If you are a supplier to the defense industrial base (DIB), Cybersecurity Maturity Model Certification (CMMC) may feel intimidating,–even overwhelming–for your small or medium-sized business.
You may be asking yourself:
- “What is required of my business today?”
- “How do I forge a path to CMMC compliance in the future?”
- “Is it possible to develop and implement the appropriate layers of security, polices, practices, and procedures without adding an army of cybersecurity professionals to my payroll?”
This series of blog posts will explore CMMC for small and medium-sized businesses. It will provide some insight into how your organization can identify a path to compliance that satisfies the requirements without crippling your business.
Cybersecurity for Small and Medium-Sized Businesses is What We Do!
Cybersecurity and regulatory compliance, such as CMMC for small and medium-sized businesses (SMB), is a core competency for EXP Technical. Many of our clients work in highly-regulated industries including the defense industrial base (DIB). The road to establishing secure and compliant operations is a familiar one. Our case study, “Stratolaunch Systems Corporation: Defense Cloud Build Out at Mach Speed,” tells the story of a recent example of a divestiture, merger, and network build out in an ITAR regulated, NIST 800-171 compliant environment.
This series will focus on CMMC compliance concerns that are applicable to SMBs and solutions that work well at that scale. We serve people through technology. We’re here to help YOU and your organization succeed!
What is the CMMC Rule?
This blog post will provide a review of recent history of CMMC as well as an overview of the current landscape. (We’ll dive into strategies and tactics in future posts.)
Security Risks in the Supply Chain Necessitate Overarching Standards
All businesses today are exposed to innumerable external threats to cybersecurity. Additionally, sensitive data can be stolen or even inadvertently exposed by internal resources. As a matter of national security, DIB organizations have a responsibility and an obligation to keep sensitive data secure.
A cybersecurity framework has been established by the Department of Defense To combat cybercrime and to minimize other risks or exposure. This framework is derived from multiple standards with the broad intent of protecting Federal Contract Information (FCI) and Controlled Unclassified Data (CUI).
Defense Federal Acquisition Regulation Supplement (DFARS) Case 2019-D041 is an interim rule that establishes the CMMC framework “in order to assess contractor implementation of cybersecurity requirements and enhance the protection of unclassified information within the DoD supply chain.”[i] DFARS 2019-D041 is often referred to as the “CMMC Rule.”
NIST SP 800-171 and Supplier Performance Risk System Reporting
Within DFARS 2019-041 are two clauses (7012 and 7019) that require DIB companies that work with controlled unclassified information (CUI) to perform a self-assessment of their adherence to NIST SP 800-171 DoD Assessment Methodology and furthermore to report the results of that self-assessment in the Supplier Performance Risk System (SPRS).
NIST SP 800-171 identifies 110 security requirements. A scoring guide is established within the NIST SP 800-171 methodology. Each requirement has a point value assigned. A perfect score on the assessment—effective implementation of ALL of the standards—results in a score of 110.
An organization undergoing an assessment starts with a score of 110 and subtracts points per the weighting schedule for each requirement not met. Several of the 110 requirements have a weight of more than 1. It is theoretically possible to have a negative score on the NIST SP 800-171 assessment.
What are “security requirements”?
The security requirements in the NIST SP 800-171 methodology are controls that protect sensitive data.
For example, Security Requirement 3.1.1 indicates that an organization must “limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems).” According to this requirement, users, processes, and devices, must have authorization in order to access systems where sensitive data is stored.
Other security requirements focus on awareness training, encryption, perimeter security, vulnerability scans, and other layers of security that protect sensitive data.
This sounds expensive!
There are costs associated with establishing a secure computing environment—especially if this is an area that has been neglected. However, it is also worthwhile to note that pragmatism can be applied when implementing security controls. In some cases, a security requirement may be met through effective policy rather than deploying an expensive new piece of technology. The NIST SP 800-171 methodology (and NIST SP 800-171A) establishes security requirements but in many instances leaves it up to your organization to decide on the specific tactics employed in order to meet the requirement. A consulting firm with extensive experience managing IT governance, risk management, and compliance (like EXP Technical) can provide invaluable assistance in determining a cost-effective roadmap to success.
What minimum score do I need to achieve on the self-assessment and what do I do with the self-assessment findings when complete?
At this point, the requirement is simply a self-assessment and reporting of the assessment results in SPRS. There is no specification for a minimum or target score specified. It’s an assessment that must be completed and a report that must be submitted.
For every gap identified, an organization must have a corresponding plan of action to describe how and when an unimplemented security requirement will be met. By accepting a plan of action “the current regulation enables contractors and subcontractors to process, store, or transmit CUI without having implemental all of the 110 security requirements.”[ii]
An important note: Clause 7020 of the interim rule, indicates that a contractor that is subject to clause 7012 is also required to “provide the Government with access to its facilities, systems, and personnel when it is necessary for DoD to conduct or renew a higher-level assessment.”[iii]
Cybersecurity Maturity Model Certification (CMMC)
Clause 7021 of the CMMC rule adds the Cybersecurity Maturity Model Certification (CMMC) requirement.
CMMC defines 5 levels to which an Organization Seeking Certification (OSC) must adhere.
Level 1 consists of 15 basic safeguarding requirements from FAR clause 52.204-21. This level of cybersecurity will be required of organizations that handle Federal Contract Information (FCI) but not Controlled Unclassified Information (CUI). FCI is typically intellectual property that is developed under a federal contract. It does not include commercial off the shelf (COTS) products and does not include administrative information such as invoices.
The levels in the CMMC Framework are cumulative—each level provides additional requirements on top of the lower levels.
Level 2 consists of 65 security requirements from NIST SP 800-171 as well as 7 CMMC practices and 2 CMMC processes. This level is an intermediary step for contractors that are working towards CMMC Level 3 compliance.
Level 3 is the level that most small and medium-sized businesses, DIB subcontractors, will need to adhere to. This level consists of all 110 security requirements from NIST SP 800-171, plus 20 CMMC practices and 3 CMMC policies.
Levels 4 and 5 add additional CMMC practices and policies to the certification requirement. It is typically prime contractors and tier 1 contractors that will need to adhere to these higher levels of CMMC certification.
When do I need to be compliant?
This is an evolving standard, but current requirements are that a contractor must be compliant at the time of award. Currently, there are very few contracts that include the CMMC requirement, but it’s only a matter of time before this requirement is standard on all contracts. The time to act is NOW.
Can I simply outsource all of this? Cloud services? Outsourced support?
It is true that many IaaS and SaaS providers will deliver CMMC compliant products, and there are many competent cybersecurity consultants that can provide guidance in your journey toward compliance. It is possible to outsource much of the expertise, infrastructure, software, and effort necessary to achieve CMMC compliance. However, responsibility can’t be outsourced. Organizations seeking certification are doing so because they have been entrusted with sensitive data and ultimately it is their responsibility to ensure that appropriate layers of security, policies, procedures, and other controls are in effect.