As evidenced by the October 4, 2018, disclosure of a data breach at the U.S. Department of Defense (DoD), hackers are increasingly targeting government agencies. According to Lt. Col. Joseph Buccino, a spokesman for the Pentagon, the attackers managed to get their hands on the credit card numbers and private details of at least 30,000 federal and civilian contractors. The hackers took advantage of flaws in a system operated by a third party that kept track of DoD employees’ travel history.
This event demonstrates how challenging it can be to guarantee sufficient data security when that data is transferred to non-government organizations. To meet the requirement to improve the privacy of its computer networks, the federal government is using technologies that assess, measure, and minimize threats with partners on several tiers in real time. For instance, DoD contractors must obtain Cybersecurity Maturity Model Certification (CMMC) to demonstrate that their computer security complies with government standards. The Defense Industrial Base (DIB), which serves as the military’s supply chain, will gain a stronger security posture through the CMMC for DoD contractors program.
What is CMMC compliance?
The CMMC offers controls ranging from elementary computer security to sophisticated safeguards across five maturity levels. The Defense Department will have outside parties audit DoD contractors to gather data on their risk management procedures and gauge their maturity. This initiative concentrates on the readiness and safety of third-party systems, which have historically been challenging to control.
Beginning in June 2020, the DoD will incorporate CMMC requirements in requests for information (RFIs). Beginning in September 2020, requests for proposals (RFPs) will detail the CMMC specifications. In particular, Sections L and M of RFPs will outline the CMMC level required by contractors.
The Cyber Security Model, which the U.K. Ministry of Defence employs for its contracts, serves as the foundation for the CMMC framework. The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, which outlines the current requirements for a government contractor’s security posture in the U.S., is also heavily incorporated into the CMMC. The CMMC also draws on various computer security standards, including AIA NAS9933, ISO 27001, ISO 27032, and NIST SP 800-53. In addition to these computer security standards, the CMMC includes the requirements of FedRAMP and DFARS. As a result, the CMMC, enforced through DFARS, offers the U.S. government a single maturity model.
Levels of Maturity for NIST 800-171 Compliance
Defense contractors processing Controlled Unclassified Information (CUI) are already required by NIST SP 800-171 to implement 110 security controls. However, it lacks monitoring and transparency mechanisms for protecting CUI and relies solely on contractor self-assessment. This deficiency is one of the driving forces behind the creation of CMMC, which would mandate that contractors provide third-party evaluators and certifiers with proof of their competencies, controls, and procedures.
The 5 Levels of CMMC Maturity
The CMMC defines five maturity levels, with Level 1 being the least mature and Level 5 being the most. CMMC Level 1, also known as Basic Cyber Hygiene, comprises 17 security controls from NIST SP 800-171 Rev. 1. CMMC Level 2, or Intermediate Cyber Hygiene, consists of 46 controls from NIST SP 800-171 Rev. 1. CMMC Level 3, often known as Good Cyber Hygiene, consists of 47 NIST SP 800-171 Rev. 1 controls. Together, the first three CMMC maturity levels cover all 110 security controls in NIST SP 800-171 Rev. 1.
The security controls from NIST SP 800-171B, which is still in draft form, make up the remaining two maturity levels. This supplement to NIST SP 800-171 introduces additional requirements for safeguarding critical programs and high-value assets, along with protections for CUI in non-federal entities. CMMC Level 4, also known as Proactive, includes 26 controls from NIST SP 800-171B. CMMC Level 5, also known as Advanced/Progressive, adds four controls from NIST SP 800-171B.
With this multi-tiered system, businesses may contract with the government without having to implement more security measures than are truly necessary. Companies only need to obtain the CMMC level their contracts require, which lowers the cost of the process. In DoD contracts requiring CMMC, certification expenditures will also be a reimbursable expense.