The US Department of Defence is planning to implement ‘Cybersecurity Maturity Model Certification’ (CMMC) in 2020. The new framework comes as the Department of Defence (DoD) plans to push defence industrial base (DIB) organisations to improve their cybersecurity infrastructure and procedures.
In this blog post, we’ll discuss the details of the new legislation, what it means for you and show you how to prepare your organisation for its rollout planned later this year.
What is the CMMC legislation?
The DoD has created new legislation to encourage a high standard of security when DIB firms distribute controlled unclassified information (CUI) within the supply chain, since breaches of confidential information pose risks to national security and cost the U.S. economy $600 billion a year.
CMMC aims to create a unified standard of cybersecurity throughout this industry, outlining the security requirements to trade within the aerospace and defence sector.
The legislation will work on a tiering system with five levels of CMMC approval, certifying organisations with a rating from ‘basic cyber hygiene’ to ‘advanced’.
The five levels comprise 171 practices (technical capabilities) and five processes (employee and team procedures) that span 17 domains. This means that if a firm aims to reach the maximum CMMC certification, it must adhere to all practices and processes within tiers one to five.
What does this mean for NIST SP 800-171 contracts?
The National Institute of Standards and Technology (NIST) special publication 800-171 governs the security capabilities of organisations which handle and share CUI documents.
Due to the large number of contracts listed within NIST SP 800-171, there will be a large crossover period where both CMMC and NIST SP 800-171 will coexist. Once these contracts have come to their conclusion, NIST SP 800-171 will be terminated, replaced by CMMC.
Whilst CMMC is being implemented for DIB organisations, you’re required to adhere to the guidelines outlined within NIST SP 800-171 until the DoD retires that legislation once CMMC is fully adopted. So, any company that accesses and handles CUI is still required to self-assess its cybersecurity capabilities, confirming that it meets all 110 security controls of NIST SP 800-171 or that it has a Plan of Actions and Milestones (POA&M) in place.
How is CMMC different to NIST SP 800-171?
The key difference is that NIST SP 800-171 requires firms to follow a number of security procedures, mainly related to infrastructure, to achieve accreditation. CMMC, however, will work on a tiering system with five ranking levels that aren’t just infrastructure requirements but practice- and policy-related. CMMC will also require organisations to test their cybersecurity procedures and risk mitigation practices, record how well they work, and provide optimisation plans.
When is CMMC going to be implemented?
The DoD has announced that elements of CMMC will be mandatory as early as June 2020, and in certain requests for proposals (RFPs) by September 2020.
Because cybersecurity requirements vary between individual requests for information (RFIs) and RFPs, the CMMC tiering system allows you to specify which tier contractors in your supply chain need to adhere to. Initially, the DoD is planning to roll out the first contracts with mandatory CMMC certification for those with low-security requirements.
What do I need to do to get CMMC certification?
All CMMC accreditations will be conducted by independent third-party organisations, so your organisation must arrange these CMMC inspections itself. Before these reviews take place you must specify which level of certification you need, based on the type of contracts you aim to deliver.
Here, we’ve detailed the top-level requirements for each of the CMMC rankings:
Level one (Basic Cyber Hygiene):
Organisations operating with a level one certification perform security measures in an ad hoc manner, using only a predefined system that addresses the 17 practices required for the basic security safeguarding specified in 48 CFR 52.204.21.
Level two (Intermediate Cyber Hygiene):
To achieve level two, organisations must have all of the infrastructure listed in tier one but will also need to provide policy and documentation of their cybersecurity practices.
Level three (Good Cyber Hygiene):
Level three certification is very similar to the previous level, as it is still based around providing documentation of the policies and practices surrounding cybersecurity in your organisation. However, you are also required to show how employees and stakeholders intend to comply with CMMC. A plan must be prepared to outline how staff training is conducted, covering your missions, goals, project plans, resourcing, required training, and the involvement of stakeholders.
To achieve level three certification you also need to have implemented all 110 control requirements of NIST SP 800-171. There are also 13 new practices, adopted from various other security standards, that are focused around:
- CUI data handling
- Risk assessments and risk mitigation
- Cyber threat response procedures
Level four (Proactive):
The next level is focused on testing and practising the procedures you documented in levels two and three, running mock scenarios to measure the effectiveness of your plans. Assessors will examine whether all the correct actions are taken to communicate between the team and the appropriate upper-level management.
Level five (Advanced/Progressive):
Once you have passed all of the prior tests, level five will require your organisation’s processes to be standardised throughout the company, with regular effort committed to optimising your procedures. Level five also requires all the practices and infrastructural requirements listed within CMMC to be in place.
Get prepared with eProcurement
Modern eProcurement technology has largely been out of reach for aerospace and defence companies because of the inability of these tools to meet government regulations and cybersecurity requirements. Through our close partnership with Exostar we’ve enhanced our eProcurement platform, creating a secure eProcurement platform that meets the stringent requirements of defence organisations.
The powerful functionality of web3 can help you to drive significant cost savings throughout the procurement lifecycle, and it will also help to centralise the purchasing activities required for CMMC certification.
If you’re conducting research to start your preparations for CMMC, be sure to get in touch with our industry experts who will give you clear guidance on how eProcurement can help. And if you have found this blog post useful, be sure to share it with your colleagues on Twitter and LinkedIn.