DOD contractors have been asked to implement NIST SP 800-171 to comply with DFARS 252.204-7012 for “Safeguarding Covered Defense Information and Cyber Incident Reporting”. Given serious cybersecurity issues in the defense industrial base with adverse impacts to national security, DOD has been evolving the guidance. In March 2019, the Office of the Assistant Secretary of Defense for Acquisition started the process of creating the Cybersecurity Maturity Model Certification (CMMC).
DOD’s Cybersecurity Maturity Model Certification (CMMC) is a significant evolution and maturation of attempts to harden the defense supply chain. CMMC has three primary components:
- a security standard that leverages NIST SP 800-171, NIST SP 800-53, ISO 27001, ISO 27032, AIA NAS9933 and others,
- a maturity level definition that allows for tailoring the implementation based on risk, and
- a well-defined certification program executed by accredited independent assessors.
The evolution of CMMC appears to mirror the FedRAMP program. The Federal Risk and Authorization Management Program (FedRAMP) is based primarily on the NIST SP 800-53 security standard and includes a FedRAMP PMO (Program Management Office) responsible for accredited independent Third-Party Assessment Organizations (3PAO). CMMC helps clarify and mature some of the challenges associated with the initial DFARS 252.204-7012 guidance around certification and assessment. One of the biggest unknowns was how, and by whom, DOD contractors and vendors would actually be assessed for compliance with NIST SP 800-171. CMMC v1.0 is expected to be released in January 2020, and DOD contractors should expect to start seeing RFIs and RFPs in mid-2020 seeking compliance with CMMC.
Highlights of CMMC 0.4 Released August 30, 2019
DOD recently released version 0.4 of the CMMC model for download and analysis. It is important to understand the vernacular associated with CMMC. The draft release proposes 18 domains, which correspond to what NIST SP 800-53 and NIST SP 800-171 call control families; NIST SP 800-171 had only 14 control families.
CMMC explicitly defines capabilities, practices and processes, and defines levels of maturity against those capabilities and processes. The maturity levels allow for tailoring and flexibility to meet specific cybersecurity risk and threat levels. The levels of maturity are based on CMU’s CMM model. DOD or Government contractors in the software development space that have gone through CMM appraisals should already have an understanding of the new CMMC process. Organizations that have gone through a FedRAMP assessment would also have a head start.
Roadmap and Guidance for DOD Contractors
Clearly, the guidance and implementation guidelines are still being developed and will continue to mature. DOD contractors, however, should not wait until CMMC v1.0 is released in early 2020 to begin preparatory activities. The current guidance for implementing NIST SP 800-171 is still in place, and contractors should continue down the implementation path. DOD continues to emphasize the requirement for cybersecurity maturity within the supply chain and will continue to roll out measures to ensure compliance. CMMC is just another expression of cybersecurity best practices, which are fairly well codified and for which reasonably mature frameworks already exist.
DOD contractors implementing NIST SP 800-171 are well-positioned to rapidly incorporate new elements and requirements as part of CMMC v1.0 when it comes out. The bulk of the preparatory work is in creating cybersecurity processes, technologies and policies. Aligning with a well-understood US Government security standard such as NIST SP 800-53 and FedRAMP is a great way to get ahead of the curve. We at stackArmor continue to advocate using FedRAMP accredited cloud services such as Amazon Web Services and Amazon Web Services GovCloud for DOD contractors looking to meet current and emerging DOD cybersecurity guidance. Leveraging FedRAMP accredited cloud services that already meet NIST SP 800-53 security requirements allows DOD contractors to accelerate compliance, lower cost and implement world-class security capabilities using native services.