CMMC Analysis

Part 01 of four

CMMC: History, Future + International

CMMC is a DoD certification process that measures how well a Defense Industrial Base (DIB) sector company protects Controlled Unclassified Information (CUI) and Federal Contract Information (FCI). It incorporates several cybersecurity control standards, including NIST SP 800-171, AIA NAS9933, ISO 27001, and ISO 27032.

The History of Cybersecurity Maturity Model Certification (CMMC).

HOW CMMC WAS FOUNDED
  • Malicious cyber activity threatened US national security and the economy, leading to the loss of billions of dollars of intellectual property (IP).
  • According to the Council of Economic Advisers, malicious cyber activity cost the US economy between $57 billion and $109 billion in 2016. Much of this IP theft is directly linked to poor cybersecurity and failed implementation of measures to guard sensitive data.
  • The Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) partnered with the Defense Industrial Base (DIB) sector to counter malicious cyber activity by increasing protection for sensitive data. The focus is mainly on Controlled Unclassified Information (CUI) and Federal Contract Information (FCI).
  • Previously, all contractors and subcontractors working with DoD were required to comply with NIST Special Publication (SP) 800-171. Because compliance was self-attested (an honor system), many contractors did not actually meet the standard, which resulted in security issues.
  • Because CUI and FCI are shared with DIB sector contractors, DoD's sensitive data is distributed beyond DoD's own information security boundary.
  • In response to these threats, OUSD(A&S) began working with DoD stakeholders, Federally Funded Research and Development Centers (FFRDCs), and University Affiliated Research Centers (UARCs) to develop the Cybersecurity Maturity Model Certification (CMMC).

The Future Vision for Cybersecurity Maturity Model Certification (CMMC)


Strategy

We initially started our research by looking for information about the history of the CMMC, the future vision, and how the CMMC works for companies from other countries. We used several credible sites such as The Business of Federal Technology and Federal News Network, among others. We found data on the history of the CMMC and the future vision. However, we could not find any information regarding how CMMC works for companies from other countries.

Since we found CMMC is a government initiative, we decided to check US government sites such as the Office of the Under Secretary of Defense for Acquisition & Sustainment (OUSD (A&S)), Department of Defense (DoD), and Information Technology Industry Council, among others. We found the latest version of the draft CMMC guide on the site of the Under Secretary of Defense for Acquisition & Sustainment (OUSD (A&S)). It had all the details about what CMMC is, the history, and how organizations working with DoD must be certified to curb cybersecurity issues. However, this guide did not mention anything about how CMMC works for companies from other countries or how they intend to work with other nations interested in contracting with the US DoD.

Upon finding that there is no information about CMMC working with other countries from the government sources, we checked from news sites, media sources, and press releases. However, no information regarding the same was found. We decided to peruse all previous versions of the CMMC draft. We started checking from the first version (V 0.1) through (V 0.7), thinking that we could trace any information regarding CMMC working with other nations. We only found that the updates from one version to another included more details on the procedures to be followed by organizations that will work with the US DoD from 2020.

We decided to redirect our research towards determining countries working with the US DoD. We searched for any study or articles from publications to check if there were certifications required for contractors or subcontractors to work with the US DoD. This would help us know if the previous certification was included in the new CMMC draft. However, we could not trace any information regarding the same. We, therefore, assumed that since the draft is being implemented in different phases, and every newer version comes with revised data, newer versions of the draft might include the information.
Part 02 of four

CMMC: Reasoning

Cybersecurity Maturity Model Certification (CMMC) is important because it enforces basic cyber hygiene and protects the Controlled Unclassified Information (CUI) held on the networks of the Department of Defense's partners. The Commission on the Theft of American Intellectual Property reports that the total theft of US trade secrets amounts to about 3% of US GDP. More information on the topic is presented below.

Importance of CMMC

  • Cybersecurity Maturity Model Certification (CMMC) is important because it examines and improves the Defense Industrial Base's cybersecurity posture. This verification mechanism is designed to make sure that appropriate levels of cybersecurity processes and practices are in place.
  • One of the main purposes of the CMMC framework is to enforce basic cyber hygiene and protect the Controlled Unclassified Information (CUI) found on the networks of the Department of Defense's partners.
  • CMMC is intended to unify multiple cybersecurity control standards, including "NIST SP 800-171, NIST SP 800-53, ISO 27001, ISO 27032, and AIA NAS9933."
  • CMMC is also important because it assesses the maturity of "a company's institutionalization of cybersecurity practices and processes," not just whether individual controls exist.
  • Around 300,000 companies in the United States are expected to apply for the Cybersecurity Maturity Model Certification. A company that does not get certified will lose its ability to do business with the Department of Defense.

The Threats CMMC is Hoping to Stop

  • The biggest threat that the Cybersecurity Maturity Model Certification is hoping to stop is the huge loss of controlled unclassified information (CUI) from the Defense Industrial Base sector. The aggregate loss of CUI has increased the national economic security risks in the US.
  • The Commission on the Theft of American Intellectual Property reports that the total theft of the trade secrets of the United States "accounts for anywhere from $180 billion to $540 billion per year." This number amounts to about 3% of the total GDP of the US.
  • The Council of Economic Advisers is an agency working under the Executive Office of the President. The council reported that the US economy had to face a loss of $57-$109 billion due to malicious cyber activity in 2016.
  • According to the Center for Strategic and International Studies (CSIS), "as much as $600 Billion, nearly 1% of global GDP, may be lost to cybercrime each year."
  • Due to these big threats, the Cybersecurity Maturity Model Certification (CMMC) is going to be enforced upon the companies that are involved with the Department of Defense.

The Problems CMMC is Trying to Solve

  • As mentioned above, the loss of controlled unclassified information (CUI) has become a huge security problem in the US. This is resulting in major economic losses.
  • According to Stronghold Cyber Security, many countries, including China, Russia, and Iran, are stealing valuable and secret information from the US.
  • According to Stronghold Cyber Security, China's Y-20 aircraft, and the Boeing C-17 aircraft of the US are identical to each other. Similarly, Russia's Su-57 aircraft and the Lockheed F-22 of the US are also identical to each other.
  • The loss of intellectual property and secret information has become a huge problem for the Defense Industrial Base, manufacturers in the US, and other enterprises that sell or create valuable information. The CMMC framework has been designed to solve this problem.
Part 03 of four

CMMC vs. HIPAA & PCI

The potential consequence for a business that does not comply with the Cybersecurity Maturity Model Certification (CMMC) is disqualification from participating in a Department of Defense (DoD) contract. CMMC assessments will be done by third-party assessment organizations, and the frequency is still being considered. Businesses that fail to comply with PCI requirements may face increased levels of assessment and examination, and substantial fines. While the PCI Security Standards Council develops and maintains the standards, the card brands have their own compliance regulations, including the frequency of assessment. The potential consequences for not complying with the Health Insurance Portability and Accountability Act (HIPAA) include heavy penalties and fines ranging from $100 to $50,000 per violation or record. Detailed information on the comparison is below.

CMMC

The Potential Threat/Consequences For Not Participating/Complying

  • A business may be disqualified from participating in a Department of Defense contract that requires Cybersecurity Maturity Model Certification if the business is not certified.

The Level of Enforcement

  • All companies that conduct business with the Department of Defense are required to comply with CMMC. There are different levels of certification, and the level a company must reach depends on the Controlled Unclassified Information it processes or handles.
  • CMMC assessments will be performed by third-party commercial assessment organizations once the program is in full use, but some higher-level assessments could be done by "organic DoD assessors within the Services, the Defense Contract Management Agency (DCMA) or the Defense Counterintelligence and Security Agency (DCSA)."
  • The frequency and duration of CMMC assessments, and how often an organization needs to be reassessed, are still under consideration.
  • The CMMC level required for a contract is determined by the government. An organization is awarded certification only at the level it requests, and only once it demonstrates the corresponding capabilities and maturity "to the satisfaction of the assessor and certifier."
  • If a CMMC-certified organization is compromised by a security breach, it does not automatically lose its certification. However, depending on the circumstances of the compromise and an assessment carried out by the government's program manager, the organization may be asked to undergo re-certification.

The Reasoning for the Consequences for not Complying

  • Disqualifying businesses from participating in a Department of Defense contract when they are not certified under the Cybersecurity Maturity Model Certification is justified to protect the cybersecurity posture of the Defense Industrial Base.
  • Disqualifying businesses from participating in a Department of Defense contract when they are not certified under the Cybersecurity Maturity Model Certification is also justified to reduce the threat to controlled unclassified information within the supply chain, and reduce the risk of specific sets of cyber threats.

PCI Security Standards Council

The Potential Threat/Consequences For Not Participating/Complying

  • When a business fails to comply with PCI requirements and is compromised, it may face increased levels of assessment and examination, and be forced to hire a "QSA to conduct a PCI assessment and issue a Report on Compliance." This can be costly, especially for small businesses, and may lead to their collapse.
  • Failure to comply with PCI requirements can lead to large fines and penalties imposed by the card brands. It can also lead to a company's card payment services being revoked or its accounts being suspended. Violating PCI compliance regulations can lead to fines of between $2,000 and over $100,000 per month, with further fines for repeat violations. Fines are normally calculated from the number of card records stolen and vary from one payment card brand to another.
  • Failure to comply with PCI requirements can lead to data breaches, which damage the name and reputation of a company when the breach is covered by the media. Businesses can also suffer lawsuits and remediation costs arising from breaches that occur when PCI requirements are ignored.
  • When a business fails to comply with PCI requirements, the cardholder data it processes can be stolen, leading to losses from fraud when the stolen data, including card and account numbers, is used. The business can also be forced to fund the cost of re-issuing compromised cards, the cost of preventing further fraud, and the cost of detecting or monitoring further suspicious activity, for example through forensic audits.

The Level of Enforcement

  • The PCI Security Standards Council connects businesses with council-trained and validated assessors who assist in implementing PCI controls and processes and in evaluating their effectiveness. These include Approved Scanning Vendors (ASVs), Qualified Security Assessors (QSAs), and PCI Forensic Investigators (PFIs).
  • Although the PCI Security Standards Council develops and maintains the standards, the five payment card brands, namely Visa, American Express, MasterCard, Discover, and JCB International, are the ones that enforce them.
  • Each payment card brand has its own compliance regulations and penalties for noncompliance. Companies need to contact their merchant bank (acquirer) for specific compliance requirements such as deadlines, validation, reporting, specific definitions, and penalties for noncompliance.
  • In addition to complying with the PCI security requirements, businesses are required to validate their compliance every year. The validation requires a business to "submit a passing vulnerability scan performed by an Approved Scanning Vendor (ASV) regardless of their location and the size or the number of credit card transactions they process each year."
  • Companies use either a Self-Assessment Questionnaire (SAQ) or a Report on Compliance (ROC) to validate their PCI DSS compliance each year. Which validation is required depends on how many transactions a company processes annually and on the payment card brand involved.

The Reasoning for the Consequences for not Complying

  • The consequences of not complying with the PCI Security Standards are justified to protect personal data that is collected from individuals.

HIPAA

The Potential Threat/Consequences For Not Participating/Complying

  • The consequences of not complying with HIPAA vary. In some cases the company receives technical assistance to fix the problem; in other cases it is required to pay heavy penalties and fines. The penalties depend on how severe the violation is and on the level of negligence. Penalties range from $100 to $50,000 per violation or record, with $1.5 million being the maximum penalty a company can be asked to pay per year for identical violations.
  • Financial penalties are determined using several factors, including the number of patients affected, what data was compromised, and for how long. Four tiers are used to determine the penalty. The first tier covers a company that did not know and could not reasonably have known of the violation; the second tier covers a company that knew or should have known of the violation but did not act with willful neglect; the third tier covers a company that acted with willful neglect but corrected the violation within 30 days; and the fourth tier covers a company that acted with willful neglect and failed to correct the violation in time.
  • Penalties and fines can be a heavy burden on businesses and can even lead to their closure, as was the case with Filefax, Inc., which was fined $100,000 to settle potential violations of the HIPAA Privacy Rule and was forced to close. Since 2003, the OCR has issued nearly $80 million in fines.
  • A HIPAA violation can also lead to criminal charges. Violations resulting from negligence can carry a prison term of up to one year, and knowingly violating HIPAA rules for personal gain or with malicious intent can carry a term of up to 10 years. Aggravated identity theft carries a mandatory two-year prison term.
  • The company's reputation can also be tarnished and the trust between the company and its customers destroyed.

The Level of Enforcement

  • The Office for Civil Rights (OCR) conducts periodic audits of the organizations and businesses covered by HIPAA to assess their compliance with the Privacy, Security, and Breach Notification Rules.
  • Organizations are chosen for audit at random. Once the OCR has selected an organization, the company has 10 days to respond. In 2017, the results of 166 audits were released.

The Reasoning for the Consequences for not Complying

  • The consequences of not complying with HIPAA regulations are justified to protect the medical records and personal health information of individuals, such as information about their prescriptions and health plans.
Part 04 of four

CMMC: Other Certifications and Standards

CMMC is a single standard that will be used across all DoD contracts in 2020 and 2021. It is based on the NIST SP 800-171 controls and combines several cybersecurity control standards, including NIST SP 800-171, AIA NAS9933, ISO 27001, and ISO 27032. While the final CMMC requirements are not out yet, some DoD contractors will be expected to demonstrate compliance with NIST SP 800-171 and hold ISO/IEC 27001 certification.

CMMC Requirements

  • The official CMMC requirements are expected to be released in January 2020, and contractors will have to be certified by late 2020 to bid on contracts.
  • Implementing "cybersecurity in DoD supply chains is based on the identification" of five certification tiers: CMMC Level 1 (Basic Cyber Hygiene), CMMC Level 2 (Intermediate Cyber Hygiene), CMMC Level 3 (Good Cyber Hygiene), CMMC Level 4 (Proactive), and CMMC Level 5 (Advanced/Progressive).
  • CMMC requirements encompass controls from other frameworks such as ISO 27032, AIA NAS9933, NIST SP 800-171, NIST SP 800-53, and ISO 27001; however, "800-171A and 800-171B controls make up the core and thus good starting point."
  • To become CMMC compliant, DoD contractors need access to easy-to-use compliance tools and security control expertise, coordinated across their solution, contract, and business development teams.
  • Contractors with no in-house NIST compliance experts can seek help from a virtual compliance officer, who will help determine the appropriate CMMC level and the specific controls to implement.
  • CMMC compliance may involve spot audits of DoD contractors. Contractors can therefore "streamline CMMC efforts with a solution that supports secure role-based access for staff, external advisors and third-party assessors."
  • In general, all DoD contractors must already meet the requirements of NIST Special Publication 800-171, as mandated by the Department of Defense.

DoD Contractors Dealing with CUI

  • Government contractors that handle or manage CUI (Controlled Unclassified Information) need to be compliant with NIST SP 800-171 before becoming CMMC compliant.
  • Companies that access or store CUI on their contractor information systems must protect it by adhering to the NIST SP 800-171 requirements before CMMC comes into force in 2020.

Preparing for CMMC

  • To prepare for CMMC, government contractors need to work with cybersecurity professionals who specialize in NIST SP 800-171.
  • These professionals perform a risk assessment and review the contractor's progress "toward compliance with the NIST 800-171 controls and list the ones that are deficient."
  • Some DoD contractors whose work involves audit and accountability must abide by the CERT Resilience Management Model (CERT-RMM) version 1.2 before becoming CMMC compliant.
  • For CMMC Level 3, certain DoD contractors whose work involves asset management are required to hold ISO/IEC 27001 certification.
  • DoD contractors that have already implemented the NIST SP 800-171 controls are expected to pass a CMMC audit up to Level 3 with relative ease.
Sources

From Part 01
  • "In May, Katie Arrington, Special Assistant to the Assistant Secretary of Defense for Acquisition for Cyber, gave a presentation to a small group of DoD contractors, introducing the development of the Cybersecurity Maturity Model Certification (CMMC). Designed to be a unified security standard that enhances the protection of CUI and applies to all organizations in the DIB, this new framework takes the previous requirement to the next level by featuring a verification component, among other demands."
  • "The Council of Economic Advisers, an agency within the Executive Office of the President, estimates that malicious cyber activity cost the U.S. economy between $57 billion and $109 Billion in 2016 [Ref: "The Cost of Malicious Cyber Activity to the U.S. Economy, CEA" in February 2018]."
From Part 03
  • "The security benefits associated with maintaining PCI compliance are vital to the long-term success of all merchants who process card payments. This includes continual identification of threats and vulnerabilities that could potentially impact the organization. Most organizations never fully recover from data breaches because the loss is greater than the data itself."
  • "Fines can range from $2,000 to more than $100,000 per month for PCI compliance violations, plus additional fines for repeat violations, depending on the merchant's acquiring bank."
  • "If a penalty is issued, it can range in cost from $100 to $50,000 per violation (or record) with a maximum penalty of $1.5 million per year of violations of an identical provision."
  • "Criminal violations that occur as a result of negligence can result in a prison term of up to 1 year."
  • "Since 2003, the OCR has discovered 55 Privacy Rule violations and handed out close to $80 million in fines. And as of 2018, the OCR has received more than 184,000 HIPAA complaints and initiated more than 902 compliance reviews."