“In an OTA, in the technical specs, they can actually call it [Cybersecurity Maturity Model Certification (CMMC)] out and say what they want,” said Katie Arrington, DOD’s chief information security officer for acquisition, during an April 29 NextGov webinar on CMMC.
OTAs (other transaction agreements, awarded under DOD’s other transaction authority) are meant to speed the government buying process and allow DOD to buy new capabilities faster by letting officials sidestep competitive bidding in certain cases. But there’s ample worry of potential overuse, which could invite congressional scrutiny.
Arrington’s comments come as DOD has begun pushing for the use of OTAs to find and execute on solutions that can help treat or prevent the spread of coronavirus. Ellen Lord, DOD’s acquisition chief, issued a memo in early April to ease the OTA process by delegating contracting authorities to heads of agencies and combatant commanders during the pandemic.
For example, the Army issued $100,000 contracts for innovative ventilator solutions that could be deployed in rural settings as part of its xTech COVID-19 Ventilator Challenge. The ongoing contest aims to produce 10,000 ventilators suitable for field operation in eight weeks and uses OTAs.
As for cyber concerns, Arrington said because OTAs operate “outside” the Federal Acquisition Regulation and largely benefit small businesses, which can be the most vulnerable when it comes to cybersecurity, CMMC is even more important.
“That’s where we need to ensure that we’re putting those levels of CMMC in,” she said. “If you’re doing some grant work, we do need to make sure the institution or the department or the network that you’re doing this work on understands the risk…Everybody’s vulnerable.”
“CMMC 1.0 was released at the end of January. The Department of Defense official leading the overhaul of cybersecurity requirements for Department of Defense contractors sees the model as being in a “constant state of evolution” over the next few years.”
“Katie Arrington, the chief information security officer for the Office of the Under Secretary of Defense for Acquisition and czar for the new Cybersecurity Maturity Model Certification, told Fifth Domain in an interview at the RSA Conference that work on CMMC will be a “perpetual thing.”
After the CMMC requirements are written into contracts around October, Arrington said she wants to “have some data to say ‘okay, these controls — are they really worth the return on investment? Do we need to tweak the model?’
Right now, Arrington said, she is working with staff to create the audit training. One of the challenges in building the training, like creating CMMC itself, is ensuring that it is simple and easy to understand.
Beyond CMMC, Arrington said that the “next big thing” she’s going to work on is supply chain illumination tools and adding continuous monitoring into “… those most vulnerable in our supply chain and the ones that are working on the most critical technologies,” she said. “I need to know how they’re doing acting day-to-day, how their supply chain looks.”
Arrington also told Fifth Domain that she expects CMMC to be adopted internationally in 2020 and 2021.
“Our Five Eyes partners are like, ‘hey, we’re right here with you,’” she said.
With the federal government facing constantly evolving attacks on its supply chain, Arrington said that CMMC needs to be able to adjust to new challenges.
“If it becomes a checklist, we have all failed,” she said. “It needs to become critical thinking about security and understanding that the threat today will not be the same threat that’s here a year or two years from now. And that we have to be constantly looking at how do we tweak? How do we bob? How do we weave?”
“Forthcoming cybersecurity controls are designed to help DoD and small business work together to protect sensitive data and help industry comply in a fairer way depending on the types of systems they’re asked to defend.”
“Small businesses are increasingly being targeted digitally by nation states, according to Department of Defense officials, who say more must be done specifically to evaluate and reinforce the security of contractors battling cyberattacks.
“We’re losing,” said Katie Arrington, special assistant to the assistant secretary of defense for acquisition for cyber within the office of the undersecretary of defense for acquisition and sustainment, speaking Oct. 7 at an AFCEA-hosted event.
Arrington explained that adversaries cost the country $600 billion a year and that, with 5G on the horizon, that amount must be multiplied “umpteenth” times by 2025, given the near-unlimited bandwidth the technology promises for cyber campaigns. As a result, Arrington said, the forthcoming Cybersecurity Maturity Model Certification (CMMC) was designed specifically for small businesses.
The CMMC is a framework that grades company cybersecurity on a scale of one (least secure) to five (most stringent). What small businesses will be asked to do is comply with a tiered rating system depending on the systems they’ll be working on.
What this means is that a company providing janitorial services may only need to comply with Level 1 of CMMC, as opposed to Level 3, which is equivalent to the NIST SP 800-171 requirements, or Level 4, which is reserved for exquisite systems.
In the past, there was a two-tiered system for small businesses to be compliant, Arrington described. A company could be compliant with 80 controls under NIST SP 800-171 and have a Plan of Action & Milestones (POA&M) to do the other 30, while another company could be doing all 110 controls, and both were technically acceptable.
“That isn’t right, because our adversaries aren’t taking a cup of coffee and saying, ‘I’m going to come back to you when your POA&M is done,’” said Arrington. “They’re walking through those POA&Ms like they’re Swiss cheese.”
As a result, Arrington made the case that the CMMC is really about leveling this playing field and protecting sensitive systems that require additional cybersecurity controls.
Some have noted that these new requirements, while meant to protect the defense industrial base against loss from external forces, could hit smaller companies harder within the market.
“This would have severe unintended consequences on small businesses that do not have the resources and sophistication to obtain a high CMMC level, producing market entry barriers and limiting competition,” the Professional Services Council said in a Sept. 25 letter to DoD following the September draft release of the CMMC.
“Until we see the whole scope of who it’s going to apply to and why it’s going to apply to them, it could impact a lot of small companies,” Alexander Major, partner and co-lead for government contracts at McCarter & English LLP, told FCW following the same draft release.
Major’s co-lead, Franklin Turner, also told FCW that Arrington’s assertion that the CMMC would cost only a few thousand dollars is “utterly foolish,” adding it would “likely be an impediment” for small companies.
However, as Arrington and others have pointed out, top nation states are targeting these smaller companies, necessitating the initiative. Trying to sympathize with the audience, Arrington touted her background contracting with utilities, water and weather services where she herself was guilty of poor cybersecurity practices as a program manager.
“I knew where the weather was, the water was and the electric was. It was all on my laptop,” she said.
She did much of her work at coffee shops because, “I needed to network and I needed to communicate with my peers to drive new business and I needed to be seen, because as a small business you have a lot of people who telework from home.”
But even using a VPN to tunnel into work accounts has the potential to be exploited, Arrington acknowledged. “I was taking everything around me in the pipe.”
Recent events have put a spotlight on the fact data doesn’t have to be classified to be sensitive. Several Navy breaches — largely attributed to China — targeted contractors that were determined to have information that wasn’t itself classified, but in aggregate disclosed sensitive capabilities. It is the increase in campaigns to exploit a higher percentage of lower-level vulnerabilities that the CMMC framework addresses.
“Our adversaries are not trying to get at us at the … top of the nuclear triad,” said Arrington. “You don’t have the aperture to defend yourself against a nation state and we don’t want you to. I need to be able to help you protect us because when 80 percent of my data lives on your network, it’s no longer a you or a me — it’s a we thing. This is a we problem.
“I need to know exactly what I’m asking you to protect and at what level. Right now, you’re all just doing a bunch of different disparate things, but there’s not a level set. [Cybersecurity] controls do not equal requirement,” Arrington continued.
It is expected that in fall 2020 CMMC requirements will be included in requests for proposals and will be a go/no go decision.”
“The Department of Defense’s new cybersecurity certification standards for contractors are officially arriving later this week, and the plan is to have about 1,500 companies certified by next year as the requirements start to pop up in contracts, officials said Tuesday.”
“For now, the program’s newly formed certification board is preparing to train and certify assessors, but it does not have a projection as to how many of the cybersecurity specialists will initially be available and when, board member Mark Berman said. The board, a nonprofit, is housed outside of DOD.
The Cybersecurity Maturity Model Certification process will subject all DOD contractors to third-party cybersecurity assessments, with the goal of protecting the military’s entire supply chain. The program is replacing the DOD’s current reference document — the National Institute of Standards and Technology’s standards for cybersecurity — with a five-level rating system.
The vast majority of contractors will need only to meet the first level, but even that level of accreditation will still require an in-person assessment by a certifier, officials said.
Industry must move away from self-assured “checklist” security and have continuous security principles baked into its work, said Katie Arrington, special cyber assistant to the assistant secretary of defense for acquisition who has led the creation of CMMC.
“CMMC is meant to create critical thinking around cybersecurity,” Arrington said during an explanatory event Tuesday hosted by Holland and Knight.
The move away from self-certification is one of the major changes that will appear in the finalized CMMC model after the department has circulated several rounds of drafts and parts of the plans in the past months. Arrington and others admitted the existing reliance on self-certification has been a failure with defense technology being stolen by adversary nation-states and criminal organizations alike.
“They are done because they have not worked,” Arrington said of self-certifications.
Implementing CMMC will be a “team sport,” Ty Schieber, another accreditation board member, said during the panel discussion.
Despite large pushes from Arrington and others to get the word out in Washington, D.C., and on listening tours around the country, a recent study found low recognition of the program from defense contractors. Only a quarter of surveyed defense contractors could accurately identify what CMMC stands for.
The DOD projects a slow rollout of CMMC into contracts but hopes the transition will be smooth as businesses realize the threat from cyberattacks. Arrington assured contractors that the government will work “hand-in-hand” with companies as they start the certification process and encounter contracts with the new requirements.
U.S. allies are also being brought into the discussions, Arrington said. The United Kingdom, Sweden, Canada and others will be incorporated into the model to continue partnerships on defense technologies, Arrington said.”
“Overall, the survey found contractors have “gotten the message” on the importance of cybersecurity, but few have implemented mitigation efforts to the imposing threats, Tier1 Cyber CEO Bret Cohen told FedScoop.
The survey was conducted in November and solicited responses from a random sample of 150 government contractors with revenues of more than $15 million annually. Two-thirds of the respondents were DOD contractors with the vast majority employing more than 1,000 people.
The defense industry is targeted by state and rogue actors seeking to obtain sensitive national security data. To strengthen the military supply chain, the DOD launched CMMC as a top-down cybersecurity review and new framework to ensure compliance with cyber standards for all contractors.
The Cybersecurity Maturity Model Certification will replace the National Institute of Standards and Technology standards for cybersecurity as it is phased into contracts later this year. Currently, contractors only need to self-certify NIST compliance. That will change under CMMC, with all companies in the DOD supply chain needing a third-party accredited assessor to certify their level of cybersecurity compliance on a five-level scale. The security level will comport with the type of data contractors are given, with the most sensitive material only being entrusted to contractors certified at the higher levels.
The process could take up to a year, most of which will be while companies assure the “maturity” of their network security, Cohen said. Beyond initial certification, contractors will also need to continuously ensure security compliance; they risk losing certification in the event of a breach, according to the DOD’s frequently asked questions page on CMMC.
The upcoming rules are not the only thing respondents displayed a lack of knowledge on. Cohen was also surprised by the low levels of trust DOD contractors say they have for third-party vendors. Only 12 percent of the defense contractors surveyed said they trust their vendors, an apparent weak link in the chain. Cohen interpreted that as evidence that contractors aren’t concentrating on their vendors’ security or, worse, just don’t know the state of their third-party vendors’ security.
Other contractors surveyed showed little implementation of cyber mitigation efforts beyond “water cooler conversation” about the topic. Many employees’ personal devices lacked security software, and training was not a regular practice for many of the contractors surveyed.
Cohen said he anticipates other government agencies to adopt models similar to CMMC and the DOD’s implementation will likely continue on track, despite his company’s survey finding limited understanding among contractors.”
“The CMMC accreditation body, a not-for-profit and independent group of stakeholders, has been stood up and recently selected its chair.
[It] will take the cyber standards set to be released this month and use them to develop training and certification requirements for the third-party assessment organizations and individual assessors that will evaluate companies.”
“Training of the third-party accreditors for the DOD’s upcoming unified cybersecurity standard will take place from now until June, according to the Defense Department’s acquisition head.
Ellen Lord, the defense undersecretary for acquisition and sustainment, told reporters the final version of the Cybersecurity Maturity Model Certification is set to publish by the end of January, and an independent accrediting body will begin training the auditors.
“The release is the end of this month for the CMMC model version one,” Lord told reporters during a Jan. 14 Defense Writers Group event in Washington, D.C. “The initial training is taking place of the assessors between now and June,” which is when the first requests for information including the standard are expected to roll out.
The CMMC accreditation body, a not-for-profit and independent group of stakeholders, has been stood up and recently selected its chair. The consortium, as Lord referred to it, will take the cyber standards set to be released this month and use them to develop training and certification requirements for the third-party assessment organizations and individual assessors that will evaluate companies.
FCW has reached out to the accrediting body for more information on training.
Ty Schieber, the CMMC accrediting body’s chairman, previously told FCW the organization has several working groups that will help define and strategize around the accrediting body’s functions, including governance, standards, adjudication, organizational structure, change management and budget.
Lord said the accrediting body “will incorporate semi-automated processes” and “include a tool that certified third-party assessors will employ for audits and collecting metrics to inform risk.”
The impending cybersecurity certification has drawn concern among small business advocates, particularly around cost and the required expertise for implementing the standards.
When asked whether DOD has done an impact study on how CMMC will affect small businesses, Lord didn’t have a clear answer, simply saying that trade organizations such as the Professional Services Council were looking into it.
“One of my biggest concerns was really about small and medium businesses because that’s where a large part of innovation comes from and we need that. We want to retain them,” Lord told reporters.
DOD has said it is working with the accrediting body, prime contractors, and industry associations to brainstorm ideas on how to make implementing the cybersecurity standard more cost effective. However, Lord said, there won’t be a way around CMMC, and waivers were not being considered at this time.
“I do not anticipate waivers at this point in time,” Lord said. “We have not discussed that because cybersecurity is so critical, it becomes a differentiator.”
Instead of waivers, Lord reiterated that CMMC has multiple levels, the lowest of which adheres to basic cyber hygiene practices and can be tailored to any system.
Ultimately, Lord said it’s an “ecosystem” when it comes to supply chain security.
“We do understand this is an ecosystem, and frankly we often forget that,” she said. “When you look at integrated supply chain, you have six, seven, eight, nine levels down and it’s that six, seven, eight, nine levels that we are really, really concerned about.”
DOD anticipates completing the federal rulemaking process for CMMC by the end of 2020.”
“Every contractor, large and small – prime and sub – will be required to be CMMC-certified in 2020. Cybersecurity maturity will be the fourth critical measurement along with cost, quality, and schedule.
This compliance model will ultimately define cyber standards across several maturity levels that range from basic cyber hygiene to advanced cyber maturity.”
The Department of Defense is adding some muscle to the fight. In recognition of growing threats and increasing weaknesses in its supply chain, the DoD has published draft guidelines, the Cybersecurity Maturity Model Certification 0.7 (CMMC), for its more than 300,000 defense contractors – before full implementation in January.
What does this mean for defense contractors aiming to meet CMMC criteria in the new year? Simply put – start now.
Forward-leaning defense contractors who prioritize cybersecurity readiness should initiate these three preparatory steps even before year-end:
Inventory current cybersecurity practices and protocols against the CMMC 0.7 version that spells out criteria for Levels 1-5 certification.
Level 1 is the foundational layer that sets out the basic cyber hygiene practices that contractors must meet, and upon which all other Levels are built.
Beginning at Level 2, intermediate cyber hygiene practices are established, allowing the organization to more effectively respond to cyber threats. Additionally, level 2 introduces the process maturity dimension of the framework, requiring organizations to have standard operating procedures, policies, and plans for all practices.
To achieve Level 3 and beyond, contractors must implement effective controls that meet many of the security requirements of NIST SP 800-171 Rev 1, including for contracts that require access to or generate controlled unclassified information (CUI). Proper endpoint detection and response capabilities, antivirus software, and overall good IT hygiene will help achieve this status.
The new NIST SP 800-171B draft will help address Levels 4 and 5. However, even at Level 5, the DoD model indicates that companies will only then have the capability to optimize capabilities in “an attempt to repel” advanced persistent threats (APTs). Clearly, today’s threat environment is rapidly evolving and growing more sophisticated. Maturity frameworks like the CMMC must evolve as well.
Identify gaps and plan improvements in processes and practices to achieve readiness for third-party CMMC assessment.
This step means looking across every company platform for material weaknesses that can be exploited by bad actors. Oftentimes, this can begin with auditing past security missteps and holes in protection from legacy systems. The methods to protect networks that agencies have employed in the past may no longer serve their intended purpose – now is the time to implement a fresh approach to improving organizational security posture.
Research shows that attackers are quick to target smartphones and endpoint devices – in short any connected devices that are generally less protected than government computers. CrowdStrike’s 2019 Mobile Threat Report found a diverse array of adversary groups are increasing attacks on mobile platforms.
Last, and most important, evaluate where your company is on the road to process maturity in each of the CMMC domains.
Each domain requires meeting the appropriate process maturity standards for every level beyond basic cyber hygiene. Most domains are familiar and range from access control, risk management, awareness and training, asset management, recovery, and situational awareness.
Establishing readiness in each of the domains, however, means taking a comprehensive approach to tasks your organization will be carrying out as part of a federal contract.
CrowdStrike studies show that organizations are largely underprepared for new cyber threats. In a recent survey of 1,900 senior IT decision-makers, the analysis found that U.S. organizations take an average of 101 hours to detect, triage, and contain a data breach. This translates into more than four days of round-the-clock work. Remember, the gold standard to combat sophisticated cyber threats is the 1-10-60 benchmark: detect an intrusion in under one minute; perform a full investigation in under 10 minutes; and remove the adversary in under 60 minutes.
The adoption of frameworks like 1-10-60 and other proactive security technologies, processes, and techniques are critical to getting in front of the ever-changing cyber landscape.
Cybersecurity technologies that harness the power of the cloud, machine learning and artificial intelligence to rapidly detect, prevent, and remediate threats are all critical to shutting down today’s stealthy adversaries. Leveraging these modern tools will also help to achieve the level of cybersecurity maturity that will soon be mandated by the DoD via the CMMC standards.
The bottom line is that CMMC is a vital new DoD initiative, one that is essential to carrying out the important work of the defense industrial base, who in partnership with the government are charged with carrying out a very complex and extremely important mission.
Resolve to start now on a New Year’s resolution to achieve CMMC readiness.”
“WASHINGTON TECHNOLOGY” By Chor-Ching Fan, David Trout
“DoD’s CMMC cyber compliance program rolls out in January 2020 and all defense contractors need to prepare.
By understanding CMMC requirements, taking advantage of cyber assistance programs, engaging guidance from compliance experts, and leveraging a cloud-based compliance application, small and mid-sized contractors can become CMMC compliant with fewer disruptions and less cost.”
“The Department of Defense recently announced that contractors who provide products and services for the defense supply chain will be required to comply with the Cybersecurity Maturity Model Certification (CMMC) process beginning in 2020. This new security standard is designed to ensure that contractors have appropriate security measures in place and begin prioritizing security with the same weight as quality and safety. Because CMMC compliance will be critical to winning business with the Pentagon, DoD contractors need to understand what CMMC is all about.
CMMC Certification Levels and Controls
Representing a unified cybersecurity standard for DoD contractors, CMMC combines a selection of security controls from NIST SP 800-171A, SP 800-171B and potentially other frameworks such as NIST SP 800-53 and ISO 27001. CMMC compliance will be certified by third-party assessors, rather than through self-certification as was allowed for NIST SP 800-171. To address the range of DoD contractors, CMMC comprises five levels of cybersecurity ranging from basic cyber hygiene at Level One to advanced security operations at Level Five for highly sensitive defense assets.
CMMC’s risk-based framework allows a more nuanced application of DoD cyber defense requirements based on the amount of Controlled Unclassified Information (CUI) being handled or processed.
Katie Arrington, the special assistant to the Assistant Secretary of Defense for Acquisition for Cyber in the Office of the Under Secretary of Acquisition and Sustainment in DoD, has stated, “If we were doing all the necessary security controls, we wouldn’t be getting exfiltrated to the level that we are. We need to level set because a good portion of our defense industrial base doesn’t have robust cyber hygiene. Only 1 percent of [Defense Industrial Base (DIB)] companies have implemented all 110 controls from the National Institute of Standards and Technology. We need to get to scale where the vast majority of DIB partners can defend themselves from nation state attacks.”
Choosing the appropriate CMMC level is critical and all defense contractors must achieve at least Level One certification. Contractors failing to meet any item required for a level certification will be certified at the level below it. For example, failure to meet all required security controls for Level Three would result in a certification for Level Two, effectively barring a contractor from bidding on an RFP with Level Three or higher specified in Sections L and M.
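The level-determination rule just described, as an added example that is not from the article, from Rizkly or from DoD: a small Python routine that takes per-practice assessment results and returns the level a contractor would be certified at. It assumes only the rules the page states (levels are cumulative, missing any practice required for a level drops certification to the level below, and, as the next section notes, an open POA&M item no longer counts as implemented). The practice identifiers and the assessment results are constructed for illustration and are not real CMMC practice IDs or a real assessment.

```python
"""Compute the CMMC level an assessment would certify (added example).

Rules as the article states them: levels are cumulative, a contractor
that misses any practice required for a level is certified at the level
below it, and an open POA&M item no longer counts as implemented.
Practice identifiers and results are constructed for illustration; they
are not real CMMC practice IDs or a real assessment.
"""
from dataclasses import dataclass, replace
from typing import Dict, List


@dataclass(frozen=True)
class PracticeResult:
    practice_id: str    # hypothetical identifier, e.g. "L1-AC-01"
    level: int          # lowest CMMC level at which the practice is required
    implemented: bool   # assessor found the practice fully implemented
    poam: bool = False  # remediation is only planned on a POA&M


def is_met(r: PracticeResult) -> bool:
    """A practice counts only when implemented and not deferred to a POA&M."""
    return r.implemented and not r.poam


def certified_level(results: List[PracticeResult], max_level: int = 5) -> int:
    """Highest level L such that every practice at levels 1..L is met.

    Stops at the first level that was not assessed at all, since a level
    cannot be certified without evidence for its practices.
    """
    by_level: Dict[int, List[PracticeResult]] = {}
    for r in results:
        by_level.setdefault(r.level, []).append(r)

    achieved = 0
    for level in range(1, max_level + 1):
        practices = by_level.get(level)
        if not practices or not all(is_met(r) for r in practices):
            break
        achieved = level
    return achieved


def gaps_for_level(results: List[PracticeResult], target: int) -> List[str]:
    """Practices at or below `target` that would block certification there."""
    return sorted(r.practice_id for r in results
                  if r.level <= target and not is_met(r))


def remediate(results: List[PracticeResult], practice_id: str) -> List[PracticeResult]:
    """Return a copy of the results with one practice marked fully implemented."""
    return [replace(r, implemented=True, poam=False) if r.practice_id == practice_id else r
            for r in results]


# Constructed assessment: Level 1 and 2 practices all met, one Level 3
# practice still sitting on a POA&M. Under NIST SP 800-171 self-attestation
# the POA&M was acceptable; under CMMC it is a gap that caps the result.
SAMPLE_ASSESSMENT = [
    PracticeResult("L1-AC-01", 1, True),
    PracticeResult("L1-IA-01", 1, True),
    PracticeResult("L1-SC-01", 1, True),
    PracticeResult("L2-AU-01", 2, True),
    PracticeResult("L2-CM-01", 2, True),
    PracticeResult("L3-IR-01", 3, False, poam=True),
    PracticeResult("L3-SI-01", 3, True),
]

if __name__ == "__main__":
    print("certified level:", certified_level(SAMPLE_ASSESSMENT))     # 2
    print("gaps for level 3:", gaps_for_level(SAMPLE_ASSESSMENT, 3))  # ['L3-IR-01']
    fixed = remediate(SAMPLE_ASSESSMENT, "L3-IR-01")
    print("after remediation:", certified_level(fixed))               # 3
```

The point the routine makes concrete is the one the article draws: a single open POA&M item at Level 3 leaves the contractor certified at Level 2, so a gap tracker should treat deferred items as unmet rather than as partial credit.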
CMMC Third-Party Audits
Under previous NIST SP 800-171 regulations, DoD contractors had the option to self-certify. Any security gaps that were identified were noted in a Plan of Actions and Milestones (POA&M), allowing a contractor to continue to provide products and services without achieving compliance with all 110 security controls. With CMMC, self-certification is no longer an option. In addition, POA&Ms are no longer allowed, which means contractors have to address weaknesses in order to achieve compliance and certification. The DoD plans to engage a non-profit organization to certify third-party auditors in late 2019. Once CMMC auditors are certified, they will be responsible for conducting third-party assessments of DoD contractors beginning in mid-2020.
DoD is moving quickly to roll out CMMC. The current timeline for CMMC indicates that contractors will need to be certified by late 2020 in order to bid on contracts. In order to prepare, contractors need to determine where they stand regarding NIST SP 800-171 controls and the CMMC level they want to achieve as soon as possible. CMMC requirements might encompass controls from other frameworks (e.g. NIST SP 800-53, ISO 27001), but the 800-171A and 800-171B controls make up the core and are thus a good starting point. Even a relatively short delay may jeopardize achieving CMMC certification by the deadlines set by the DoD or those established by your internal business development team.
Budget Concerns for CMMC
Recognizing that the cost of implementing security controls represents a barrier for small and even mid-sized defense contractors, DoD and other federal and state agencies are considering how to provide financial assistance for some CMMC compliance and certification costs. Targeting small and mid-sized DoD contractors, several financial support resources have been discussed or announced.
Kevin Fahey, the assistant secretary of Defense for Acquisition in the Office of the Under Secretary of Acquisition and Sustainment, gave permission to Katie Arrington to inform DoD vendors that security is an allowable cost.
The Small Business Cybersecurity Assistance Act, recently introduced in the Senate by Marco Rubio (R-FL) and Gary Peters (D-MI), would provide cybersecurity education to SMBs at Small Business Development Centers (SBDCs) that are funded by Small Business Administration (SBA) grants.
Some states offer cybersecurity assistance programs for small businesses. These programs are typically coordinated through the state’s Manufacturing Extension Partnership Program (MEP). For example, Maryland’s program covers 75 percent of remediation costs up to $10,000, based on the results of a gap analysis.
CMMC Expertise and Tools
Effective CMMC compliance efforts require access to security control expertise and easy-to-use compliance tools to organize and track progress. Failure to plan and coordinate compliance efforts can result in excessive costs, distractions to core business, and lost revenue opportunities. Coordinating with contract, business development, and solution teams early in the process results in a smoother path to CMMC compliance.
DoD contractors without access to in-house NIST compliance experts can engage the help of a virtual compliance officer (vCO). An experienced NIST vCO can help contractors determine which CMMC levels are appropriate, decipher the security control requirements, and understand specific control implementation for development and production environments, as necessary.
CMMC compliance efforts can be more effectively managed with cloud-based compliance software that provides CMMC controls, policy management, evidence management, and tracking. Since CMMC compliance includes external assessments and spot audits, DoD contractors can streamline CMMC efforts with a solution that supports secure role-based access for staff, external advisors and third-party assessors.
DoD’s CMMC cyber compliance program rolls out in January 2020 and all defense contractors need to prepare. DoD contractors can take proactive steps to minimize the time and effort required for CMMC compliance by staying up-to-date on the latest developments by visiting DoD’s site or subscribing to periodic alerts on NIST 800-171 and CMMC developments.”
Chor-Ching Fan is the president and CEO of Rizkly, a firm that helps companies achieve and demonstrate compliance with industry-mandated cybersecurity and privacy standards. He has over 20 years of experience helping companies manage global supply chain processes and harness disparate data to improve decision-making. His software product management experience spans global SaaS products for B2B data integration, governance and risk analytics, and self-service cloud analytics.
David Trout is the chief strategy and business development officer for Rizkly, a firm that helps companies comply with industry-mandated cybersecurity and privacy standards. He has over 20 years of experience helping companies achieve enhanced security posture and compliance with industry standards such as NIST, SOC and FedRAMP. He is a Certified Information Systems Security Professional (CISSP) and a Certified Information Security Manager (CISM).