This article originally appeared in the May 2022 issue of Security Business magazine. When sharing, don’t forget to mention Security Business magazine on LinkedIn and @SecBusinessMag on Twitter.
Information need not be “classified” (in the government sense) to have value. Unclassified data – from military facilities diagrams for landscapers to bills of materials for rivet manufacturers – can offer important insights for U.S. adversaries, particularly as they gather and piece together more of this data.
While the handling of classified data has always been tightly controlled through the use of clearances and sensitive compartmented information facilities, controls for unclassified information have been far more limited. Exfiltration of important unclassified data has become a critical issue for the U.S. Department of Defense (DoD), costing the U.S. economy as much as $600 billion per year and putting national defense at risk.
Security integrators serving the federal government as a primary or subcontractor have already heard about the pending Cybersecurity Maturity Model Certification (CMMC); however, the program has been completely overhauled since Security Business reported on its initial rollout in 2020. A new, slimmed down version of the CMMC is poised to take effect, and like the first time, integrators will need to be compliant if they hope to do any business with the DoD.
The Winding Road to Certification
The DoD’s first significant effort to solve the problem failed to stem the tide. In late 2017, a new clause in the Defense Federal Acquisition Regulations Supplement (DFARS) for DoD contracts required all prime contractors, as well as their multiple tiers of subcontractors, that store, process, or handle controlled unclassified information (CUI) to comply with the 110 security controls identified in Special Publication 800-171 from the National Institute of Standards and Technology (NIST SP 800-171).
This mandate had a couple of fatal flaws. First, companies did not immediately have to meet all 110 controls; instead, they could create a Plan of Actions and Milestones (POA&M) for those controls they did not address, without requiring a specific time period for remediation. More significantly, they could self-assess their compliance with NIST SP 800-171 and self-attest the results, without fear of DoD audit or consequences for inaccurate reporting.
To account for these deficiencies, the DoD changed course, launching CMMC version 1.0 in early 2020. It consisted of five progressive and increasingly stringent maturity levels, comprising a total of 171 practices (similar to NIST SP 800-171 controls).
Aside from more requirements, CMMC 1.0 differed from its predecessor in three key ways. First, it applied to all of the approximately 300,000 companies that directly or indirectly serve the DoD – no matter how deep in the DoD supply chain they lie and regardless of whether they possess CUI. Second, these members of the Defense Industrial Base (DIB) would not be allowed to self-assess and self-attest CMMC compliance; instead, they would be assigned the appropriate maturity level accreditation following successful completion of an independent audit conducted by a DoD-approved third-party. Third, no POA&Ms would be allowed – either achieve all of a maturity level’s practices and processes, or drop down a level.
Given the breadth and depth of practices and processes, the size of the DIB, and the need for external auditors, the DoD planned to phase in CMMC over a five-year period.
CMMC 1.0, despite tweaks with versions 1.1 and 1.2, never really got off the ground. It represented a well-intentioned but high bar, particularly for small and mid-sized businesses and those not handling CUI – which make up the vast majority of the DIB.
To get accredited, these companies – including security integrators – would have had to invest time, resources, and budgets not commensurate with their roles in the DoD supply chain. This obligation might have caused them to exit the DIB, stifling innovation without substantially improving security.
Thus, DoD suspended the CMMC rollout, and spent much of 2021 revisiting, reviewing, and revising the framework. In November, it unveiled CMMC 2.0, a streamlined successor that incorporates the best attributes of prior efforts.
Take Two: CMMC v2.0
CMMC 2.0 reduces the number of maturity levels from five to three, and it eliminates all processes. Maturity level 1 remains the same, a foundational tier with 17 practices designed to protect FCI. Maturity level 2 now consists of 110 practices, an advanced tier that aligns directly with NIST SP 800-171 to protect CUI. Maturity level 3 represents an expert tier that applies to the select highest-value programs likely the targets of advanced persistent threats, with the 110 practices from maturity level 2 augmented by a subset of practices from the forthcoming NIST SP 800-172 standard.
Typical security integrators would fit into Maturity Level 2. For the most sensitive and/or high-value DoD engagements that involve CUI, integrators would need to be certified at Maturity Level 3; however, that is anticipated to be a very small percentage of all contracts and contractors (less than 5%).
The new version of CMMC also changes the rules for accreditation. Members of the DIB seeking maturity level 1 accreditation no longer must undergo a third-party audit; they can conduct annual self-assessments and report results. At maturity level 2, companies handling CUI deemed critical national security information will need to pass a third-party audit every 3 years to receive and maintain their CMMC accreditations. For others with less critical CUI, an annual self-assessment and reporting will suffice. Those requiring maturity level 3 accreditation must pass a triennial government-led audit. At all maturity levels, POA&Ms will be allowed for select practices, subject to a well-defined remediation deadline, likely limited to 180 days.
Compliance Timeline Accelerated
With the release of CMMC 2.0, the DoD announced a new implementation timetable. Rather than reinstituting and resuming the five-year rollout, CMMC will not appear in any contract solicitations until the completion of a formal rulemaking process – which is anticipated to be completed within the next 18 months.
While many viewed this as a reprieve and more time for accreditation; in fact, it will speed up the process. Under the old plan, CMMC would become reality for most companies in 2024 or 2025. Now, CMMC may be included in all new solicitations as early as August 2022, and no later than November 2023.
Furthermore, DoD has raised the compliance stakes. By directly aligning CMMC 2.0 maturity level 2 with NIST SP 800-171, members of the DIB that handle CUI will have no excuse for not being ready when the rulemaking process concludes. After all, by that time, the NIST SP 800-171 mandate will have been in place for at least five years and the updated reporting requirements for at least two years. Expect the DoD to aggressively audit CMMC 2.0 self-assessments, reported scores, and POA&M remediation plans, with little tolerance for errors or excuses.
The DoD added one more wrinkle that should convince DIB companies that self-assessments can no longer be considered a cakewalk. A corporate executive will have to sign a document attesting to the validity of the submission. An audit gone bad means not only might organizations face penalties under the False Claims Act, but individuals at those businesses risk personal liability.
Simply put, CMMC 2.0 will be here in a heartbeat, accompanied by high DoD expectations. Even at maturity level 1, practices will take time and expertise to implement. For those lacking cybersecurity acumen or budgets for high-priced consultants, lower-cost products can do everything from define each practice and explain how to comply, to calculate accurate scoring and create the necessary policies and POA&Ms.
Companies that have not already started the accreditation process should get started, before they lose DoD business. The rest of government and the private sector may soon follow the DoD’s lead.
Tony Farinaro is Chief Revenue Officer for Exostar (www.exostar.com), a provider of trusted, secure business collaboration tools in the aerospace and defense, life sciences, and healthcare industries.