Escalating Security Across Vendor Contracting
CMMC for Government Contractors: A Shift from a Static Plan to a Dynamic Measure of Compliance
The Department of Defense (DoD) plans to introduce the Cybersecurity Maturity Model Certification (CMMC) in early 2020. The CMMC will evaluate a vendor’s maturity level based on its technical practices, ranging from “Basic Cybersecurity Hygiene” to “Advanced/Progressive.” It also assesses the vendor’s process maturity level based on how thoroughly those cybersecurity practices are institutionalized, ranging from “Performed” to “Optimized.”
This new certification will set a universal standard for vendors doing business with the DoD. The reach of enforcement and applicability has yet to be defined. However, vendors must meet the certification level specified for a procurement at the time of award, and primary vendors must require any sub-contractors to meet the applicable CMMC requirements. Even if you do not engage directly with the DoD, the CMMC may apply to your business via your suppliers, third-party service providers, or customers.
CMMC Filling Compliance Gaps
Building upon an existing trust-based regulation, the CMMC adds a cybersecurity verification component to guarantee basic cybersecurity hygiene and to safeguard controlled unclassified information. Previously, the DoD required government contractors to have two components of NIST SP 800-171 in place: both a System Security Plan (SSP) and a Plan of Action and Milestones (POA&M) were required to be recognized as an authorized vendor. Upon review, the DoD found that many active government contractors had been unsuccessful in implementing these measures. Beyond those areas of non-compliance, the DoD concluded that merely having a plan to implement security controls is not a strong enough threshold for measuring adequate security. This realization highlighted the need for a more standardized review process and more standardized criteria for measuring vendors.
What’s the CMMC all about?
Beyond filling the general compliance gaps, the CMMC is heavily influenced by the digital infrastructure in which businesses operate and by the emerging threats that come with it. The initiative behind this new certification is to establish security as a foundational element of vendor evaluation. Previously, the DoD focused on:
- Cost: how can the budget be optimized?
- Performance: who delivers the highest quality service or product?
- Schedule: can this vendor meet or exceed timeline expectations?
The rise in data breaches and the ambiguity in accountability have led to an increased emphasis on security. It doesn’t matter if the project is of the highest quality, ahead of schedule, or significantly discounted if the information is exposed.
The new evaluation process weighs each pillar of vendor criteria against the security measures and practices in place. The CMMC establishes a standardized scoring and vetting process. By measuring cost, performance, and schedule against security, the CMMC’s dynamic scoring categorizes contractors into 5 different levels ranging from most secure to least secure. The DoD looks at two angles of security to assign a value:
- What security measures are in place?
- What processes implement, standardize, and optimize these security practices across the organization?
Effectively: what controls are actively monitoring and measuring your routine business practices, and what ongoing initiatives do you have in place to improve operations against the intended compliance framework?
Quality over Quantity
The CMMC is taking a “best of breed” approach to incorporate controls from several leading frameworks, including NIST SP 800-171, NIST SP 800-53, ISO 27001, ISO 27032, AIA NAS9933, and more. The draft CMMC encompasses the following 17 domains, each of which has its own specific capabilities:
Access Control; Asset Management; Audit and Accountability; Awareness and Training; Configuration Management; Identification and Authentication; Incident Response; Maintenance; Media Protection; Personnel Security; Physical Protection; Recovery; Risk Management; Security Assessment; Situational Awareness; System and Communications Protection; and System and Information Integrity.
To become certified, a vendor must demonstrate to an accredited, independent third-party commercial certification organization both the appropriate maturity of its cybersecurity controls and the organizational maturity of its cybersecurity practices and processes.
The DoD is expected to release the first live version of the CMMC in January 2020. By June 2020, the industry should expect CMMC requirements to be part of information requests. The OneTrust team is committed to tracking and indexing these changes as they are introduced. The OneTrust DataGuidance research team is following the development of the CMMC. Stay up to date with auditing and enforcement actions regarding the CMMC at Free.DataGuidance.com. V.07 is the latest version of the draft available; this document is available for review today at the website for the Office of the Under Secretary of Defense for Acquisition & Sustainment.