This is the first in a three-part series on the new Department of Defense (DoD) audit requirement called Cybersecurity Maturity Model Certification (CMMC). This first part introduces CMMC and what it means for the cybersecurity of U.S. defense suppliers. Part two will discuss how to prepare for a CMMC audit. Part three will cover the assessment process and how CMMC could become the model for future compliance standards.
Why Audits and Why Now?
U.S. federal law enforcement agencies have been warning for decades that global cyber actors threaten U.S. national security through economic espionage and cyberwarfare. Since the private sector owns and runs roughly 85 percent of critical U.S. infrastructure, the U.S. government can do little directly to bolster the cyber defenses of civilian organizations. It can, however, do a lot indirectly. Thus was born CMMC, a new procurement requirement for DoD contracts. Because it affects all defense suppliers, this new rule is meant to move the needle significantly for U.S. companies tied to critical defense work. And because CMMC has a broad reach and a publicly available standard, the hope is that it will stimulate better security practices beyond the DoD supply chain as well.
Of course, the DoD had security requirements in place for suppliers before CMMC, such as the cybersecurity clauses of the Defense Federal Acquisition Regulation Supplement (DFARS). CMMC goes further by making certification a prerequisite for contract award. In the past, a supplier attested to its own compliance and risked losing the contract later if its security program turned out to have significant unresolved shortfalls. With CMMC, a supplier must pass a third-party assessment before the DoD can award the contract at all.
The good news (for suppliers) is that the DoD is starting slowly. Existing contracts are unaffected; only the new request for proposal (RFP) process changes. This gives everyone time to ramp up and meet the new standard without too much scrambling. However, the DoD expects all suppliers to be compliant within the next five years.
Cybersecurity Audits Are the New Normal
Many find audits to be tedious exercises in paperwork and minutiae, but more and more they are being used to bring cybersecurity practices up to a measurable minimum. For those who work in the financial, retail, or medical sectors, audits are just another facet of doing business in the 21st century. In fact, some organizations find themselves subject to overlapping cybersecurity audits. Publicly traded banks, for example, have information protection programs that fall under both the Gramm-Leach-Bliley Act (GLBA) banking rules and the public-company rules of the Sarbanes-Oxley Act of 2002 (SOX). Anyone handling payment cards is subject to a contractually mandated audit against the Payment Card Industry Data Security Standard (PCI DSS). Organizations serving global customers may find themselves subject to audits and assessments from regulators and customers around the world.
Even with no explicit regulatory requirement, some organizations in supply chains have to prove to their customers that the customer-supplied confidential data they hold is secure. For example, many law firms, consulting companies, and software contractors find themselves under cybersecurity assessment by their clients because of the sensitive data they handle. It is becoming commonplace for IT service contracts that touch sensitive data to include a "right to audit" clause. So CMMC isn't unexpected, merely inevitable.
The Capability Maturity Model and CMMC
To understand CMMC, it helps to understand how it is based on the Capability Maturity Model (CMM).1 The DoD sponsored the CMM through the Software Engineering Institute, beginning in 1986, as a way to measure the maturity of software development processes within an organization. The model uses a scale of 1 through 5 to rate how established and organized a particular practice is within an organization. The scale, from lowest to highest, goes:
- Initial. The organization performs the process, but only some of the time, and the process is not necessarily defined or repeatable. Documentation-wise, this usually amounts to a policy stating the organization's intention and goal to do something, with not much else described.
- Repeatable. The process is repeatable, with basic methods in place to ensure it is actually performed. For documentation, assessors typically look for a standard that describes how often the process should be done and what specific, tangible outcomes it should produce.
- Defined. At this level, the process is documented as a procedure with a series of standardized steps and assigned roles.
- Managed. This level adds internal review and monitoring of the process and its effectiveness. Documentation includes tracking metrics and goals related to the process.
- Optimizing. At this highest level, the organization reviews the metrics and status of the process and then develops and optimizes the practices to improve efficiency and effectiveness toward the defined goals.
A level 0 is also sometimes used to denote a practice that is performed only on an ad hoc basis or that is nonexistent within the organization.
CMM to CMMC Based on Risk to CIA
CMMC also has five levels, roughly corresponding to the maturity of the organization's cybersecurity practices. The first level, which the DoD estimates the majority of small suppliers will fall into, requires only 17 specific controls implemented at a basic "initial" level. Each step up the scale adds more controls and requires more depth and integration. CMMC Level 3 encompasses all 110 individual controls across the 14 control families in Special Publication 800-171 from the National Institute of Standards and Technology (NIST). Levels 4 and 5 add still more cybersecurity processes.
The level an organization must meet will be based on the risk to Controlled Unclassified Information (CUI), which is sensitive but unclassified DoD data made available to suppliers for performing contracted services.2 The volume and sensitivity of the CUI the supplier handles determines the CMMC level. At a minimum, however, all suppliers will need to meet Level 1.
Like all other audits, this raises the issue of determining which systems to include in the audit and how they are segregated from the rest of the environment. This is called the scope, and it determines what is important and needs the stronger protection. In financial audits, the focus is on financial and payment information. Payment card audits concentrate on payment card processes such as point-of-sale terminals and online shopping carts. For any CMMC level above 1, the attention is on the systems that store, process, or transmit CUI.
One caution regarding audit parameters: organizations can declare what they consider to be in scope and protected, but assessors have the right to challenge and redefine those boundaries. It pays to define the scope correctly and carefully. As in other audit regimes, a safe working assumption is that any system holding the protected data, and any system that can reach it without a controlled boundary in between, is in scope until you can demonstrate otherwise. At this point in time, the specifics around CMMC scoping have not been published. Are all applications or services pertaining to the DoD contract included? What about financial or messaging systems? This has yet to be determined and will be a major factor to watch as more CMMC details are released.
How and When CMMC Will Roll Out
The first version of CMMC is available on the DoD website. More releases are expected in June and in the fall of 2020, along with more specific information about what needs to be included in an RFP. However, these deadlines could slip because of the pandemic.
Overall, the DoD expects around 300,000 companies to become part of the CMMC program, and it expects around 85 percent of those to be at Level 1, the lowest level, which means these are likely small businesses and individual contractors. About 4 percent, or roughly 13,000 companies, are expected to be certified at Level 3, the minimum acceptable level for handling CUI. If a lower-level supplier needs access to CUI, it has the option of subcontracting with a higher-level company and falling under that company's program and rules. The DoD expects relatively few Level 4 and Level 5 organizations, as these will be the larger firms that already routinely handle sensitive military contracts.
The good news is that the DoD is willing to pay for quality cybersecurity: expenses related to CMMC and security efforts are now an allowable cost within DoD contracts. Since all companies will be competing on an equal footing, with CMMC costs built into their bids, the DoD hopes this will bolster its entire supplier community.
In the End, CMMC Is a Good Thing
As much as people dislike regulations and being forced to do something (even when it's a good thing), audits are great forcing functions for building security programs. The scoping and risk analysis work is effective in clarifying a company's mission, rethinking assumptions, and pruning out unneeded technology and functions. If something costs too much to secure and isn't critical to delivering a useful service, its value to the business as a whole can be reconsidered. Furthermore, IT departments have always struggled to find the resources (both money and time) to complete security projects. When passing an audit is a customer requirement, a lot more resources suddenly become available.
Beyond resources, organizational change is a tough nut to crack, especially for security programs. When that change is tied to landing a lucrative government contract, getting people motivated becomes a whole lot easier. Organizations also tend to feel they are "doing enough" when it comes to cybersecurity. It's a different story when an auditor comes in and points out all the areas where they fall short. Painful as the process can be, it leads to a stronger security program.
Lastly, an organization's security leader is often the one who delivers the bad news or explains why something can't be done. With CMMC, there is a convenient scapegoat. The security leader can simply say, "Hey, I don't want to do two-factor authentication either, but CMMC requires it." Love them or hate them (and most people hate them), audits produce results.
In part two, we'll dive deeper into CMMC itself, look at CMMC control sets in more detail, and discuss how to prepare for an audit.