General

What is the Cybersecurity Maturity Model Certification?

CMMC – Introduction

What does it stand for?

“Cybersecurity Maturity Model Certification”

What’s its purpose?

To create a standard and measure maturity of cybersecurity hygiene within DoD contractors/partners. In 2016 it was estimated that malicious cyber activity cost the US economy between $57 billion and $109 billion. The United States Defense sector is a large target for malicious parties, potentially backed by foreign governments in the new age of cybercrime and cyberwarfare. The model unifies cybersecurity standards in 17 capability domains, with 5 processes across five levels to measure process maturity, and 171 practices across the five levels to measure technical capabilities. See the image below for a better visual on how things are broken up.

Image source: https://www.acq.osd.mil/cmmc/docs/CMMC_v1.0_Public_Briefing_20200131_v2.pdf

Why?

Well prior to this the over 300,000 companies included in the DoD’s supply chain were held individually responsible for their security even though they contain sensitive and confidential DoD information by being affiliate with the DoD. The DoD being the DoD is targeted by more malicious third parties then anyone could imagine, just based on the fact of how strong the United States treats national security and our military. In doing so malicious third parties might see the opportunity and ease of attacking from outside the DoD but within the DoD supply chain to gain access to DoD documents and information. Although a toilet paper vendor might have documents containing billing or shipping information, and not items of national security the DoD is aiming to protect all boundaries and connections with enforcing such standards with all its contractors/partners.

Image Source: https://www.acq.osd.mil/cmmc/docs/CMMC_v1.0_Public_Briefing_20200131_v2.pdf

Why break up the processes into different domains?

Great question, the simple answer is so it can better tailor and more accurately set these standards.

What are the 17 capability domains?

Within the CMMC model and it’s 5 levels what does the maturity measuring look like?

Image source: https://www.acq.osd.mil/cmmc/docs/CMMC_v1.0_Public_Briefing_20200131_v2.pdf

As seen above the 5 levels of processes are performed, documented, managed, reviewed, and optimizing with the 5 practices levels being basic cyber hygiene, intermediate cyber hygiene, good cyber hygiene, proactive, advanced/proactive.

Image source: https://www.acq.osd.mil/cmmc/docs/CMMC_v1.0_Public_Briefing_20200131_v2.pdf

The levels designed to be progressive and flexible are aimed so such a toilet paper supplier contractor may only need to meet level 1, maybe level 2 of this model. Whereas an electrical contractor or airplane engineering firm may need to meet level 5, due to the DoD materials and documents that they’re handling. The above image shows the increase and differences of practices for each level.

The certification levels match directly to the reliability and maturity of the company’s cybersecurity infrastructure to safeguard government information. Each tier above one requires all such tiers below it, ex: level 5 requires certification of levels 1-4 in addition to level 5.

What does this look like? – For a full list of capabilities and practices check out the DoD document here

Let’s look at Awareness and Training (AT). MediaPro[1] defines Awareness and Training as the process of providing formal cybersecurity education to your workforce about a variety of information security threats and your company’s policies and procedures for addressing them. An example could be setting up phishing campaigns with GoPhish[2] to test employees’ knowledge of phishing and email policies. (Great tool, highly recommend)

So within the AT domain there are two capabilities laid out, C011 – Conduct security awareness activities and C012 – conduct training.

Image source: https://www.acq.osd.mil/cmmc/docs/CMMC_Appendices_V1.02_20200318.pdf

Image Source: https://www.acq.osd.mil/cmmc/docs/CMMC_Appendices_V1.02_20200318.pdf

As seen above we can view the practices for each level, included are NIST and CIS controls that can be implemented. An in-depth look at AT.2.056 shows NIST SP800-171 section 3.2.1, a brief look and lot of scrolling later and we have the following control.

Image source: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r2.pdf

Searching through more and more NIST and CIS controls within the model will result in definitions and discussions of controls for certain domains that lie within CMMC.

What does this mean now?

Well for the massive number of DoD contractors and partners, preparation should begin now to meet such standard. Moving forward DoD has stated that this certification will be a minimum requirement to be eligible for DoD contract awards.

One key takeaway from this that is important: cyber compliance is never complete[3]. What does this mean? Just because you meet the standards now and can get a contract award does not mean that you will stop security practices or ease up restrictions, the model is designed to be persistent and enforced at all times. Flexibility and resiliency are crucial in this model, threats are evolving everyday and its very likely that this model will change over time to meet the new threats DoD and its contractors are facing.

Good, bad?

Good. Or so on paper it looks. Safeguarding connecting firms connected to the DoD in varying fashions will help create an end to end secure picture for the DoD. I think that this is great for DoD and showing that we’re finally taking some steps to improve our cybersecurity aspect, should this have existed 5 or more years ago? Yes, however I’m just happy that this at least has been implemented. Timeline wise this was announced back in January of this year and took effect for contractors in late September, with the requirement for new contracts taking effect by fiscal year 2026. 6 years ahead, yikes. But then again, we’re speaking about the government, so nothing moves at light speed. “Security is not one size fits all.” – Katie Arrington[4], DOD’s chief information security officer for acquisition.

On the flipside contractors and businesses will in the end be more secure from adversary cyber-attacks, but at the cost of having to fork over some money in order to meet these standards, but these standards should already be met for most if not all contractors.

  1. https://www.mediapro.com/security-awareness-training/

  2. https://github.com/gophish/gophish

  3. https://www.csoonline.com/article/3535797/the-cybersecurity-maturity-model-certification-explained-what-defense-contractors-need-to-know.html

  4. https://www.defense.gov/Explore/News/Article/Article/2071434/dod-to-require-cybersecurity-certification-in-some-contract-bids/

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.