The Defense Department is implementing new guidelines to certify contractors on cybersecurity preparedness. Learn how the new rules compare to NIST SP 800-171.
Recently approved Defense Department guidelines for cybersecurity are very similar to existing guidelines. What does your defense contracting company need to know about the new and the old?
The Cybersecurity Maturity Model Certification (CMMC) program is designed to improve selection processes, level the playing field for defense contractors and provide clarity for all parties. Slated to go into effect with RFPs as of June 2020, CMMC is a new series of guidelines defense contractors and subcontractors must meet to be eligible to compete for departmental contracts.
How Does Cybersecurity Maturity Model Certification Program Work?
The CMMC is based on about 173 cybersecurity practices that are bundled into 43 different capabilities, representing the processes, policies, solutions and actions contractors must have in place. The CMMC defines 5 different levels of compliance.
At the most basic Level 1, organizations meet the bare minimum federal regulations regarding cybersecurity protections. Level 2 covers organizations with standard operating procedures, cybersecurity policies and strategic plans.
The upper Levels 4 and 5 cover organizations with more substantial protections in place that provide for adaptive responses to the most persistent and evolving cyberattacks.
It’s the third level, classified as good cyber hygiene, that most closely maps to the existing NIST SP 800-171 guidelines, which have long shaped contractor compliance with DoD cybersecurity expectations. Contractors certified at Level 3 are able to access Controlled Unclassified Information (CUI) and to protect both their assets and the CUI. However, such contractors may not be able to sustain those protections in the face of persistent and complex attack vectors.
How Are CMMC and NIST SP 800-171 Similar?
The Defense Department has several FAQs devoted to the relationship between CMMC and NIST SP 800-171. One of the reasons for adopting CMMC is to combine different cybersecurity standards that have been used in the past. In addition to the standards, CMMC is also designed to “measure the maturity of a company’s institutionalization of cybersecurity practices and processes,” according to the FAQ site.
The most obvious similarity is in the use of grouping categories (called “domains” in CMMC). The 17 domains are:
- Access Control
- Asset Management
- Audit and Accountability
- Awareness and Training
- Configuration Management
- Identification and Authentication
- Incident Response
- Maintenance
- Media Protection
- Personnel Security
- Physical Protection
- Recovery
- Risk Management
- Security Assessment
- Situational Awareness
- System and Communications Protection
- System and Information Integrity
Within each CMMC domain are different capabilities in which contractors must demonstrate competency. For example, under the Media Protection domain, contractors must demonstrate that they:
- Identify and mark media
- Protect and control media
- Sanitize media
- Protect media during transport
Under the System and Information Integrity domain, the following competencies are required:
- Identify and manage information system flaws
- Identify malicious content
- Perform network and system monitoring
- Implement advanced email protections
The CMMC domains are similar to the 14 categories used by NIST SP 800-171. As with CMMC, each category contains capabilities that contractors must meet. The domains new in CMMC are Asset Management, Recovery and Situational Awareness.
Contractors seeking certification will see a few similarities and differences. One of the most critical changes with CMMC is the elimination of self-reported compliance. This closes a loophole that has put contractors taking a more rigorous approach to compliance at a disadvantage in some contract situations, when competing against companies with looser, more relaxed interpretations of the guidelines.
Instead, organizations will need to be certified by an independent, accredited third-party certifier. Contractors will state at which level they seek to achieve certification. As of early February 2020, the cost of such assessments and a list of certified third parties was pending.
The process is also designed to simplify the bidding process for the Defense Department, both in declaring upfront what level is required for the contract and in unifying the information assessed across bidders.
Preparing for CMMC certification is important for contractors and subcontractors. At HRCT, we help Hampton Roads businesses with assessments and solutions that keep organizations compliant and ready for CMMC. To learn more, contact us today.