CMMC – Staying Ahead of the Bow Wave
Written by: Aaron West
A bow wave is formed at the bow of a ship as it moves through the water and can be a risk to other boats in the harbor. The Department of Defense’s new cybersecurity standard is about to create a similar “bow wave” that could catch businesses off guard if they are not ready for it. The DoD published version 1.0 of the Cybersecurity Maturity Model Certification (CMMC) in January 2020. The CMMC is a unified cybersecurity standard for DoD acquisitions that will be in effect starting soon. Whether you’re a manufacturer, a software developer, or a consulting firm – this standard will apply to your business if you have or seek DoD contracts. The Office of the Under Secretary of Defense for Acquisition & Sustainment and the CMMC Accreditation Body are expected to provide more information about how it will be implemented in the coming months. Regardless, with version 1 of the model, we have the standard upon which the certifications will be based and can use it to prepare accordingly. However, understanding the critical differences in the levels of maturity, as it relates to specific DoD supplier actions, can be challenging to discern. We’ll review the first three levels of certification, the purpose for each, and what it means for you as a current or future DoD supplier. In a future article, we will examine Levels 4 and 5.
When you study the graduated levels of cybersecurity maturity in the model (see Figure 1), you understand that there are increasingly more controls required. One starts at the “basic”
Figure 1 – CMMC Levels of maturity by number of practices
level and then moves to “intermediate” and so on, but what does this mean for you, the DoD supplier, in real terms?
First, what classified information do you have and therefore need to protect? Second, what threat will you likely face based on the sensitivity of the information you possess? The Department of Defense will use these criteria to determine the maturity level required in the contract. It’s projected that most contracts will require achieving Level 3 maturity if there is Controlled Unclassified Information (CUI) to be processed.
CUI is unclassified, but it still requires safeguarding. Examples include data that could reveal the state of U.S. critical infrastructure or disclose details of unique parts under export control restrictions. Federal Contract Information (FCI) is less sensitive than CUI and typically consists of scheduling and sales-related data. The CMMC model considers that if you meet the Level 1 requirements, your business is adequately protecting FCI and that at Levels 2 and 3, you are “transitioning” to safeguard CUI and protecting CUI, respectively. With Level 2 labeled a “transition” state, one can infer that Level 3 will be required more often in defense contracting than Level 2 when there is CUI involved. What is required of you, the contractor, to meet the transition to “good” cybersecurity at Level 3?
Figure 2 – comparing CMMC processes and practices
Figure 2 above shows a progression from Level 2 at “documented” to Level 3 as “managed.” Looking more closely at the processes specifically, we can see that the significant difference between Level 2 and Level 3 is the plan (see figure 3). Level 2 is about performing basic cybersecurity functions and documenting them. Level 3 outlines for your organization a path to create a security plan and subsequently implement that program along with generating the ability to sustain and support. Moreover, the CMMC puts particular emphasis on a managed plan by citing the inherent planning characteristics of goal setting, project planning, resourcing, training, and the “involvement of relevant stakeholders.” In short, Level 3 maturity is about establishing an organizational cybersecurity program.
Figure 3 – The Plan is the key to Level 3 and a “managed” cybersecurity program
Programs require leader commitment, and their contribution is critical to achieving the stakeholder involvement cited in the CMMC standard (see figure 3). Relevant stakeholders could include groups such as third-party vendors with access to CUI to the executive leadership of the company. It’s incumbent on those seeking the CMMC stamp of approval to understand
the overarching “why” behind your security needs to drive the necessary buy-in to build your security program. Achieving Level 3 means your information security program is no longer one that is primarily technical – Level 3 certification must be executive-led and systems-based.
Is it better to wait until the CMMC is officially in effect before preparing for the certification? There’s not much of an argument for waiting for the “bow wave” to arrive before taking action. Businesses can’t receive the official seal of approval as yet but understanding what you need to do to achieve a particular level of maturity can put you ahead of the competition – and the proverbial bow wave. Moreover, as we showed with the Level 3 requirements, security programs take time to design, develop, and implement. Last-minute security tool purchases won’t be sufficient to make the grade for most contracts. More importantly, it’s the right thing to do for the security of your business and our country’s industrial base. Have specific questions about CMMC and how it affects your particular organization? You can reach us at info@revealrisk.com
