What is the Cybersecurity Maturity Model Certification (CMMC)?
CMMC is an acronym that stands for “Cybersecurity Maturity Model Certification”. The CMMC effort builds on existing regulations DFARS 7012 / NIST 800-171. The key word here is “Certification”, because like a vehicle safety inspection or a food safety inspection, there will be a formal process of Certification and Accreditation (C&A). Meaning — no certificate, no work with the DoD or within its’ supply chain. About 300,000 US companies are expected to fall under the umbrella of the CMMC. Per the official FAQ verbiage:
The CMMC will encompass multiple maturity levels that ranges from “Basic Cybersecurity Hygiene” to “Advanced”. The intent is to identify the required CMMC level in RFP sections L and M and use as a “go / no go decision.
Why is this necessary?
To put it bluntly, the United States is being robbed blind of our intellectual property by not only China, Russia, and Iran, but in some cases our own allies. This isn’t just a problem for the Defense Industrial Base (DIB) either — it is a problem for all US manufacturers and any other enterprise which creates and maintains valuable information.
Take a look at China’s Y-20 aircraft, vs. the Boeing C-17. Flat. Out. Robbery.
And here is Russia’s Su-57 vs. its American counterpart the Lockheed F-22.
Our information systems in the United States today are about as safe as our factories were 100 years ago (no fire exits, no machine guards, poorly lit, etc.) In terms of information, anything and everything is being stolen from us. China will even steal the color white from DuPont. We at Stronghold believe that the CMMC will ultimately become like the National Electric Code of cybersecurity in that it will gain widespread adoption. According to the Commission on the Theft of American Intellectual Property, “Total theft of US trade secrets accounts for anywhere from $180 billion to $540 billion per year.” At the upper end, that amounts to nearly 3% of our total economic output (GDP). The enormity of this problem cannot be overstated.
How is the CMMC different than DFAR 7012 / NIST 800-171?
Like the Doolittle Raid following Pearl Harbor, NIST 800-171 was simply the first counter-offensive in a much larger conflict. 800-171, while robust and comprehensive, had one massive flaw — its “one size fits all” approach. As different types of information have different values, a more flexible approach was needed. If your business is excavation on a military base, that information does not need the same level of protection as highly advanced data fusion algorithms.
To that end, the CMMC will have 5 levels:
From the FAQ:
The intent of the CMMC is to combine various cybersecurity control standards such as NIST SP 800-171, NIST SP 800-53, ISO 27001, ISO 27032, AIA NAS9933 and others into one unified standard for cybersecurity. In addition to cybersecurity control standards, the CMMC will also measure the maturity of a company’s institutionalization of cybersecurity practices and processes.
At this time, all indications are that most of the Defense Industrial Base will be Level 3, which includes some enhancements but is overall very close to where NIST 800-171 is today. This is good news for those who are compliant or on their way to becoming so. Layers 4 and 5 will look like NIST 800-171B, and apply to the less than 1% of companies who deal in highly advanced defense technology. We recently published a detailed white paper on NIST 800-171B that can be downloaded directly here. There isn’t a lot of information available yet about who layers 1 & 2 will apply to, but we suspect those will apply mainly to companies who are simply reselling products and services to the DoD.
When will the CMMC be required?
If your company does any defense work at all, the CMMC will apply to you, so start planning for compliance now as only CMMC audited companies will be allowed to continue working with the government. However, unlike NIST 800-171, this is not a self-certification – audits will only be performed by approved, third party CMMC auditors. For those companies that already fall under NIST 800-171, there may be additional requirements that must be met before they can become CMMC certified.
The CMMC is currently in draft pending stakeholder feedback. CMMC version 1.0 will be released in January 2020. The CMMC will be included in Requests for Information (RFI’s) starting June 2020, and included in Requests for Proposals (RFP’s) starting in September 2020.