CMMC: History, Future + International
CMMC is a certification process from the DoD that measures a DIB sector company's ability to protect CUI and FCI. It incorporates several cybersecurity control standards, including NIST SP 800-171, AIA NAS9933, ISO 27001, and ISO 27032.
The History of Cybersecurity Maturity Model Certification (CMMC)
WHAT IS CMMC
- CMMC is a certification process from the DoD that measures a DIB sector company's ability to protect CUI and FCI.
- It combines several cybersecurity standards and best practices into a single standard that will be used across all DoD contracts in 2020 and 2021.
- It will have several maturity levels, ranging from "Basic Cybersecurity Hygiene" to "Advanced." At level one, companies are required to practice basic cyber hygiene, which may be performed in an ad hoc manner. It draws on several cybersecurity control standards, including NIST SP 800-171, AIA NAS9933, ISO 27001, and ISO 27032.
- While the final CMMC requirements have not been released yet, some DoD contractors will be expected to hold certifications against NIST 800-171 and ISO/IEC 27001.
- Being CMMC compliant subjects DoD contractors to spot audits. As a result, DoD contractors can "streamline CMMC efforts with a solution that supports secure role-based access for staff, external advisors, and third-party assessors."
WHEN CMMC WAS FOUNDED
- The first draft of the framework was released in September 2019, and version 1.0 is anticipated to be available by January 2020.
- By June 2020, the requirements will be incorporated into Requests for Information, and by fall 2020 they will also be included in Requests for Proposal.
HOW CMMC WAS FOUNDED
- Malicious cyber activities have threatened US national security and the economy, leading to the loss of billions of dollars of intellectual property (IP).
- According to the Council of Economic Advisers, in 2016 malicious cyber activity cost the US economy between $57 billion and $109 billion. Most of this IP theft is directly linked to poor cybersecurity and the unsuccessful implementation of measures to guard sensitive data.
- The US Department of Defense (DoD), through the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)), partnered with the Defense Industrial Base (DIB) sector to counter malicious cyber activities by increasing the protection of sensitive data. This focuses mainly on Controlled Unclassified Information (CUI) and Federal Contract Information (FCI).
- Previously, all contractors and subcontractors working with the DoD were required to comply with NIST Special Publication (SP) 800-171. Because compliance was self-attested (an honor system), many contractors failed to meet the standard, resulting in security issues.
- Since Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) are shared with DIB sector contractors, the DoD's sensitive data is distributed beyond its own information security boundary.
- Due to these threats, the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) began working with DoD stakeholders, federally funded research and development centers, and university-affiliated research centers to develop the Cybersecurity Maturity Model Certification (CMMC).
The Future Vision for Cybersecurity Maturity Model Certification (CMMC)
GOALS AND OBJECTIVES
- The primary objective of the Cybersecurity Maturity Model Certification (CMMC) is to base its cybersecurity standards on existing NIST standards.
- Government contractors that handle or manage CUI (Controlled Unclassified Information) need to be compliant with NIST 800-171 before they can become CMMC compliant.
- The most significant concern of Pentagon officials is the cybersecurity risk posed by contractors and subcontractors. The department's goal is to have new cybersecurity standards for contractors in place in 2020.
- DoD contractors that deal with audit and accountability must abide by the CERT Resilience Management Model (CERT-RMM) version 1.2 before becoming CMMC compliant.
- Companies with CUI accessed or stored on their contractor information systems must protect it by adhering to NIST SP 800-171 requirements before CMMC takes effect in 2020.
- Generally, all government contractors must meet the requirements of NIST Special Publication 800-171 as mandated by the Department of Defense.
- To achieve these objectives, the DoD and other federal and state agencies are offering financial assistance to both mid-sized and small contractors.
- The Department of Defense (DoD) is planning to move to the new CMMC framework to assess and improve the cybersecurity posture of the Defense Industrial Base (DIB).
- The CMMC is planned to be a verification method to make sure that the necessary levels of cybersecurity processes and practices are in use.
- This will enforce basic cyber hygiene and also safeguard controlled unclassified information (CUI) that is stored on the Department's industry partners' networks.
- To be CMMC certified, government contractors also need to work with cybersecurity professionals who are focused on NIST 800-171.
- CMMC's initial implementation will focus on the DoD only.
- The CMMC model consists of 5 levels.
- The first level will focus on basic cyber hygiene and will have the required specifications detailed under 48 CFR 52.204-21. This level acts as the foundation for the other levels and must be adhered to by all certified organizations.
- CMMC level two will concentrate on intermediate cyber hygiene, giving the organization a better ability to protect and sustain its assets against more cyber threats.
- The third CMMC level ensures that the organization has met the NIST SP 800-171 security requirements.
- CMMC level four focuses on reviewing and documenting activities for effectiveness and on alerting top management of any issues.
- At level five, the organization is expected to standardize process implementation across the organization.
We initially started our research by looking for information about the history of the CMMC, the future vision, and how the CMMC works for companies from other countries. We used several credible sites such as The Business of Federal Technology and Federal News Network, among others. We found data on the history of the CMMC and the future vision. However, we could not find any information regarding how CMMC works for companies from other countries.
Since we found that CMMC is a government initiative, we decided to check US government sites such as the Office of the Under Secretary of Defense for Acquisition & Sustainment (OUSD(A&S)), the Department of Defense (DoD), and the Information Technology Industry Council, among others. We found the latest version of the draft CMMC guide on the site of the Under Secretary of Defense for Acquisition & Sustainment (OUSD(A&S)). It had all the details about what CMMC is, its history, and how organizations working with the DoD must be certified to curb cybersecurity issues. However, this guide did not mention anything about how CMMC works for companies from other countries or how they intend to work with other nations interested in contracting with the US DoD.
Upon finding no information about CMMC working with other countries in the government sources, we checked news sites, media sources, and press releases. However, no information regarding this was found. We decided to peruse all previous versions of the CMMC draft. We started checking from the first version (V 0.1) through (V 0.7), thinking that we could trace any information regarding CMMC working with other nations. We only found that the updates from one version to another included more details on the procedures to be followed by organizations that will work with the US DoD from 2020.
We decided to redirect our research towards determining which countries work with the US DoD. We searched for any studies or articles from publications to check whether there were certifications required for contractors or subcontractors to work with the US DoD. This would help us know whether the previous certification was included in the new CMMC draft. However, we could not trace any information regarding this. We therefore assumed that, since the draft is being implemented in different phases and every newer version comes with revised data, newer versions of the draft might include the information.