In April, at a NSW Defence Readiness Panel, I was asked to explain the implications of NIST800-171 on ITAR/EAR compliance. As I said then, all of my top-level discussions implied that it was a question of ‘when’, rather than ‘if’, contractors begin encountering it.
We know the ‘when’ and we know the ‘what’. So now we’ll look at the ‘how’.
Like Australia’s Defence Industry Security Program (DISP), CMMC (Cybersecurity Maturity Model Compliance) is a multi-tiered framework where each level of capability builds upon the one below it.
There are 17 Domains, or categories of cybersecurity best practice. Some examples of which are “Access Control”, “Identification and Authentication”, “Media Protection” and “Risk Management.”
Each Domain is defined by a set of Capabilities, intended to ensure security objectives are met. These Capabilities have activities called Practices and Processes that enable them to be achieved. Practices will measure the technical activities required to achieve compliance with a given capability requirement, and Processes will measure the maturity of a company’s processes.
There are five Maturity Levels (ML) in the CMMC framework, but only three have been defined in draft form to this point.
CMMC ML 1
This aims for basic cyber hygiene using US 48 CFR 52.204-21. These are 15 fundamental practices that form the foundations for higher levels of maturity. Although there are 17 Domains in CMMC, not all of them have Level 1 practices. The 15 practices in US 48 CFR 52.204-21 map to 17 of the practices in NIST SP 800-171 and define ML 1. A large proportion of all supply chain businesses will begin their CMMC journey here.
CMMC ML 2
This aims for intermediate cyber hygiene. Organisation is expected to establish and document standard operating procedures, policies, and strategic plans. ML-2 is a maturity transition level to assist in reaching ML-3 where Controlled, Unclassified Information is handled. ML-2 also introduces FIPS-validated cryptography to protect information confidentiality. There are 51 NIST SP 800-171 practices that define ML 2.
CMMC ML 3
This requires that organisations have demonstrated good cyber hygiene and effective implementation of controls that meet the security requirements of NIST SP 800-171 Rev 1. Organisations that require access to CUI and/or generate CUI should achieve CMMC Level 3. There are a number of documents referenced that define the first three maturity levels of the CMMC; ML-2 and ML-3 benchmarks are challenging.
Not every organisation is going to get certified the first time around, which will cause delays as remedial work is done. Then it's back in the queue for a second assessment.
NIST SP 800-171r1 - Protecting Controlled Unclassified Information in Non-Federal Systems and Organizations. This NIST guidance does most of the heavy lifting required to meet CMMC.
48 CFR 52.204-21 - Basic Safeguarding of Covered Contractor Information Systems. This US Gov guide lays out the 15 basic security controls that define ML-1. Draft V0.6 maps these to the UK’s Cyber Essentials, and Australia’s Essential Eight where applicable.
Essential Eight Maturity Model, Australian Cyber Security Centre (ACSC). The Essential Eight forms part of Australia’s Defence Industry Security Program (DISP).
National Cyber Security Centre’s (NCSC) UK Cyber Essentials. The Cyber Essentials form part of the UK’s Cyber security for defence suppliers (Def Stan 05-138).
The significance of these four documents will be explored in part four of this series, where we will explore ways businesses can get a head start on some of CMMC’s low hanging fruit.
Note: Ray Harvey works as a Custodial Information Security Specialist, BDM Defence/Aerospace/Space at Cider House ICT in Melbourne.