On June 24th, the Potomac Officers Club hosted their virtual CMMC Forum for executives from the federal government and its industry partners to discuss the Cybersecurity Maturity Model Certification (CMMC) and its impacts on the U.S. Department of Defense (DoD) supply chain – the 300,000 businesses collectively known as the Defense Industrial Base (DIB), which handle R&D, design, production, delivery, and maintenance of the products and services essential to mobilizing and sustaining military operations.
In her keynote at the Forum, Katie Arrington, the DoD’s chief information security officer for acquisition and sustainment, addressed some of the more recent news about the CMMC, provided context for why it’s essential at this point in time, and acknowledged the need for government and industry to work in concert to improve the national defense.
What is the CMMC?
Before we recap the takeaways from her keynote, a reminder about what the CMMC is: a unified standard for implementing cybersecurity across the DIB. As Ms. Arrington called it, CMMC is “the DoD standard for all contracts,” and is based on the National Institute of Standards and Technology Special Publication 800-171, which governs Controlled Unclassified Information (CUI) in Non-Federal Information Systems and Organizations. NIST 800-171 was specified by the DoD’s CIO Dana Deasy, and is a shift away from ISO 27002, an internationally-recognized cybersecurity framework that provides coverage for many common requirements like PCI and HIPAA. Ms. Arrington’s role as she described it is to “find ways to implement the standards and make them accountable in the DIB.”
A key component is the third-party audits suppliers must go through to get certified to work at progressively higher levels of DoD contracts. The auditors are known as CMMC Third Party Assessment Organizations, or C3PAOs – a term used throughout the session as shorthand for the auditing process.
The CMMC has been alternately praised and criticized: praised for codifying measurable processes and practices that standardize contractors’ defense postures, and criticized not only for its cost to the US economy (more than $100 million), but for presenting additional hurdles to working with government, especially for small businesses and startups.
In her keynote, Ms. Arrington reiterated her commitment to “getting it right,” and shared her own experience working in industry and having to jump through past program-specific hurdles — hence the shift to organization-wide certification with the CMMC. “We learned; we built the model differently. CMMC needs to be about the enterprise, one and done.” She reminded the group of the tremendous amount of visibility and oversight this program has had from the entire US government, and clarified its priorities:
“The CMMC is about level setting and making the industry get where they need to be to protect themselves and us. It’s about giving you the right resources to be able to provide that security, helping you to help us.”
She was clear that the national defense needs industry as its partner. “We don’t exist without you…you are how we defend ourselves.” And, “we aren’t trying to make it hard for you to do work. We need to ensure you’re there in the long term.”
Ms. Arrington framed the discussion around COVID-19, explaining that while some delays have occurred as the department navigated the limitations it faced in light of the pandemic, it’s now “the new normal.” She explained, “the way we’re communicating now is the string that holds us together; for example video platforms like the one we’re on now that transcend geographic location. COVID has underscored the need for basic cyber hygiene,” referencing the Level 1 CMMC certification – confirmation that 17/110 controls are being met.
Level 1 is meant to ensure that the vast majority – 280,000 out of 300,000 companies in the supply chain – can simply respond to the question, “Have I done the basics to secure myself, my company and my nation?” Ms. Arrington explained, Level 1 is “not a barrier that is too high to get to,” specified that the price of the audit should be no higher than $3,000, and shared that grants will be available to assist smaller businesses.
More than 1,000,000 credentials belonging to employees in the DIB are in the hands of criminals, according to stats pulled from the SpyCloud database of third-party breach data (published as an infographic [PDF]).
The audit process itself was a hot topic. Training for auditors opens this week, a bit behind schedule due to COVID-19. Some insights that were shared:
- With the CMMC baked into Requests for Information (RFIs; the starting point for DoD contracts) this month, in tandem with C3PAO training, the companies being certified right now for these RFIs will get a non-attributional audit. This means that the cost of the audit will be covered by the government, but the company won’t own it. It will only be good for the specific contract.
- However, the information the company gets from the non-attributional audit can be used to prepare for the RFP, at which point the company will need to pay for a new audit that they will own for the next 3 years. This is the standard auditing process that will be in place for the CMMC.
- With RFPs releasing in the October/November timeframe this year, Ms. Arrington reminded the audience that CMMC certs are not required until the time of contract award. She is skeptical that any work will be awarded in 2020, leaving time to achieve the required certifications before work begins in 2021.
- While most suppliers will only need Level 1 certification for the work they do with the DoD, those requiring Level 3 certification (which means attesting to all 110 controls in NIST SP 800-171) need in-person auditing because “we can’t take proprietary security information off-site.” The department is reviewing how this can be done sustainably in the long term if COVID continues to impact the country for several more months (or more).
- The goal now is to train enough auditors and ensure they are geographically accessible to all supply chain companies.
Ms. Arrington bookended the discussion with some context, explaining that the CMMC is backed by governmental and non-governmental bodies. She referenced:
- The Information and Communications Technology (ICT) Supply Chain Risk Management Task Force, established in 2018 and composed of government and industry representatives. It recently published several resources about securing the supply chain. Three of the task force’s six pillars speak directly to the intent and standards of the CMMC.
- The March 2020 release of the Cyberspace Solarium Commission report, from a commission composed of legislators, industry, and academia. Essentially endorsing the CMMC outright, it suggests that there should be a national cybersecurity certification center, set up wholly for the purpose of cybersecurity and run as a non-profit (a la the CMMC Accreditation Body).
It’s clear Ms. Arrington sees the CMMC as inevitable, the latest in a long line of shifts made during and after difficult times. She reasoned that just as WWII fundamentally changed US manufacturing principles toward quality and safety with the implementation of ISO standards, and 9/11 changed how we travel and transport people and product, COVID-19 is changing the way we interact and has resulted in increased awareness of the need for strong cybersecurity. The CMMC and its continued development after the release of version 1.0 is influenced by our current cultural shift.
Ultimately, the DoD is one of the biggest buyers in the world, and as such, she assessed, has a right to dictate how products should be sourced. That includes ensuring standards and practices among its suppliers in the US and globally.
Some have predicted that the CMMC will eventually go well beyond the Department of Defense to supplant ISO, SOC2, and HITRUST certifications. What it has already done is shift the DoD’s own culture toward a cybersecurity-first mentality, and it’s beginning to do the same for even the smallest DIB suppliers.
Recommendations for DIB Suppliers Awaiting CMMC Audits
Later in the event, a panel of experts from the Defense Counterintelligence and Security Agency, Expanse, WhiteHawk, and SpyCloud provided some recommendations for DIB suppliers at all levels of sophistication while they wait for their CMMC audits:
- Ensure the C-suite is educated on cybersecurity and is prepared to measure and manage it from the top down.
- Join one of the many resource and knowledge-sharing groups like the National Defense ISAC or the Department of Defense Cyber Crime Center (DC3).
- Implement continuous monitoring for real-time visibility into cyber threats, security misconfigurations, and other vulnerabilities.
- Track and report on any/all cyber events, and share the TTPs with fellow DIB suppliers.
- Implement a Zero Trust framework, which practically speaking means always verifying users’ identities, and only granting access once proof has been established that users are who they say they are. It’s all too easy for adversaries to pose as legitimate users. The panel referenced the Verizon Data Breach Investigations Report, which highlights that stolen credentials have been the #1 attack vector for the last 4 years, with no signs of slowing down.
- Leverage automation where possible in order to scale, such as automated remediation of employees’ compromised credentials, ensuring passwords in use are not part of any breach corpus (per NIST password guidelines).
- View the CMMC as an important milestone, but not something to fear. It presents an opportunity to shore up vulnerabilities, and train staff on the risks their behavior can present to the organization.
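The breach-corpus password screening and automated credential remediation the panel recommends, shown as an added example that is not code from the post or from any vendor's product: a NIST SP 800-63B style check (length floor, no composition rules, reject anything found in a breach corpus) using a k-anonymity range lookup so the full hash is never sent to the lookup service. The corpus, the account records and all function names are constructed assumptions for illustration.

```python
import hashlib

# Constructed breach corpus: SHA-1 digests of a few passwords that appear in
# public breach dumps. A real deployment would load a vendor feed or a Pwned
# Passwords-style file with millions of entries; the structure is identical.
_BREACHED_PLAINTEXTS = ("password", "123456", "Summer2020!", "letmein", "qwerty")
BREACH_CORPUS = {hashlib.sha1(p.encode()).hexdigest().upper() for p in _BREACHED_PLAINTEXTS}

# "Server" side of a k-anonymity range lookup: index the corpus by the first
# five hex characters of each hash so a caller only ever reveals that prefix.
RANGE_INDEX = {}
for _digest in BREACH_CORPUS:
    RANGE_INDEX.setdefault(_digest[:5], set()).add(_digest[5:])


def range_lookup(prefix):
    """Return every hash suffix in the corpus whose SHA-1 starts with prefix."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    return RANGE_INDEX.get(prefix.upper(), set())


def is_breached(password):
    """'Client' side: hash locally, query by prefix, match the suffix locally."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest[5:] in range_lookup(digest[:5])


def screen_password(password, min_length=8):
    """NIST SP 800-63B style screening at password-set time.

    Only a length floor and a breach-corpus check; no composition rules.
    Returns (accepted, reason) so the caller can tell the user why it failed.
    """
    if len(password) < min_length:
        return False, "too short"
    if is_breached(password):
        return False, "found in breach corpus"
    return True, "ok"


def accounts_needing_reset(accounts):
    """Automated remediation sweep over existing credentials.

    accounts: iterable of (username, sha1_hex) pairs exported from the identity
    store (assumed here to expose SHA-1; in practice use whatever hash your
    directory provides and a corpus hashed the same way). Returns the usernames
    whose current password appears in the corpus and should be force-reset.
    """
    return sorted(user for user, digest in accounts if digest.upper() in BREACH_CORPUS)
```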