The Cybersecurity Maturity Model Certification (CMMC)

Background
The US Defense Federal Acquisition Requirements Supplement (DFARS) is a comprehensive suite of requirements setting out the expectations for the procurement and supply of products and services to the US military.  Within these requirements is the obligation to implement a NIST directive that details a comprehensive set of cybersecurity practices for the protection of Controlled Unclassified Information (CUI).

Under DFARS regulations, Defense Industrial Base (DIB) contractors and their sub-contractors had been self-attesting to their compliance with the NIST practices.  However, self-attestation did not fully address the requirement to ensure that suppliers to the DoD had actually implemented the appropriate cybersecurity practices.  The CMMC framework addresses this oversight and the assurance gaps in DFARS, and also extends the scope of oversight to encompass both CUI and Federal Contract Information (FCI).

The DIB delivers a complex mix of products and services to the DoD through a supply chain of over 300,000 primary and subcontract suppliers.  A single cybersecurity model will not appropriately support such an economically and technically diverse supply chain with varying degrees of cyber maturity.  Given the depth, breadth and complexity of the products and services being delivered, a cybersecurity maturity model is the most appropriate way to accommodate this diversity.

The CMMC
The Cybersecurity Maturity Model Certification (CMMC) was developed by the US Department of Defense to address the protection of information and data on DoD networks, as well as to improve overall cybersecurity and supply chain protection across the DIB.  Whilst the issues of cybersecurity, data protection, and supply chain risk management are not new, the DoD's approach of establishing auditable accountability through a certification process moves beyond the previous self-attestation process and breaks new ground.  Although the decision to pursue certification is voluntary for any business or entity, it will become a requirement of eligibility to compete for DoD contract business going forward.

The CMMC framework
The CMMC framework is built on four elements – Security domains, Capabilities, Controls (Practices), and Processes – which, when combined, form best practices for the protection of an organization and its associated FCI and CUI.  These elements apply across five cybersecurity maturity levels (Levels 1, 2, 3, 4 and 5) in the overall CMMC framework, where Level 1 is the least mature and Level 5 the most mature.

Each level of the CMMC is designed to accommodate a different degree of cybersecurity and process maturity, with the number of security domains and the level of practice increasing at each step.  The levels are designed to support DIB suppliers ranging from those who require basic cybersecurity hygiene at Level 1, through to complex DIB suppliers at Level 5 who are actively targeted by threat actors, potentially from a nation state.  The required level of compliance will be defined by the DoD during the procurement process, mapped to the data the contract will handle (FCI or CUI) and the perceived threat to the DoD.  Levels 1 and 2 are associated with FCI data, and Levels 3, 4 and 5 with CUI.

CMMC Center of Excellence
The CMMC Center of Excellence (COE) is a public/private partnership sponsored and hosted by the IT Acquisition Advisory Council (IT-AAC).  It will be the focal point for coordination, communication, and collaboration in support of entities seeking to achieve the Cybersecurity Maturity Model Certification requirements, with the aim of improving the cybersecurity and overall security of the supply chain for the defense industrial base and the US Department of Defense.

The COE and its partners, of which CREST is one, provide DIB companies, sub-contractors, technical suppliers and the broader business community with the education, mentoring, solution architectures and tools needed to improve cyber hygiene by promoting the adoption of cybersecurity implementation best practices across the CMMC eco-system.

CREST's involvement in this partnership will comprise delivering service provider accreditations alongside certification of their individuals, and maintaining a register of suitably credentialed individuals.  The accreditation of service providers will be in line with criteria established and agreed under DFARS.  CREST will also provide all the administrative processes for the ongoing requirements of re-accreditation, changes to the accreditation criteria, the management of company code of conduct compliance, complaint investigation, and other management processes.  Together, these activities give assurance that the services being provided are delivered by companies with robust data handling procedures, quality assurance processes and technical methodologies, and by skilled, knowledgeable and competent individuals.

In parallel, CREST is exploring the establishment of a quantitative assessment to support the DFARS process.  This is intended to provide a means of sampling those who have stated that they have reached a declared level of maturity, supporting the audit and performance of the maturity modelling process.