What do CMMC, FedRAMP and the Executive Order on America’s Supply Chains have in common?
a) Protecting the intellectual property and integrity of the Government and U.S. businesses;
b) Supporting the Federal Government (and businesses) in securely processing and handling information wherever it is stored; and
c) Preserving the integrity and security of America’s critical supply chains.
Government management of cybersecurity threats in the public sector seems to be the recurring theme again this year. As a matter of fact, cyber threats will always be a major concern for all of us given the way the Internet continues to change the way we live, work and play.
The Cybersecurity Maturity Model Certification (CMMC) program was implemented last year by the Department of Defense (DoD) to serve as a framework for the enforcement of the Department’s existing Defense Federal Acquisition Regulation Supplement (DFARS) requirements. The current DFARS cybersecurity requirements were implemented in December 2017 to provide security protection for controlled unclassified information (CUI) as defined by the NIST SP 800-171 cybersecurity control framework. The goal of CMMC is to improve CUI security by introducing a formal audit program for compliance, designed to ensure that cybersecurity controls and processes adequately protect CUI that resides on Defense Industrial Base (DIB) systems and networks. The Defense Industrial Base consists of more than 300,000 businesses that provide products and services under contracts that support Department of Defense initiatives.
The Federal Risk and Authorization Management Program (FedRAMP) provides a standardized security framework for cloud products and services in accordance with FISMA and is recognized across all federal agencies. Being FedRAMP certified ensures that certain minimum security requirements are met by the cloud service provider. Currently, there are discussions between the Department of Defense and the General Services Administration (GSA) to work out reciprocity between the CMMC program and FedRAMP. According to Stacy Bostjanick, CMMC’s director at the DoD’s Office of the Under Secretary of Defense for Acquisition and Sustainment, a team is working to align the requirements, methodology, and levels of CMMC and FedRAMP, possibly by the end of the 2021 fiscal year.
Some of the key differences that need to be addressed are that FedRAMP allows for a plan of action and milestones (POA&M) to meet requirements while CMMC does not, and that CMMC requires an assessment every three years whereas FedRAMP requires continuous monitoring and annual assessments.
The Executive Order on America’s Supply Chains, published February 24, 2021, calls for the evaluation of supply chains that are identified in the Order as being essential to our economic prosperity and national security. The Order covers supply chains for the following industry segments: semiconductors; high-capacity batteries; critical and strategic minerals and materials, as defined by the Secretary of Defense; and pharmaceuticals and pharmaceutical ingredients. While the Order does not address cybersecurity directly, it does call for recommendations on vulnerabilities within these supply chains. It is safe to assume that the long-term recommendations that come out of these ongoing evaluations will eventually lead to more cybersecurity controls like those detailed in CMMC and NIST SP 800-171.
In a recent article entitled “DOD eyes CMMC-FedRAMP reciprocity by end of FY 2021”, Lauren C. Williams quotes Stacy Bostjanick (CMMC’s director at the DoD’s Office of the Under Secretary of Defense for Acquisition and Sustainment) as saying the goal is for CMMC to become irrelevant as elevated cybersecurity practices become the norm. I disagree, at least for the foreseeable future.
The recent Executive Order clearly lays the groundwork for identifying an expanded set of public sector businesses that are part of critical supply chains for the United States as well as being the curators and owners of intellectual property that is highly valued and critical to the long-term health of our economy.
While larger businesses will embrace cybersecurity as something they will need to maintain as a significant portion of their IT budget, smaller organizations that don’t see themselves as being at great risk may not recognize the threat and therefore may not drive their organizations to maintain the effectiveness of their cybersecurity infrastructure as the threat landscape evolves.
Businesses of all sizes that play a role in these critical supply chains are going to need controls in place similar to those CMMC is placing on the DIB. FCI and CUI aside, the Federal Government is already starting the process of aligning CMMC requirements with FedRAMP and GSA, and the recent Executive Order that seeks to protect critical elements of the US supply chains may find its way there as well.