If your organization competes for Department of Defense (DoD) contracts, you may have spent a great deal of time and effort over the last four years aligning your information security controls with NIST Special Publication 800-171. Today, compliance with the 800-171 controls is mandatory for suppliers who have access to Controlled Unclassified Information (CUI) under Defense Finance Accounting Rules 252.204-7012.
But as we discussed in the first article in this series, it rapidly became apparent that the DFARS / NIST 800-171 program was an abysmal failure. Within two years of introduction, plans were already underway to replace the program with a much more ambitious framework: the Cybersecurity Maturity Model Certification (CMMC).
While a great deal of commonality exists between these two frameworks at the security control level, they are wildly different animals at the programmatic level. In this article, we will discuss the top three differences between these programs that your organization must consider as you migrate to the new CMMC framework.
DFARS 252.204-7012 required all suppliers dealing with CUI to achieve compliance with the 110 controls in NIST 800-171 — eventually. In reality, organizations only had to achieve compliance with the 15 minimum requirements covering basic cyber hygiene to avoid any negative contractual consequences. For non-compliance with any of the remaining 95 controls, organizations could essentially submit a plan for how compliance would eventually be achieved.
This plan was composed of two components. The first, the System Security Plan (SSP), detailed how the control would be implemented — the end state after corrective action was complete. The second component was the Program of Actions and Milestones (POAM), which was essentially the roadmap to implementation of the SSP.
Oversight of SSP and POAM implementation was lacking at best, and very few organizations were penalized for failure to fully implement all the NIST 800-171 controls. That’s all about to change.
CMMC certification will be required for awarding DoD contracts. Whereas organizations could work towards NIST 800-171 compliance in parallel with execution of the contract, CMMC certification is an initial barrier to entry. No certification, no award — period.
Whether this lofty goal can be implemented without breaking the supply chains that the DoD relies upon is yet to be seen. However, it is worth noting that the DoD has publicly stated that they will not delay CMMC implementation due to the COVID-19 pandemic. Given that they have taken a pass on an easy opportunity for delay, it would not be prudent to bet against seeing certification requirements in RFPs this fall.
NIST 800-171 was a one-size-fits-all framework. Whether you were a large Prime contractor like Raytheon or simply produced ball bearings for gun turrets, the expectation was for full compliance with all controls. There are two main flaws with this paradigm.
First, it was extremely difficult for small suppliers to (truthfully) achieve compliance with the full control set. Before I joined PlexTrac, I provided security services to a number of very small companies with fewer than two dozen personnel. Many had little to no in-house IT staff, and almost none had a dedicated information security professional. Basic cyber hygiene was a real challenge.
Let’s take a look at an example of how NIST 800-171 imposed unrealistic burdens on organizations like these. Control 3.14.6 requires these small organizations to “monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks.” This control is an active requirement; the word “monitor” implies that it is someone’s job to analyze network traffic. This situation smells a lot like requiring a SIEM solution — and having someone assigned to managing that solution. Sure, there are outsourced continuous monitoring solutions available. However, these come at a cost that most Small and Medium Sized Businesses (SMBs) don’t find palatable.
On the other end of the spectrum are the large Prime contractors. Achieving full compliance with NIST 800-171 is much less burdensome for these organizations, especially given that they are held to more rigorous standards such as NIST’s Cybersecurity Framework (CSF) and FedRAMP as part of their more sensitive operations. For these organizations, NIST 800-171 presented a disincentive to implement continuous improvement. Once the minimum baseline was achieved, there was no apparent return on investing additional resources in their information security posture.
CMMC addresses these concerns through a tiered approach. Each control (called a “practice” in CMMC parlance) is mapped to one of five maturity levels. Level 1 is the most basic and will be the bare minimum for any contract award involving CUI. Level 5 is the most stringent, and requirement for certification at this level will be reserved for the most sensitive contracts. To achieve certification at a given level, the organization must achieve compliance with that level’s controls in addition to all controls at any lower levels.
The expectation is that Level 3 compliance will be the standard for most contract awards. Full Level 3 compliance approximates the maturity of an organization that has fully implemented all NIST 800-171 controls. However, some lucrative awards will be reserved for those companies which have achieved Level 4 or 5, creating the incentive for additional improvement among more mature organizations in the Defense Industrial Base.
You can view the breakdown of controls by maturity level in the official documentation (along with other CMMC resources) here: https://www.acq.osd.mil/cmmc/draft.html.
Time to address the elephant in the room. While the changes we have discussed so far are profound, the biggest change that CMMC brings is the elimination of self-attestation. Put more bluntly, you don’t get to grade yourself anymore.
If your organization has been acting with integrity, the implications are limited to the financial cost of hiring a third-party certifier. Good news here: the DoD fully expects the costs associated with CMMC certification to be passed on to them. RFPs can and should include costs associated with obtaining and maintaining CMMC certification. While the specifics of how this will work are not fully baked yet, the DoD is at least now acknowledging that costs should not winnow your margins.
If your self-attestations have been “generous,” it’s time to pay the piper.
As you prepare your organization for certification, it is important to understand that third-party security firms will offer two different kinds of service. Both are valuable and should be considered.
Many consultancies are already offering advisory services to assist organizations in preparing for the inevitable formal certification. While CMMC may be new, compliance with frameworks is old hat for many consultancies. These organizations have years of experience with frameworks such as NIST 800-53, 800-171 and even international standards like ISO 27001. Just as we all took practice tests before college entrance exams, we need to prepare before the formal CMMC certification process to identify where resources must be invested. There are many reputable firms offering these services today, and your choice in consultancy will likely be based on factors related to your specific organization.
The second class of service is certification itself — the “golden ticket” you will need to successfully bid on contracts come this fall. Unfortunately, there are no accredited certifiers yet. The CMMC Accreditation Body (https://www.cmmcab.org/) is still finalizing the training and accreditation standards. Notwithstanding any COVID-related delays, expectations are to begin training certifiers in July of 2020. As consultancies achieve this certification, we will update this post to include a list of trusted partners to assist you.
We are living in a very tumultuous time and it will be extremely shocking if the planned roll-out of CMMC stays wholly “on the rails.” However, the messaging from the DoD has not changed. If your organization relies upon DoD contracts, many of which involve the exchange of CUI, you have no choice other than to eventually obtain CMMC certification. Fail to plan, and you may face an existential threat.
In our next installment of this series, we will dive into the structure of the CMMC framework itself. Spoiler alert: If you are already doing the right things, the burden of implementation is not onerous. The controls themselves are well thought out and the framework is well-structured. Implementation may not be trivial, but it will help your organization secure contract awards and achieve a more robust security posture.