
Small Business Focus – Cyber Security Maturity Model Certification (CMMC)

Image: DAU.edu


Forthcoming cybersecurity controls are designed to help DoD and small business work together to protect sensitive data and help industry comply in a fairer way depending on the types of systems they’re asked to defend.


“Small businesses are increasingly being targeted digitally by nation states, according to Department of Defense officials, who say more must be done specifically to evaluate and reinforce the security of contractors battling cyberattacks.

“We’re losing,” said Katie Arrington, special assistant to the assistant secretary of defense for acquisition for cyber within the office of the undersecretary of defense for acquisition and sustainment, speaking Oct. 7 at an AFCEA-hosted event.

Arrington explained that adversaries cost the country $600 billion a year and that, with 5G on the horizon, that amount must be multiplied by “umpteenth” in 2025 given the near-unlimited bandwidth for cyber campaigns technology promises. As a result, Arrington said, the forthcoming cybersecurity maturity model certification (CMMC) was designed specifically for small businesses.

The CMMC is a framework that grades company cybersecurity on a scale of one (least secure) to five (most stringent). What small businesses will be asked to do is comply with a tiered rating system depending on the systems they’ll be working on.

What this means is if a company is working on janitorial services, they may only need to comply with level 1 of CMMC as opposed to level 3, which is equivalent to NIST 800-171 regulations, or level 4 that is reserved for exquisite systems.

In the past, there was a two-tiered system for small businesses to be compliant, Arrington described. A company could be compliant with 80 controls under NIST 171 and have a Plan of Actions & Milestones (POA&Ms) to do the other 30, while another company could be doing all the 110 controls and both are technically acceptable.

“That isn’t right, because our adversaries aren’t taking a cup of coffee and saying, ‘I’m going to come back to you when your POA&M is done,’” said Arrington. “They’re walking through those POA&Ms like they’re Swiss cheese.”

As a result, Arrington made the case that the CMMC is really about leveling this playing field and protecting sensitive systems that require additional cybersecurity controls.

Some have noted that these new requirements, while meant to protect the defense industrial base against loss from external forces, could hit smaller companies harder within the market.

“This would have severe unintended consequences on small businesses that do not have the resources and sophistication to obtain a high CMMC level, producing market entry barriers and limiting competition,” the Professional Services Council said in a Sept. 25 letter to DoD following the September draft release of the CMMC.

“Until we see the whole scope of who it’s going to apply to and why it’s going to apply to them, it could impact a lot of small companies,” Alexander Major, a partner and co-lead for government contracts at McCarter & English LLP, told FCW following the same draft release.

Major’s co-lead, Franklin Turner, also told FCW that Arrington’s assertion that the CMMC would cost only a few thousand dollars is “utterly foolish,” adding it would “likely be an impediment” for small companies.

However, as Arrington and others have pointed out, top nation states are targeting these smaller companies, necessitating the initiative. Trying to sympathize with the audience, Arrington touted her background contracting with utilities, water and weather services where she herself was guilty of poor cybersecurity practices as a program manager.

“I knew where the weather was, the water was and the electric was. It was all on my laptop,” she said.

She did much of her work at coffee shops because, “I needed to network and I needed to communicate with my peers to drive new business and I needed to be seen, because as a small business you have a lot of people who telework from home.”

But even using a VPN to tunnel into work accounts has the potential to be exploited, Arrington acknowledged. “I was taking everything around me in the pipe.”

Recent events have put a spotlight on the fact data doesn’t have to be classified to be sensitive. Several Navy breaches — largely attributed to China — targeted contractors that were determined to have information that wasn’t itself classified, but in aggregate disclosed sensitive capabilities. It is the increase in campaigns to exploit a higher percentage of lower-level vulnerabilities that the CMMC framework addresses.

“Our adversaries are not trying to get at us at the … top of the nuclear triad,” said Arrington. “You don’t have the aperture to defend yourself against a nation state and we don’t want you to. I need to be able to help you protect us because when 80 percent of my data lives on your network, it’s no longer a you or a me — it’s a we thing. This is a we problem.

“I need to know exactly what I’m asking you to protect and at what level. Right now, you’re all just doing a bunch of different disparate things, but there’s not a level set. [Cybersecurity] controls do not equal requirement,” Arrington continued.

It is expected that in fall 2020 CMMC requirements will be included in requests for proposals and will be a go/no go decision.”


DOD Mandates Contractor Cybersecurity Maturity Model Certification (CMMC) In 2020


Washington Technology, by Chor-Ching Fan and David Trout

DoD’s CMMC cyber compliance program rolls out in January 2020 and all defense contractors need to prepare. 

By understanding CMMC requirements, taking advantage of cyber assistance programs, engaging guidance from compliance experts, and leveraging a cloud-based compliance application, small and mid-sized contractors can become CMMC compliant with fewer disruptions and less cost.


“The Department of Defense recently announced that contractors who provide products and services for the defense supply chain will be required to comply with the Cybersecurity Maturity Model Certification (CMMC) process beginning in 2020. This new security standard is designed to ensure that contractors have appropriate security measures in place and begin prioritizing security with equal weight compared to quality and safety. Because CMMC compliance will be critical to winning business with the Pentagon, DoD contractors need to understand what CMMC is all about.

CMMC Certification Levels and Controls

Representing a unified cybersecurity standard for DoD contractors, CMMC combines a selection of security controls from NIST SP 800-171A, SP 800-171B and potentially other frameworks such as NIST SP 800-53 and ISO 27001. CMMC compliance will be certified by third-party auditors, rather than through self-certification as was allowed for NIST SP 800-171. To address the range of DoD contractors, CMMC comprises five levels of cybersecurity ranging from basic cyber hygiene at Level One to advanced security operations at Level Five for highly sensitive defense assets.

CMMC pyramid

CMMC’s risk-based framework allows a more nuanced application of DoD cyber defense requirements based on the amount of Controlled Unclassified Information (CUI) being handled or processed.

Katie Arrington, the special assistant to the Assistant Secretary of Defense for Acquisition for Cyber in the Office of the Under Secretary of Acquisition and Sustainment in DoD, has stated, “If we were doing all the necessary security controls, we wouldn’t be getting exfiltrated to the level that we are. We need to level set because a good portion of our defense industrial base doesn’t have robust cyber hygiene. Only 1 percent of [Defense Industrial Base (DIB)] companies have implemented all 110 controls from the National Institute of Standards and Technology. We need to get to scale where the vast majority of DIB partners can defend themselves from nation state attacks.”

Choosing the appropriate CMMC level is critical and all defense contractors must achieve at least Level One certification. Contractors failing to meet any item required for a level certification will be certified at the level below it. For example, failure to meet all required security controls for Level Three would result in a certification for Level Two, effectively barring a contractor from bidding on an RFP with Level Three or higher specified in Sections L and M.

CMMC Third-Party Audits

Under previous NIST SP 800-171 regulations, DoD contractors had the option to self-certify. Any security gaps that were identified were noted in a Plan of Actions and Milestones (POA&M), allowing a contractor to continue to provide products and services without achieving compliance with all 110 security controls. With CMMC, self-certification is no longer an option. In addition, POA&Ms are no longer allowed, which means contractors have to address weaknesses in order to achieve compliance and certification. The DoD plans to engage a non-profit organization to certify third-party auditors in late 2019. Once CMMC auditors are certified, they will be responsible for conducting third-party assessments of DoD contractors beginning in mid-2020.

CMMC Timeline

DoD is moving quickly to roll out CMMC. The current timeline for CMMC indicates that contractors will need to be certified by late 2020 in order to bid on contracts. In order to prepare, contractors need to determine where they stand regarding NIST 800-171 controls and the CMMC level they want to achieve as soon as possible. CMMC requirements might encompass controls from other frameworks (e.g. NIST 800-53, ISO, etc.), but 800-171A and 800-171B controls make up the core and are thus a good starting point. Even a relatively short delay may jeopardize achieving CMMC certification by the deadlines set by the DoD or those established by your internal business development team.

Budget Concerns for CMMC

Recognizing that the cost of implementing security controls represents a barrier for small and even mid-sized defense contractors, DoD and other federal and state agencies are considering how to provide financial assistance for some CMMC compliance and certification costs. Targeting small and mid-sized DoD contractors, several financial support resources have been discussed or announced.

Kevin Fahey, the assistant secretary of Defense for Acquisition in the Office of the Under Secretary of Acquisition and Sustainment, gave permission to Katie Arrington to inform DoD vendors that security is an allowable cost.

The Small Business Cybersecurity Assistance Act, recently introduced in the Senate by Marco Rubio (R-FL) and Gary Peters (D-MI), would provide cybersecurity education to SMBs at Small Business Development Centers (SBDCs) that are funded by Small Business Administration (SBA) grants.

Some states offer cybersecurity assistance programs for small businesses. These programs are typically coordinated through the state’s Manufacturing Extension Partnership Program (MEP). For example, Maryland’s program covers 75 percent of remediation costs up to $10,000, based on the results of a gap analysis.

CMMC Expertise and Tools

Effective CMMC compliance efforts require access to security control expertise and easy-to-use compliance tools to organize and track progress. Failure to plan and coordinate compliance efforts can result in excessive costs, distractions to core business, and lost revenue opportunities. Coordinating with contract, business development, and solution teams early in the process results in a smoother path to CMMC compliance.

DoD contractors without access to in-house NIST compliance experts can engage the help of a virtual compliance officer (vCO). An experienced NIST vCO can help contractors determine which CMMC levels are appropriate, decipher the security control requirements, and understand specific control implementation for development and production environments, as necessary.

CMMC compliance efforts can be more effectively managed with cloud-based compliance software that provides CMMC controls, policy management, evidence management, and tracking. Since CMMC compliance includes external assessments and spot audits, DoD contractors can streamline CMMC efforts with a solution that supports secure role-based access for staff, external advisors and third-party assessors.


DoD’s CMMC cyber compliance program rolls out in January 2020 and all defense contractors need to prepare. DoD contractors can take proactive steps to minimize the time and effort required for CMMC compliance by staying up-to-date on the latest developments by visiting DoD’s site or subscribing to periodic alerts on NIST 800-171 and CMMC developments.”


About the Authors

Chor-Ching Fan is the president and CEO of Rizkly, a firm that helps companies achieve and demonstrate compliance with industry-mandated cybersecurity and privacy standards. He has over 20 years of experience helping companies manage global supply chain processes and harness disparate data to improve decision-making. His software product management experience spans global SaaS products for B2B data integration, governance and risk analytics, and self-service cloud analytics.

David Trout is the chief strategy and business development officer for Rizkly, a firm that helps companies comply with industry-mandated cybersecurity and privacy standards. He has over 20 years of experience helping companies achieve enhanced security posture and compliance with industry standards such as NIST, SOC and FedRAMP. He is a Certified Information Systems Security Professional (CISSP) and a Certified Information Security Manager (CISM).