VantagePoint: Securing the DoD Supply Chain through CMMC
by Steve Raia, Member, InfraGardNCR Board of Directors
Like many of you, I have spent a lot of time thinking and working on CMMC compliance over the past year. I thought this would be a good time to share some lessons I have taken from this process. Hopefully they will be helpful to you as you prepare your firms for compliance.
For those of you who are not familiar with CMMC, here are a few quick facts:
CMMC (the Cybersecurity Maturity Model Certification) was established by the U.S. Department of Defense (DoD) to provide a baseline set of cybersecurity requirements for companies that want to supply products and services to DoD.
It defines five levels of maturity, ranging from a basic Level 1 to a more robust Level 5, and more than 250 requirements that are mapped across the 5 Levels.
These requirements include technical controls (i.e. passwords, network defenses, and cryptography) as well as non-technical controls (i.e. plans, procedures, and policies). Many, though not all, of the requirements in Levels 1-3 are aligned to the requirements of NIST 800-171.
Beginning in 2021, some DoD opportunities will specify a minimum level of certification that must be achieved by contractors intending to bid.
Now that we are all acquainted with the basics, here are some ideas to consider:
First, make sure you start preparing early. There is a good chance that your company has many of the required controls in place, but some of the requirements are not trivial. Depending on the level of maturity you are seeking to achieve, you may be required to implement a SOAR platform or a 24x7 SOC. Anyone who has implemented these knows that they cannot be done in a few days or weeks.
Second, although CMMC contains many references to NIST 800-171 and the DoD leaders responsible for CMMC will tell you that any firm that is compliant with 171 has already finished 110 of the CMMC controls, the devil really is in the details. Make sure you read the CMMC specification, including the appendix. This document has detailed guidance about what CMMC means by each control. The CMMC guidance is sometimes subtly different than 171, so you may need to adjust your response accordingly.
Third, remember that CMMC requires an audit by an independent third-party auditor. Even with the best of intentions, it's possible that you graded yourself on a curve when you self-assessed your compliance with 800-171. An independent auditor will not do that, so make sure your controls, documents, and evidence are sufficient to convince an auditor. Has your internal audit team or quality management department assessed your CMMC controls? Are your processes repeatable? Do you have evidence that your controls are in place and that your policies and processes are being followed?
As we all work to help improve the security of our critical defense infrastructure with CMMC, there are still a number of questions that need to be answered. If you have questions, please submit them to the DoD (specifically to the OUSD(A&S) office) or the CMMC-AB and share the answers you receive with the community. Here are a couple of questions that I am currently trying to get answered:
When (and how) can a company sign up for a CMMC assessment? Can we be audited in early 2021, or will our work have to wait for 6 months, a year, or more? This is the $64,000 question that I and many others would like to get answered.
How will the CMMC framework be maintained and refreshed over time? As you all know, things change quickly in this field. One simple example of the challenge relates to passwords. CMMC includes multiple controls about passwords -- length, complexity, reuse, multi-factor authentication, etc. It does not say anything about the password requirements in NIST 800-63B (which were published in 2017 and are described by NIST as being mandatory). CMMC also says nothing about passwordless authentication. Surely this does not mean that DoD wants its suppliers to stick with 6-character passwords that expire every 90 days when the entire cyber community knows that we can do much better.
CMMC has the potential to help transform the DoD supply chain, but it doesn’t stop there. Other federal agencies are also talking about requiring CMMC certification for their future procurements. CMMC shows us that a baseline level of cybersecurity is becoming table stakes for participating in this industry, which is a good thing.
Although every company wants to get certified early in the hopes that this will give them a market advantage, we should remind ourselves that we are all in this business to support the U.S. Government as it delivers citizen services and helps protect us from foreign threats. We should compete primarily on the value we can provide to the government, not on the security of our corporate systems and data.
As the recent SolarWinds hack reminds us, compliance may be necessary, but it is not sufficient for an organization to be secure. CMMC provides a baseline of minimum controls for firms that engage with DoD, but we need to build on that baseline by focusing on active defense and the effectiveness of our security programs. The more effectively we do that, the safer we can make our nation's critical defense infrastructure.