U.S. Developing New Cybersecurity Maturity Model Certification

Public invited to comment on standardized requirements

Last March, the United States government began creating a single, consolidated set of cybersecurity standards for businesses of all sizes that contract with the Department of Defense (DoD). The DoD is also introducing a certification process to go along with the consolidated standards.

The effort, known as the Cybersecurity Maturity Model Certification (CMMC), combines various existing cybersecurity standards into one model. The process is still underway, and members of the public, including business owners, have an opportunity to comment on the requirements. That matters now because the CMMC will become the cybersecurity standard to which businesses contracting with the DoD will be held.

What is the CMMC?
Led by the Office of the Under Secretary of Defense for Acquisition and Sustainment, the CMMC is meant to combine various cybersecurity standards and “best practices” for businesses that contract with the DoD, according to the CMMC Overview Brief released on Aug. 30, 2019. The goal is to reduce the loss, or threat of loss, of Controlled Unclassified Information (CUI) held by third-party vendors contracted with the U.S. government.

According to the brief, the CMMC will map out the best “practices and processes in cybersecurity across several levels that range from basic cyber hygiene to advanced.” When implemented properly, the associated practices and processes for a given CMMC level “will reduce the risk against a specific set of cyber threats.”

How will the CMMC Impact Businesses?
The CMMC will have a major effect on businesses that contract with the U.S. government, especially with the DoD. The CMMC effort, according to the brief, “builds upon existing regulation (DFARS 252.204-7012) that is based on trust by adding a verification component with respect to cybersecurity requirements.” Under the current DFARS clause, contractors self-attest that they have implemented the required controls. Under the CMMC, businesses will have to demonstrate to an assessor that they meet the requirements for a given level before they can be certified and do business with the DoD.

With that said, the government is aware that regulatory compliance is difficult, if not impossible, for many small and medium-sized businesses because of the cost involved. Most SMBs don’t have their own IT department or the resources to hire someone to handle compliance internally.

“The goal is for CMMC to be cost-effective and affordable for small businesses to implement at the lower CMMC levels,” according to the CMMC Overview Brief. “The intent is for certified independent third-party organizations to conduct audits and inform risk.” In other words, certification will come from an accredited outside assessor rather than from the contractor’s own attestation.

When will the CMMC be Implemented?
The final version of the model, according to the aforementioned brief, will be released in January 2020. Right now, the model is still being refined and reduced in size, without narrowing its scope, to make it more usable. Work also continues on integrating “best practices” at all levels.

Developers of the model are also still working out a methodology for handling maturity-level trade-offs (i.e., determining which level a business should be held to based on its size, contracts, resources, and the like). A detailed assessment guide is also under development.

What Exactly Will It Entail?
The precise practices and processes are still under development, but the proposed draft CMMC model makes clear that it will cover several areas of cybersecurity, from access control and asset management to audit and accountability practices and employee awareness and training. The public comment period is still open for another week, and the Office of the Under Secretary of Defense anticipates releasing an updated draft of the CMMC model for public review in November 2019.

What we do know from the draft is that each CMMC level will carry different requirements. For example, the requirements at CMMC Level 3 are expected to align with NIST SP 800-171, the same control set that DFARS 252.204-7012 already requires DoD contractors handling CUI to implement. Contractors who achieve DFARS compliance now will therefore be well positioned to earn CMMC certification more quickly and easily once the various government requirements are combined under the CMMC.

The Office of the Under Secretary of Defense has collaborated on the development of the CMMC with Johns Hopkins University, Carnegie Mellon University, and others. The office has also worked with industry groups such as the National Defense Industrial Association (NDIA), the Aerospace Industries Association (AIA), and the Professional Services Council (PSC), as well as the DoD Office of Small Business Programs, among others.

How Can I Have a Voice?
The public is being asked for feedback during the development process, but there isn’t much time left to share your thoughts. The deadline for submitting comments to the Office of the Under Secretary of Defense is 5 p.m. EDT on Wednesday, Sept. 25, 2019. You can email your comments to osd.pentagon.ousd-a-s.mbx.cmmc@mail.mil.

The government is asking you to review the currently proposed draft CMMC and answer the following questions:

1. What do you recommend removing or de-prioritizing to simplify the model and why?
2. Which elements provide high value to your organization?
3. Which practices would you move or cross-reference between levels or domains?
4. In preparation for the pending easy-to-use assessment guide, what recommendations might you have to clarify practices and processes?

You can read the CMMC Overview Brief, review the draft CMMC model, and download a comment matrix to email with your responses at the Office of the Under Secretary of Defense for Acquisition & Sustainment CMMC page.

If you have any questions about CMMC, regulation compliance, or cybersecurity for your business or organization, Dox is here to help. Connect with one of our experts now by contacting Dox online or calling us at (585) 473-7766.