion as an allowable cost enables contractors to work with a partner for their own certification as well as for the certification of their subcontractors. The actual process will be rigorous and time-consuming, but because the cost is allowable it is not intended to be a prohibitive expense.
There are 17 domains, each composed of the specific capabilities required to achieve each level of CMMC; which domains apply must be considered depending on the type of work a company conducts. Examples of domains include access control, asset management, incident response, security assessment and personnel security. Each level is cumulative, meaning the company must demonstrate achievement of the previous levels. The five levels are as follows:
Level 1: “Basic Cyber Hygiene,” which addresses limited or inconsistent cybersecurity policies and systems
Level 2: “Intermediate Cyber Hygiene,” which requires established and documented policies, procedures and strategic cybersecurity plans
Level 3: “Good Cyber Hygiene,” which requires effective implementation of controls equal to the full NIST 800-171 control set and includes assessments to measure effectiveness
Level 4: “Substantial and Proactive Cybersecurity Program,” which requires continuous monitoring with process optimization and proactive alerts to leadership
Level 5: “Advanced or Progressive Cybersecurity Program,” which requires optimized capabilities to repel advanced persistent threats. Process implementation must be standardized across the entire organization
For defense contractors, becoming familiar with CMMC and gaining certification will be a key New Year’s resolution that enables them to continue to engage in DoD work. Look for CMMC 1.0 to be released later this month. In early- to mid-2020, certified accreditation organizations will be trained. CMMC requirements will appear in new RFIs by late 2020, and accreditors will be ready to provide certification.
Given the newness of CMMC, it’s not too early to start preparing by selecting a partner that truly understands CMMC complexities and how best to navigate this new cybersecurity certification process. If you are not already prepared based on existing NIST 800-171 requirements, the recommendation is to establish your cybersecurity posture based on CMMC 1.0. Good cyber hygiene protects your business, and an understanding of costs will be critical.
Jason Golden is chief information security officer at Mainstay Technologies, with offices in Manchester and Belmont.