The Department of Defense released the highly anticipated final version of its cyber certification framework Jan. 31, finally solidifying the compliance efforts military contractors will have to tackle if they want to keep doing business with the government.
In this final version (dubbed Version 1.0) of the Cybersecurity Maturity Model Certification, the DoD filled gaps in the Version 0.7 draft and — more importantly — confirmed there’ll be a phased rollout of cybersecurity requirements for companies that handle its sensitive information.
By October, the DoD will require companies to prove they meet at least basic cybersecurity standards to bid on some government contracts. By 2026, all prime contractors and lower-tier subcontractors will have to undergo a third-party assessment of their cybersecurity practices and handling of controlled unclassified information, or CUI.
The CMMC requirements have been a long time coming, and were propelled by damaging cyber attacks on federal contractors.
In 2019 it was revealed that sophisticated Iranian-backed hackers stole vast amounts of data from a major government contractor — a software company that handles sensitive computer projects for the United States military, the FBI and the White House communications agency. It’s believed the hackers lurked in the system for years before being discovered in December 2018.
In late 2018, the DoD’s travel record system was breached in an attack that exposed the personal information and credit card accounts of about 30,000 personnel. And in another 2018 incident, Chinese spies hacked a Navy contractor to steal a trove of highly sensitive data on U.S. submarine technology.
The CMMC is a response to high-profile breaches like these. It represents a major shift in the way the DoD manages cyber risk in its supply chain, building a unified standard for cybersecurity and fine-tuning compliance requirements, with five levels of certification. In El Paso County — where, according to the Colorado Springs Chamber & EDC, 40 percent of the economy is tied to the defense industry — contractors are paying attention.
The Pikes Peak Small Business Development Center hosted a TechSource Cyber: CYA program Feb. 18 for contractors to learn about the requirements and rollout, led by Shawn Murray, chief academic officer and president/CEO at Murray Security Services and lead cyber expert at Pikes Peak SBDC.
The overarching message: Keep prioritizing cybersecurity. DoD is pushing for rapid adoption of the new certification levels and, while the phased rollout gives industry a bit of breathing room, contractors and subcontractors need to prepare for CMMC now. It’s essential to the security and viability of the defense industry and every business in its supply chain.
Cyber attacks on contractors and subcontractors are a significant national security threat, Under Secretary of Defense for Acquisition and Sustainment Ellen Lord said at the Pentagon news briefing on Version 1.0, so the CMMC is “a critical element of DoD’s overall cybersecurity implementation.”
“Secretary Lord noted cyber attacks are low cost to conduct, but that in the past year alone cyber attacks resulted in approximately $600 billion of global GDP loss through cyber theft,” Murray told contractors at the SBDC event. “That is just one year’s worth of theft. … That’s over a half a trillion in one year.
“You’ve seen probably over the last 10 years [with] China, Russia, you see very similar models of aircraft, spacecraft, Navy vessels — things that have been sensitive unclassified, plans, procedures, diagrams, engineering diagrams — that have been stolen,” he added. “And that [stolen] technology is being used to develop these similar products in adversary states.”
That means more stringent guidelines for every company in the DoD supply chain are needed to stop data theft and protect the U.S. defense industrial base.
Until now, proving cybersecurity compliance has never been a contractual obligation, Murray said. The DoD requires contractors to comply with NIST SP800-171 cybersecurity standards, but there’s no audit or accountability for protecting CUI. All that’s required of contractors, he said, “is just self-attestation: ‘Yeah, we’re good to go.’ The DoD’s saying, ‘We’re not going to allow them to do that anymore.’ Now they’re going to make it a contractual obligation.”
CMMC aims to help contractors “become more mature in your IT capabilities, understand where your vulnerabilities are, what the threats are — and then, based on that assessment, come up with a plan to mature your cybersecurity hygiene so that it’s acceptable enough to DoD or any other federal government agency to do business with you.”
Moving to third-party assessment and certification ensures that only companies that actually meet cybersecurity requirements can compete for contracts.
CMMC “third-party assessment organizations,” known as C3PAOs, will do the audits and certification. DoD has not designated any C3PAOs yet, but a new 13-member CMMC accreditation body will oversee their training and administration.
“The purpose of standing up the steering committee … is to assure there is no conflict of interest,” Murray noted. “There’s nobody pressing to try and make this a cash cow for commercial industry.”
As CMMC evolves, “the idea is to give enough time for it to be cost effective and affordable for small businesses to implement at the lower levels,” he said, where it’s recognized that CMMC requirements and costs could be a burden.
“DoD representatives explained that DoD is now taking a ‘crawl, walk, run’ approach,” Murray said. “When it was [Version] 0.6, it was, ‘You will be [certified at CMMC] Level 3 or you’re done.’ Companies said, ‘OK, no problem. Here’s the keys, we’ll find somewhere else to go.’ DoD wasn’t expecting that. It wasn’t a reasonable approach anyway.”
While the phased rollout has eased some immediate anxiety among contractors and subcontractors, Murray said it’s critical for businesses to keep working toward the controls and processes to reduce cyber risk — especially as those standards could be adopted more broadly in the future.
“Like I said: Don’t slow down. You still have to do this for your business anyway — but it might be a strategy for your organization, especially if the state, county and city governments catch up to what DoD and the rest of the federal government’s doing,” he said. “You don’t want to be saying, ‘Well, I don’t do business with the federal government.’ You do business with a lot of other state governments and county governments, and it’s just a matter of time before they jump on the bandwagon. And you know what they’re going to do? They’re not going to create something new. They’re going to say, ‘DoD already created something — we’re going to jump on that.’”