
Cybersecurity Maturity Model Certification for DoD Contractors

Dive into what the Cybersecurity Maturity Model Certification is and the implications it has for Department of Defense contractors. 

What is the CMMC

The United States Department of Defense (DoD) supply chain is one of the most critical to both national security and the protection of individuals in the armed forces. Regardless of where contractors sit in the defense industrial base (DIB), security is critical to avoid intellectual property theft or, worse, sabotage by bad actors.

The digital technologies that many contractors have embraced to increase efficiency and enable business growth have also brought new threat surfaces. The Defense Federal Acquisition Regulation Supplement (DFARS) clause that went into effect in 2018 was the DoD’s first stake in the ground, indicating that the information systems of DIB members must be held to a standard of security to protect the nation. The DFARS clause used the controls from the National Institute of Standards and Technology’s Special Publication 800-171: Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations. The self-certification process, though, proved too unwieldy to track and verify.

Recognizing that there needed to be more structure than self-certification of compliance with NIST SP 800-171, the Department of Defense began developing what would become the Cybersecurity Maturity Model Certification (CMMC).

The CMMC is an amalgam of multiple frameworks and standards, including NIST SP 800-171, the NIST Cybersecurity Framework, ISO 27001, and others. Developed by the DoD in conjunction with academia (Carnegie Mellon and Johns Hopkins Universities), the CMMC combines practices (what most CSPs will recognize as controls) with processes that gauge the maturity level of a given practice. Recognizing that not all contractors need the same cybersecurity program maturity as a prime, the DoD will state which of the five maturity tiers a given contract requires at the time of a request for information (RFI). A contractor’s tier will be assessed and audited by third-party CMMC assessors and auditors. These third-party assessment organizations will be appointed by the CMMC Accreditation Board, and the CMMC certification for a given tier will last for three years.


CMMC Domains Explained

The CMMC framework is composed of 17 domains, with each tier layering in more practices and processes for each domain. In this infographic, we take a high-level view of each of the domains and what to expect when working to meet your CMMC requirements.


How the CMMC Differs from DFARS

When the DoD first released version 1.0 of the CMMC and announced that the new Cybersecurity Maturity Model Certification (CMMC) model would replace the DFARS standard in its effort to assess the cybersecurity capabilities of the defense industrial base, many organizations were left scrambling to learn how applicable their previous work on NIST 800-171 was to the new requirements. Thankfully, the CMMC Accreditation Body (AB) has clarified that aligning with the DFARS standard is paramount to achieving the Cybersecurity Maturity Model Certification, for small businesses and prime DoD contractors alike.

The Cybersecurity Maturity Model Certification is slated to be added to prime DoD contracts in 2020 as a unified standard for “go/no go” decisions at the time of award. It will require organizations in the DoD supply chain to undergo a CMMC audit by an official CMMC auditor. This program, as outlined by the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)), will serve as verification, ensuring that the defense supplier has adequate cybersecurity practices with good cyber hygiene, processes, procedures, and policies in place. Basic cyber hygiene is a set of precautions used to keep sensitive data safe and secure from cyberattacks and theft. The Cybersecurity Maturity Model Certification naturally builds on the DFARS cybersecurity requirements by adding the certification piece. The different CMMC levels, 1 through 5, add more advanced practices to reduce cybersecurity risk as more CUI is present or as a supplier sits further up the DoD supply chain toward the prime contractors, which denotes a higher certification level requirement.

Learn the differences between CMMC Tier 3 and DFARS and why the DoD is recommending all contractors start with DFARS

What the CMMC Means for Contractors

At the end of last year, the Department of Defense (DoD) Under Secretary for Defense Acquisition and Sustainment Ellen Lord stated that cybersecurity vulnerabilities in the defense industrial base are most common six to seven levels down from prime defense contractors, hiding in their extensive supply chains.

"This is a U.S. economic security issue as well as a U.S. security issue," Lord said. "When we look at cybersecurity standards, I believe it is absolutely critical to be crystal clear as to what expectations, measurements are, what the metrics are, and how we will basically audit against those."

Across the Defense Industrial Base (DIB), organizations are rushing to translate their compliance with the NIST SP 800-171 cybersecurity controls to the new Cybersecurity Maturity Model Certification standard. These requirements cover basic to intermediate cyber hygiene at the low end (levels 1 and 2), but the CMMC strategy of prime contractors, and of those higher up in the DoD supply chain in general, needs to focus on the higher certification levels of the CMMC framework to continue doing business with the Department of Defense.

Understand what the flow down of CMMC looks like and what primes need to do for their sub-contractors
