There’s an often mistranslated Taoist adage that counsels “A journey of a thousand miles begins with a single step.” So it is presently with the Department of Defense’s (DoD’s) Cybersecurity Maturity Model Certification (CMMC), which continues its cybersecurity journey with the recently released update of standard CMMC .6.
For those unfamiliar with the CMMC, background on the evolving model can be found in our previous alerts on the subject here, here, and here—because it’s been a very tumultuous rollout. But, for brevity’s sake, the CMMC is intended to be a certification process that (1) measures and assesses a defense contractor’s ability to protect sensitive defense contract information and (2) provides for a certification element to verify implementation of cybersecurity requirements. All told, the program is intended to “provide the DoD assurance that a [Defense Industrial Base] contractor can adequately protect [Controlled Unclassified Information (CUI)] at a level commensurate with the risk, accounting for flow down to subcontractors in a multi-tier supply chain.” The release of CMMC .6 is intended to provide Defense Industrial Base (DIB) contractors notice and guidance so they can “prepare for the eventual CMMC roll out”—expected in January 2020—before CMMC is formally included in solicitations beginning in July 2020. Notably, CMMC .6 includes only the CMMC model for Levels 1 through 3; the model for Levels 4 through 5 is still in the works “because public comments are still being addressed.” However, CMMC .6 identifies that when CMMC 1.0 is expected to be released in January 2020, 1.0 will include tailored maturity processes for each domain.
The Lay of the Land
In examining the 90-page CMMC .6, which is far more robust than the preceding skeletal CMMC .4 slideshow, the first thing that jumps out is that the CMMC is now, for the first time, formally addressing Federal Contract Information, or FCI. This is noteworthy because FCI is not a type of data that is specifically covered (or generally considered) by preexisting cybersecurity clause DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting. Rather, FCI is addressed in FAR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems, where it is defined as “information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public Web sites) or simple transactional information, such as necessary to process payments.” Accordingly, this means that, at the outset, CMMC .6 is already more expansive than its predecessor with its intent to measure “a DIB sector company’s ability to protect FCI and CUI.”
At its highest level, the CMMC model is broken into “Domains” representing generalized areas of best practices for cybersecurity. Previously including 18 domains, CMMC .6 now includes only 17 domains. Removed from the prior list of domains is “Cybersecurity Governance,” a domain that had previously been very lean and targeted contractors aiming for Level 4 by addressing topics such as impact assessments as identified in the NIST Cybersecurity Framework.
CMMC .6 also offers new insight into what would be expected by defense contractors under the cumulative levels created under the standard:
LEVEL 1 – The baseline level wherein the contractor possesses basic cyber hygiene and meets the requirements in FAR 52.204-21. The maturity of a Level 1 contractor is not measured.
LEVEL 2 – A stepped increase by a contractor possessing intermediate cyber hygiene defined by documented procedures, policies, and strategic plans in place that govern their cybersecurity program.
LEVEL 3 – A contractor has good cyber hygiene including effective implementation of the safeguarding requirements found at NIST SP 800-171, Revision 1. If the contract requires access to or generates CUI, Level 3 is the targeted level, but the model recognizes that meeting the challenges posed by advanced persistent threats will be “challenging.”
LEVELS 4 & 5 – A contractor has a “proactive” cybersecurity program capable of adapting its tactics, techniques, and procedures to address advanced persistent threats.
CMMC .6 also raises a notable distinction between the Technical Practices and Process Maturities it is assessing, as the contractor will be assessed as possessing the level of the lowest category it meets. In practice, this means that if the contractor possess the Technical Practices found at Level 4 but possesses a Process Maturity of only Level 2, the contractor will meet only the requirements of Level 2 for CMMC purposes. This distinction reinforces the need for contractors to examine cybersecurity holistically: it’s not just about gadgets and gizmos, but a matter of investment, understanding, and [shudder] dynamic corporate compliance.
Perhaps the most insightful part of CMMC .6 is the inclusion of Appendix B, CMMC Level 1 Discussion and Clarification. This appendix, intended as aid and not guidance, provides Level 1 insight and clarifications for the practices that map to the safeguarding requirements directed by FAR 52.204-21 and NIST SP 800-171 Revision 1 (although many discussion points cite to Draft NIST SP 800-171 Revision 2). Through a series of discussions and hypothetical clarifications, this appendix attempts to provide contractors with a sense of what is expected for each identified capability a CMMC Level 1 holder is expected to possess. For example, how does a CMMC Level 1 contractor “[s]anitize or destroy information system media containing Federal Contract Information before disposal or release for reuse” under Media Protection (MP) P1118, or “[i]dentify, report, and correct information system flaws in a timely manner,” as required under System and Informational Integrity (SII) P1210? By citing to both documentary references (i.e., FAR, NIST, etc.) and providing basic examples, Appendix B attempts to educate Level 1 contractors (and each subsequent level that also must possess these rudimentary capabilities) on the DoD’s expectations.
From Whence It Came
Perhaps one of the most prescient indicators of CMMC’s eventual form will be found in its origins. The sources of inspiration for CMMC .6 include the aforementioned FAR and DFARS clauses along with “NIST SP 800-171 rev 1, Draft NIST SP 800-171B, the United Kingdom’s Cyber Essentials, and Australia’s Essential Eight [4,11,12,47].” For the uninitiated, the UK’s Cyber Essentials is a basic framework proffered by the UK’s National Cyber Security Centre, premised on the country’s 10 Steps to Cyber Security program. Similarly, the Essential Eight is a straightforward maturity model established by the Australian Signals Directorate’s Australian Cyber Security Centre in its Strategies to Mitigate Cyber Security Incidents. Both are simple programs intended to provide a framework for routine cyber hygiene.
Further, in a boon for compliant contractors, this iteration of CMMC looks to be more properly aligned with existing contractual requirements included in FAR 52.204-21 and DFARS 252.204-7012, with most practices (158 of the identified 219) stemming directly from the FAR, NIST SP 800-171 rev. 1, and NIST SP 800-171B. The new additions to the regulatory schema—those not included in NIST SP 800-171 or its progeny—stem mostly from the 2016 version of the CERT Resilience Management Model (CERT-RMM), which is not particularly surprising as both the CERT RMM and CMMC originate in part from the minds at Carnegie Mellon University’s Software Engineering Institute. According to CERT, the RMM is intended to operate as “the foundation for a process improvement approach to operational resilience management. It defines the essential organizational practices that are necessary to manage operational resilience.” Additional practices are addressed by way of the SANS Institute’s CIS Critical Security Controls, “a recommended set of actions for cyber defense that provide specific and actionable ways to stop today’s most pervasive and dangerous attacks.”
What all of this means is that to be in compliance with the rigors of CMMC, DIB contractors will be expected to meet additional and broader requirements woven into their contracts beyond their existing NIST-laden DFARS obligations. This includes, for example:
- CMMC requirements that contractors “[r]eview audit logs” (for Levels 2 through 5) and “[c]ollect audit logs into a central repository” (for Levels 3 through 5);
- CERT RMM requirements that contractors “[d]evelop and implement responses to declared incidents according to predefined procedures” (for Levels 2 through 5) and “[p]eriodically perform risk assessments to identify and prioritize risks according to the defined risk categories, risk sources, and risk measurement criteria” (for Levels 3 through 5); and
- CIS Critical Security Control requirements that contractors “[u]se encrypted sessions for the management of network devices” (for Levels 2 through 5) and “[r]egularly perform complete and comprehensive data back-ups and store them off-site and offline” (for Levels 3 through 5).
These additional requirements, and the good many other similar additions scattered throughout CMMC .6, all serve to counsel DoD contractors that they already need to be significantly prepared to meet the evolving requirements.
Navigating the Curves Ahead
It’s worth noting that the proper translation of Lao Tzu’s sojourning advice is actually “A journey of a thousand Chinese miles starts beneath one’s feet.” Before fretting too much about what is coming next, DoD contractors need to understand where it is they stand right now. So, with that in mind, the best advice we can give right now on how to tackle CMMC can be summed up in the following bullets:
- The clauses at FAR 52.204-21 and DFARS 252.204-7008 and -7012 still apply if (1) they are in your contract and (2) the type of data that requires protection is in your company’s possession. Follow their requirements.
- Remember that NIST “compliance” is not enough—contractors are required to maintain “adequate security” under DFARS 252-204-7012, and simply applying the safeguards identified in NIST SP 800-171 is likely insufficient.
- As you look toward where you want to be on the CMMC, beyond being DFARS “compliant,” examine the corresponding requirements (e.g., if you’re targeting CMMC Level 3, examine the requirements found in CERT RMM v 1.2).
- CMMC .6 does not appear to have any sort of request for comments, and that fact and the calendar tend to advise that the January 2020 start date for CMMC will happen—so be prepared to act.
The cybersecurity journey has started. Where are you on that road?