As recent high-profile ransomware attacks and data breaches have once again demonstrated, there’s a growing imperative to better protect the public sector and the U.S.’s critical infrastructure against cyber threats. But in few places is this more important than the Defense Industrial Base (DIB). According to analysts from the Cyberspace Solarium Commission, “Cyber-enabled intellectual property theft from the DIB and adversary penetration of DIB networks and systems currently poses an existential threat to U.S. national security.”
Announced in July of 2019 and beginning to take effect in January of 2020, the Cybersecurity Maturity Model Certification (CMMC) is the Department of Defense (DoD)’s latest response to this urgent threat. The CMMC imposes uniform cybersecurity standards across the entirety of the DIB, which includes more than 300,000 organizations that collect, process or store Controlled Unclassified Information (CUI).
Based upon the standards outlined in NIST SP 800-171, the new regulation incorporates a handful of additional requirements and outlines a modified certification process in which validation of compliance by a qualified third-party assessor is now required. The CMMC also describes five distinct levels of increasing maturity: which maturity tier an individual contractor belongs to will depend on the sensitivity of the government information that the organization handles.
The rollout process for the new standard will be a gradual one, with full implementation to be achieved over a five-year period, but the DoD has already begun to include minimum certification requirements in certain requests for proposals (RFPs) that it’s issuing.
What’s Different About the New Standard?
The biggest change for defense contractors and subcontractors — as well as businesses in their supply chains — is that organizations can no longer self-certify that they’re in compliance. Instead, contractors are required to complete a more stringent review process conducted by a certified third-party assessor to verify their compliance status.
The cybersecurity practices and procedures that DoD contractors are expected to adhere to have already been published by the DoD, so contractors can begin compliance efforts now. What remains to be seen is how third-party assessors will interpret and inspect contractor programs. While CMMC standards are largely prescriptive, some degree of assessor judgement is always applied when opining on the quality of the design and operating effectiveness of controls. For example, for objectives that require a CMMC practice to be “adequate,” “monitored,” or “protected,” it’s quite possible that interpretations will vary at least somewhat among third-party assessors.
The CMMC also applies more broadly, to a greater number of organizations than NIST 800-171 did. This expanded reach means that more subcontractors and extended supply chain participants will need to think about and get ready for compliance.
How Can My Business Prepare for CMMC Compliance?
Although we are not a Certified Third-Party Assessor Organization, BTB Security is a CMMC Registered Provider Organization (RPO). We’re listed in the CMMC Marketplace among the organizations that can help DIB companies advance their CMMC compliance programs and prepare for assessments. Accordingly, we’ve created a specialized service to assist DoD contractors and subcontractors in preparing for assessments. In addition, our core services like managed detection and response, penetration testing, and web application security assessments can help companies achieve CMMC compliance.
We recommend that organizations undertake the following steps to get ready:
Readiness Assessment
Prior to the actual certifying assessment with the third-party assessor, thoroughly review all the requirements for your maturity level. Consider using an outside party adept at understanding standards and remediating gaps. In essence, this is an open-book test with a clearly defined scope, so it is relatively easy to understand ahead of time what you will need to demonstrate to the assessor.
Auditability
Being able to readily demonstrate that you comply is likely to be just as important as being in compliance. In order for your assessment to go smoothly, you’ll need to be able to provide clear, reliable, demonstrable evidence that your controls are operating at the requirements and specifications you’ve defined within your policies and standards. If the evidence that you provide is unclear, inconsistent, or arbitrary, the assessor might be reluctant to certify your organization. Focus on being able to produce clear, consistent evidence of your controls; ideally system-generated, automated, time-stamped, and centrally managed.
Clarity of Ownership and Upkeep
It is vital to designate clear ownership of and responsibility for the operating controls within your program. This person should ensure that your control set is defined, implemented, enforced, and operating as intended. Periodically assessing, correcting, and maintaining the in-scope practices and processes will help with CMMC program sustainability. When it comes to CMMC compliance, “set it and forget it” is the enemy of success.
The new CMMC standard represents a significant step forward for DIB cybersecurity as a whole. Because the requirements are based on NIST standards that are already well-respected in the private and public sectors alike, we may well see growing numbers of organizations beyond the federal space voluntarily adopting the CMMC’s provisions in the future.
In the meantime, if you’d like to learn more about what your company can do to get ready for CMMC compliance today, download our new Security Solution Guide or schedule a free consultation with a member of our expert team.