Department of Defense’s Cybersecurity Maturity Model Certification Planning Moves Forward

security-600The Department of Defense (DoD) has taken another step on the path toward full implementation of its Cybersecurity Maturity Model Certification (CMMC) initiative. On September 5, 2019, the Office of the Assistant Secretary of Defense for Acquisition released version 4 of the CMMC and has requested public comment.

The CMMC process began early this year and has been an iterative process. According to DoD, it anticipates continuing to refine and improve the model over the coming months and releasing a version 6 for further public review in November 2019.

DoD has designed CMMC to add a verification component to cybersecurity compliance. Currently, DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, outlines the requisite security measures that must be taken to protect controlled unclassified information (CUI)[1] generated, accessed, used, or stored on contractors’ or subcontractors’ IT systems in connection with the performance of DoD contracts and subcontracts. Since the inception of the rule, contractors and subcontractors have self-certified that they are compliant with the DFARS -7012 clause.

With CMMC, DoD is abandoning the self-certification approach and replacing it with a third‑party verification requirement. In an approach similar to that used for FedRAMP certification of cloud service providers, DoD will use certified and independent third‑party organizations to audit compliance with cybersecurity requirements across the defense industrial base.

In addition to mandating third-party evaluation, CMMC will also involve identification of “maturity levels” of security that apply to DoD contracts. The levels will range from “Basic Cybersecurity Hygiene” to “Advanced.”  Each increasing level will require implementation of more extensive cybersecurity protections by contractors. DoD will assess whether a contractor is compliant at the appropriate maturity level as part of the initial proposal evaluation process. While some of the required protections will closely mirror the current NIST SP 800-171 standard used in the DFARS -7012 clause, the intent of CMMC is to combine multiple cybersecurity control standards, including not only NIST SP 800-171, but also NIST SP 800-53, ISO 27001, ISO 27032, AIA NAS9933, and others, into one unified standard for cybersecurity.

As presently envisioned, all contractors and subcontractors in the defense industrial base will need to obtain CMMC, whether or not they handle CUI. While yet-to-be-identified third‑party assessment organizations will perform most CMMC reviews, DoD also has indicated that some higher‑level assessments may be performed by the Defense Contract Management Agency, the Defense Counterintelligence and Security Agency, or other DoD organizations.

DoD’s move towards third-party audits and more comprehensive risk assessment and analysis is in large part a response to the continued risk to national security and national economic interests posed by increasing malicious cyber activity targeted towards CUI. While this is no doubt a serious concern both for DoD and the defense industrial base at large, there remain a number of unanswered questions about when and how CMMC will be fully implemented. Full implementation of the DFARS -7012 clause stretched out over several years and included multiple iterations and rounds of public comment. DoD seems to be moving more quickly to implement CMMC, but a number of factors inevitably will introduce delay, including, but not limited to: the need to finalize and standardize the security criteria for each maturity model; the need to educate the DoD procurement community on inclusion of CMMC standards in solicitations and requests for proposals; the need to identify and certify a significant number of third-party assessors; and, last but not least, the need for those assessors to complete hundreds of thousands of assessment. CMMC is the wave of the future, but also perhaps a long ways away.

[1] CUI is an umbrella term for all unclassified information that requires special safeguarding or dissemination controls. The DFARS -7012 clause refers to CUI that relates to DoD programs as “covered defense information,” or CDI.