The latest draft version (0.7) of the Cybersecurity Maturity Model Certification (CMMC) was released by the Department of Defense (DoD) Office of the Undersecretary of Defense Acquisition and Sustainment [OUSD(A&S)] in December of 2019. An ongoing effort to continually provide more accurate and more effective insight into modern cybersecurity best practices for organizations involved with DOD operations, the CMMC is a valuable resource – but only if you understand it.
Do you know what this latest version entails, and what it means for you?
What Is The CMMC?
Just in case you aren’t up to date, the CMMC is the DOD’s way of certifying their contractors’ abilities to protect the Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) shared within the supply chain.
This builds upon the requirements set out by Defense Federal Acquisition Regulation Supplement (DFARS), Code Of Federal Regulations (CFR) and National Institute of Standards and Technology (NIST) guidelines (namely, 800-171 of the latter).
The DoD relies on external contractors and suppliers like you to carry out a wide range of tasks. Sensitive data is shared with you must be protected. The fact is that inadequate safeguards for this sensitive data may threaten America’s National Security and put our military members at risk.
The DoD has implemented a basic set of cybersecurity controls through DoD policies and the DFARS. The DFARS rules and clauses apply to the safeguarding of contractor/supplier information systems that process, store or transmit Controlled Unclassified Information (CUI). These security controls must be implemented at both the contractor and subcontractor levels based on information security guidance developed by the National Institute of Standards and NIST Special Publication 800-171 “Protecting Controlled Unclassified Information in Non-federal Information Systems and Organizations.”
As a U.S. DoD contractor who collects, stores, or transmits Covered Defense Information (CDI) or Controlled Unclassified Information (CUI) you must comply with NIST regulation 800-171 and DFARS 252.204-7012. Your subcontractors must comply as well and be able to maintain compliance. If you don’t, you can’t bid on DoD contracts, and you may lose the ones you have. The CMMC is the DOD’s way of giving contractors like you a method for verifying that the appropriate measures have been put in place.
What Is Covered In CMMC Draft Version 0.7?
The CMMC is broken into multiple levels, any of which a contractor can endeavor to meet basic and advanced cybersecurity standards:
| CMMC Level | Total | CFR 52.204-21 | NIST 800-171r1 | NIST 800-171B |
| Level 1 | 17 | 15 | 17 | – |
| Level 2 | 55 | – | 48 | – |
| Level 3 | 59 | – | 45 | – |
| Level 4 | 26 | – | – | 13 |
| Level 5 | 16 | – | – | 5 |
| N/A – Excluded | – | – | – | 15 |
| Total | 173 | 15 | 110 | 33 |
Table 1 – CMMC Model Version 0.7 Practices per Reference
The latest version of the CMMC offers further detail on levels 4 and 5, which are based primarily on information laid out by with NIST 800-171. Of the controls added to the CMMC in draft version 0.7, the following are those most important for your organization to note:
- P1053
“Automate log analysis to identify and act on critical indicators (TTPs) and/or organizationally defined suspicious activity.”This essentially calls for a SIEM solution, which includes a monitoring service, with adaptive threat protection that identifies active cyberattacks and takes action in real-time to protect your business.By integrating intelligence from global threat monitoring feeds, this solution responds to network-based zero-day exploit attempts, drive-by downloads, and advanced malware that routinely bypass conventional firewall and antivirus technologies.
- P1060
“Include practical exercises in awareness training that are aligned with current threat scenarios and provide feedback to individuals involved in the training.”Cybersecurity awareness training is becoming a more and more common part of modern IT services. The fact is that users are a key target for cybercriminals; the more they know about cybercrime tactics, the better defended your organization will be.
- P1101/1107
“Establish and maintain a Security Operations Center (SOC) during relevant business hours (Level 4) or 24/7 (Level 5).”A Security Operations Center (SOC) is a team of people, employing a range of proven processes and using carefully implemented technologies (such as SIEM) which are often centralized, and that – at the very least – gather and analyze user reports and a range of data sources – such as logs — from information systems and cybersecurity controls.Typically, the main point of a SOC in the business setting is to identify, address and eliminate cybersecurity events that could negatively impact an organization’s information systems or data.
- P1227
“Periodically perform red teaming against defensive capabilities.”You can’t just assume your cybersecurity is effective – you need to test and find out for sure. Red-teaming is a valuable exercise in which white-hat hackers attempt to break through your organization’s cybersecurity defenses, determining precisely where your vulnerabilities may be.
- P1171
“Establish and maintain a cyber threat hunting capability to search for indicators of compromise in organizational systems and detect, track, and disrupt threats that evade existing controls.”You need to do more than actively prevent a data breach – you also need to act as though you may have already been breached. In assuming as much, you’re expected to constantly watch for any signs your defenses may have been penetrated.
What Isn’t Covered In CMMC Draft Version 0.7?
This latest draft version still fails to dictate precisely which data needs to be protected at Level 4 or level 5. Say, for example, you deal with International Traffic in Arms (ITAR) data – as it’s CUI, you know it’s a minimum of Level 3. But at what point will it trigger a higher level?
This lack of clarity makes it difficult for organizations like yours to know exactly how far they need to go. To be fair, though, the CMMC drafts have so far been released on schedule, which is no small feat, considering the level of governmental oversight it requires. Further detail should follow according to the schedule.
What Will The CMMC Look Like Moving Forward?
The first official version (1.0) of the CMMC is due to be released in January 2020, at which point DOD related organizations will need to make sure everything is put in place. By then, in theory, it will be clear what data will require what protections.
If you’re unsure of how to comply with DFARS, NIST, CFR and the CMMC, don’t risk it – work with a skilled and knowledgeable partner like Hampton Roads Communication Technologies. We work with DoD contractors throughout the United States, Mid-Atlantic Region, Hampton Roads Virginia, north into Williamsburg and south into the Outer Banks of North Carolina.
Need to prepare for a CMMC Audit? CLICK HERE
