The Department of Defense is set to release the final version of its cyber certification framework for contractors Jan. 31, and military contractors will have to step up compliance efforts if they want to keep doing business with the government.
Once the Cybersecurity Maturity Model Certification goes into effect, all defense contractors and subcontractors will be required to undergo third-party assessment of their cybersecurity practices and handling of controlled unclassified information.
CMMC will become part of the DoD’s requests for information in June, and will be included in requests for proposals in the fall.
The U.S. defense industry is a prime target for rogue states — in one 2018 incident, Chinese spies hacked a Navy contractor to steal massive amounts of highly sensitive data on U.S. submarine technology — so the federal government has focused increasingly on vendor supply chains and contractors.
The DoD spent 2019 planning the cybersecurity certification framework for contractors who handle its sensitive information, a step it says is critical for protecting the defense industrial base, stopping data theft and fending off nation-state attacks.
CMMC measures compliance with NIST SP 800-171, a set of 110 cybersecurity controls and reporting standards mandated by Defense Federal Acquisition Regulations System, and goes further — combining NIST SP 800-171 with other cybersecurity control standards (NIST SP 800-53, ISO 27001, ISO 27032, AIA NAS993) to build a unified standard for cybersecurity.
It also takes compliance requirements to a new level. Until now, contractors only needed to self-assess and self-attest their compliance.
How effective was that?
“Not very,” said Shawn Murray, chief academic officer and president/CEO at Murray Security Services. “The government came out and said, ‘… We can no longer self-attest because we’ve had too many breaches. We’re still seeing our information getting out there.’ The government now needs to assure what you’re doing — and if you’re part of that supply chain, we want the prime contractors and subcontractors to all be measured on their level of maturity for cybersecurity.”
WHO DOES IT IMPACT?
The defense supply chain winds around a lot of companies.
“If I’m a Northrop Grumman, a Lockheed Martin, L3Harris — a big prime contractor — and I develop an aircraft or a space system or a vessel for the Department of Defense, I don’t build all of it. I have subcontractors that develop specific parts,” Murray explained. “Colorado Springs is the second-largest military community outside of the National Capital Region, so we have a lot of manufacturing between Denver, Pueblo and Colorado Springs. When you get a contract as a subcontractor to build a specific part, you’re now considered part of that supply chain.”
Katie Arrington, the DoD chief information security officer spearheading the changes, acknowledged in a June 12 webinar that the CMMC is “a major undertaking,” but said it’s essential.
“If we were doing all the necessary security controls, we wouldn’t be getting exfiltrated to the level that we are,” she said. “We need to level set because a good portion of our defense industrial base doesn’t have robust cyber hygiene.
“Only 1 percent of [Defense Industrial Base] companies have implemented all 110 controls from the National Institute of Standards and Technology.
“We need to get to scale where the vast majority of DIB partners can defend themselves from nation-state attacks.”
According to the Office of the Under Secretary of Defense for Acquisition & Sustainment, each CMMC level — from basic cybersecurity hygiene (Level 1) to advanced (Level 5) — will require controls and processes to reduce risk against a specific set of cyber threats.
Version 0.7 of the draft CMMC was released Dec. 6, following versions 0.3 and 0.6. Defense contractors still have unanswered questions about implementation and cost.
“They’ve introduced all of this discussion over the last several months, and the industry — contractors, primes, subs — they’re all throwing their hands up in the air going, ‘There’s no way,’” Murray said. “I mean, some subs are saying, ‘That’s it. I’m not doing business with you anymore because I don’t have the money, the resources, the time, to be Level 3 right now.’
“… A lot of feedback has come back to DoD and to the primes from the subs: ‘Look, either I’m gonna bail or you’re going to help me or we’ve got to come up with a reasonable time frame.’ That message has been received by DoD and now the Under Secretary of Defense for Acquisition, she has actually come out and said, ‘OK, we get it. We don’t expect you to be Level 3 [immediately].’
The DoD has assured contractors that the cost of certification will be considered an “allowable, reimbursable cost” — although it’s unclear at what percentage. And while the process for becoming CMMC- certified will be rigorous and time-consuming, the Office of the Under Secretary of Defense for Acquisition & Sustainment says the cost “will not be prohibitive.”
Also up in the air, Murray said, is exactly what’s considered controlled unclassified information, or CUI, in any given contract.
“If I’m a defense contractor, you have to tell me what needs to be protected,” he said. “For the small contractors, if [DoD work] is their bread and butter, they’re trying to figure it out and trying to get there.
“That’s a risk for a small organization, because they don’t know anything about how to do this, so they go and hire a company … and if it’s a fly-by-night company, they may not be familiar with CMMC or [NIST SP 800-]171, or the government standards, and they come in and do a vulnerability assessment and tell you you’ve got to spend a gazillion dollars.”
Subcontractors had questions at the Colorado Springs Chamber & EDC’s Cybersecurity Summit & Industry Day Jan. 15, which aimed to give an update on local cybersecurity resources and growth, as well as “those next big hurdles that you should be prepared for,” said Cybersecurity Programs Director Vinnie Persichetti.
“CMMC was certainly one of those things coming down the pike that really was the top of that list,” he said. “… The message for the community is: Start to prepare yourself so that you’re not caught trying to catch up at the last minute.
“There are things you can do now to try to help get ahead of the game, things like 800-171 controls — if you’re not already implementing those, it would be wise to get a head start and take a look at those controls.
“CMMC will go beyond just 800-171, so you can look at version 0.7 and get an idea of some of the things that they are considering. But there’s no need to dive headlong into an actual certification just yet, because there are no assessors.”
A cybersecurity company can apply to become a CMMC assessment firm or it can work with military contractors to build their cybersecurity capabilities — but not both. Once CMMC assessors are certified, they’re expected to start assessments in June.
At the same time, Murray said, the DoD is standing up an independent steering committee to oversee the CMMC process.
“We’re flying the aircraft as we’re building it,” he said. “It’s the way the government works.
“My message to everyone is, ‘Look, don’t stop. Just slow down,’” he added. “You still have to do this for your regular business. You have to put firewalls in, you have to have vulnerability management. You should be doing this anyway.
“It’s that level of maturity that you’ve never invested in, that you’re going to have to — so you should have a plan moving forward, while they iron out all the details.”
AN OPPORTUNITY, NOT AN OBSTACLE
Georgianna Shea, department chief engineer for defense acquisition and policy with The MITRE Corporation, who spoke at the summit, said she sees CMMC’s requirements for handling of CUI as “the tip of the iceberg with what companies can be doing, because they can do the same things for non-CUI.
“They can go through and look at the organizations [they’re doing business with] themselves, not just the contract information with the government,” she said. “They can go through and look at their suppliers as well.”
It’s a valuable opportunity for contractors to gauge their cybersecurity posture, Shea said.
“Within the test community, for a lot of systems we will have cyber tabletop exercises — a war game exercise of, ‘OK, this is what’s going on, these are the operators, these are attackers,’ and then you kind of walk through the whole scenario,” she said. “And usually the operators walk away with, ‘Oh, I didn’t realize we had a vulnerability here until the hacker came and said, “Yeah, this is how I can exploit your system.”’
“It’s the same thing with these companies. If a third party comes in and says, ‘Hey, did you realize you’re vulnerable here?’ then they’re like, ‘Great, good to know. Now we can fix this.’”
It’s also a real opportunity to better protect the defense industry as a whole.
“The supply chain itself is so difficult to get a hold of what’s going on and who’s actually providing what,” Shea said. “The government gets things from their contractors who get things from their suppliers, who get things from their suppliers, who get things from their suppliers. I think up until now it’s been, ‘Well, we’re just going to do what’s required of us’ — but companies really need to embrace cybersecurity and practice due care and due diligence, and they need to start imposing their own requirements on their suppliers… .
“For companies to really have a cybersecurity strategy in what they’re doing, and then communicate that to the government, that’s extremely beneficial.”