For most businesses, cyber attacks threaten their employees, customers, and their bottom line. For contractors to the United States Government, cyber attacks threaten national security.
In 2015, attackers breached KeyPoint Government Solutions, granting them the credentials needed to access and exfiltrate personally identifiable information of 4.2 million current and former government clearance holders from the Office of Personnel Management (OPM).
Since that attack, the U.S. government is no longer willing to accept a high degree of risk from its contractors. The Cybersecurity Maturity Model Certification (CMMC) is the government’s play to help protect its data from supply chain attacks.
What is CMMC compliance?
The CMMC compliance program has been developed by the United States Department of Defense (DoD). It’s intended to help protect the important and sensitive government-related information that is handled by non-government organizations. These companies, small, medium and large, are all potential targets of cyber attacks by nations and agents intending to harm the U.S. and steal information.
Who is required to be CMMC compliant?
Once the CMMC program is fully implemented, only those companies with an active CMMC certification will be awarded contracts and allowed to work with Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). This restriction is significant because a company without a valid certification will not be allowed to work with the government’s sensitive information. This is, in fact, where much of the consternation arises. Many companies have been government contractors for many years without having to fund the costs of a robust cybersecurity program. And now, the bill is coming due.
Throughout this article, a number of abbreviations are used. Copious abbreviations are part-and-parcel of working for, and with, the U.S. Government. The first time a new abbreviation appears, it will be spelled out. A glossary is included at the end of this article.
While CMMC compliance is relatively new, it has been in the planning stages for more than five years. CMMC is the result of Executive Order 13556 (2010), which created the Controlled Unclassified Information Program. Unfortunately, CMMC’s full implementation continues to suffer delays as legal decisions and additions to the U.S. Code of Federal Regulations work their way through bureaucratic processes. Based on recent comments by the DoD’s Deputy Chief Information Officer (CIO), David McKeown, “the Defense Industrial Base (DIB) can expect CMMC to be required in new contracts by fall of next year.”
This does not, however, mean that there are no rules already on the books requiring the protection of sensitive government information for the U.S. DoD by organizations that do work on its behalf. Rules have been in place for over ten years that require protection of Controlled Unclassified Information (CUI) by companies working for the government.
Department of Defense Contracts Already Require Protection for FCI
The contract requirement to protect Federal Contract Information has been included in all government contracts for many years. This requirement is described in Federal Acquisition Regulation (FAR) 52.204-21, Basic Safeguarding of Covered Contractor Information Systems. The FAR rule lists 15 security controls. These equate to 17 controls in NIST SP 800-171 (one control was split in two, which accounts for the increase).
Department of Defense Contracts Already Require CUI Security
The contract requirement for the protection of CUI is codified in Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012. DFARS 7012 has been a required stipulation in every DoD contract since 2013. Having DFARS 7012 noted in a contract does not necessarily mean that contract performance actually involves CUI – only that if it does, the CUI must be protected. DFARS 7012 includes requirements for handling CUI and requires that the security controls protecting it, which come from National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 – Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, are appropriately implemented.
NIST SP 800-171 is the Basis for CMMC
NIST SP 800-171, now in revision 2, includes 110 basic controls, each of which has one or more assessment objectives that must be met to satisfy the control. This puts the number of specific control actions at over 300 items which must be implemented and verified.
The CMMC standard is primarily based on NIST SP 800-171 and its 110 controls, as of revision 2. Revision 3 of this publication has been released publicly in draft form but is not yet finalized. CMMC may receive another update to accommodate the new revision once it is published; there is no timeline for this as of yet.
Why is CMMC important?
Ok, so if there were already rules in place, why is another ‘New’ set of rules needed?
Previous rules for protecting CUI didn’t include any real validation measures other than self-attestation. Data breaches and compromises of government and other sensitive information held by non-federal organizations have occurred with frightening regularity with these original rules in place. This doesn’t necessarily mean impropriety on the part of those that suffered data loss. Rather, without a more rigorous verification process, compliance seems to falter. The National Defense Industrial Association (NDIA) report linked below exemplifies the challenges the government and its contractors face.
BEYOND OBFUSCATION: The Defense Industry’s Position within Federal Cybersecurity Policy
FCI vs CUI – What’s the Difference?
Federal Contract Information (FCI) is the information that companies exchange with the federal government routinely in meeting their contract obligations. Things like billing, invoicing, and labor rate information are examples of FCI. FCI is not intended for public release and has protection requirements.
CUI is the sensitive information that the government has decided requires extra security and protection from release. CUI is designated by the government agency sponsoring the contract and is categorized due to government-wide policy, regulation, or law. The designation of CUI requires government agencies, and their contractors, to provide extra security and control of dissemination.
A nuance: Most information associated with a government contract can be considered FCI – only that information requiring additional security is CUI. So, CUI can be considered a subset of FCI.
The distinction between FCI and CUI is important because the level of CMMC certification required by a given government contractor is based on the type of information they handle.
CMMC Compliance Levels
CMMC comprises three levels, each with more numerous and rigorous control requirements than the last. The majority of organizations will fall into Levels 1 and 2, while only a small number will require Level 3.
The major differences between each level are:
The sensitivity of government information the company holds
How many security controls they need to implement
How rigorous the certification process is
CMMC Level 1
The first level, CMMC Level 1, is for companies that work with the Federal Government and FCI, but will not process, store, or transmit CUI as part of their contractual obligations.
Level 1 comprises a smaller subset of security controls, only 17, from NIST SP 800-171. Initially, CMMC Level 1 certifications may be granted via self-attestation. It is not clear whether this will remain the case for the duration of the program or only initially while the program gains traction.
CMMC Level 2
Level 2 is for those companies that will normally handle CUI as part of their contract work and requires implementation of all controls from NIST SP 800-171 – 110 in all.
Level 2 certification requires an audit by an authorized 3rd Party Auditor Organization.
CMMC Level 3
The highest level, CMMC Level 3, is for organizations that process, create, store and/or transmit CUI associated with highly sensitive government programs; this level requires implementation of all controls from both NIST SP 800-171 and NIST SP 800-172, Enhanced Security Requirements for Protecting Controlled Unclassified Information.
The number of security controls totals 145, including the 110 from NIST SP 800-171 and an additional 35 from NIST SP 800-172.
As with Level 2, CMMC Level 3 certification requires an audit. The audit, however, may be conducted jointly by an authorized 3rd Party Auditor Organization AND representatives of the DoD’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). There remains discussion on which organization will bear the responsibility for conducting or leading CMMC Level 3 audits. Due to the higher sensitivity of the information, the government has a heightened interest and may choose to remain involved. However, if the number of contracts and organizations needing Level 3 certification is larger than expected, the work may fall more to the C3PAOs.
Cyber Accreditation Body, C3PAO, and CMMC
Organization and implementation of the CMMC program is aided by a non-profit organization called the Cyber Accreditation Body (the Cyber AB). The Cyber AB organizes and accredits the CMMC 3rd Party Auditor Organizations (C3PAOs). These C3PAOs will conduct audits of organizations aspiring to gain CMMC certification. CMMC certifications are valid for three years, after which a new audit is required. Visit the Cyber AB website to learn more about authorized providers and review the marketplace of CMMC support services and organizations.
Note for those of us that use ChatGPT and other Generative AI tools:
Above, I note that there are three levels of compliance in the CMMC. If you were to ask ChatGPT to explain CMMC compliance, it would describe five levels. Why the discrepancy? The initial release of the CMMC standard (version 1) did, indeed, include five levels. After industry feedback and U.S. Congressional involvement, the CMMC standard (version 2) was compressed into three levels. This change occurred at the end of 2021. The corpus of information used to train the ChatGPT models apparently didn’t include data after 2021, so the majority of articles and documentation describing the new CMMC version fall outside the model’s training data. ChatGPT therefore doesn’t know that a change occurred and unfortunately repeats the old information. Be careful out there, generative AI users: sometimes those tools aren’t as accurate as we might hope.
CMMC Compliance Requirements Are Coming
The CMMC is an important step in the DoD’s effort to protect the nation’s defense industrial base from cyber threats. It is designed to help organizations protect their critical information and systems, while also ensuring compliance with the DoD’s information security requirements. Beyond being necessary to continue doing business with the DoD, by pursuing CMMC compliance, organizations can reduce the risk of a cyber attack and protect their sensitive data.
Have a question about the CMMC, CUI, NIST SP 800-171, or other aspects of U.S. Government compliance? Please contact us and we’ll try to address it either in an email response or in a future article in this series. The next article in this series will be about the Supplier Performance Risk System (SPRS) and Scoring NIST SP 800-171 Implementation Compliance.
If you want to get more great cybersecurity content delivered to your inbox, click here to sign up for our monthly newsletter, Tales from the Click.
Glossary
CMMC: Cybersecurity Maturity Model Certification
CMMC-AB: CMMC Accreditation Body
CDI: Covered Defense Information
CTI: Controlled Technical Information
CUI: Controlled Unclassified Information
DCMA: Defense Contract Management Agency
DFARS: Defense Federal Acquisition Regulation Supplement
DIB: Defense Industrial Base
DIBCAC: Defense Industrial Base Cybersecurity Assessment Center
DOD: Department of Defense
FAQ: Frequently Asked Questions
FAR: Federal Acquisition Regulation
FCI: Federal Contract Information
FedRAMP: Federal Risk and Authorization Management Program
FISMA: Federal Information Security Modernization Act
NDAA: National Defense Authorization Act
NDIA: National Defense Industrial Association
NIST: National Institute of Standards and Technology
POAM: Plans of Action and Milestones
SBU: Sensitive but Unclassified
SP: Special Publication