CMMC is a significant and fast-moving compliance model that signals a major shift in the US DoD’s treatment of supply chain security.
Up until now, US suppliers had been required to work toward compliance with NIST SP 800-171 using a self-validation model. The rate of data breaches in the last three years has clearly exhausted the DoD’s patience with the self-validation model, and the “Trust but Verify” CMMC is the result.
US stakeholders have already expressed deep concern with the pace of CMMC implementation. The US DoD has reiterated that the new compliance requirement is coming and in the specified time frame.
In the previous articles we’ve seen a very brief overview of what the new compliance model is, what it is intended to do and some of the required compliance structure. So what are Australian SMEs to make of this?
In light of all the preceding points, it is imperative that defence supply chain businesses take a more serious and immediate approach to their cyber security posture. In the past, contractors have been content to wait for explicit contract requirements before addressing the required levels of cyber security.
CMMC explicitly eliminates that option.
As CMMC explains, an organisation will only be included in discussions that involve the CMMC Levels it has been assessed to have attained. In short, if you cannot demonstrate certification to the level required in the RFI, don’t bother calling!
According to the CMMC website, new RFIs after June 2020 will be subject to CMMC. That then will be the price of admission to the game.
The Australian Cyber Security Centre's (ACSC) Essential Eight Maturity Model, the UK National Cyber Security Centre’s (NCSC) UK Cyber Essentials (a prerequisite for meeting the UK’s Def Stan 05-138) and NIST SP 800-171 are principal reference materials used in the drafting of CMMC. This is good news for Australian SMEs because these documents are already linked to the Defence Industry Security Program (DISP) certification.
Therefore, it would seem obvious that certification to DISP (conducted by the Australian Defence Industry Security Office) would be an excellent springboard towards meeting CMMC. If you’ve already jumped on the DISP/NIST train, your journey has already begun!
Contributing factors to consider
The current shortage in competent cyber personnel in Australia is a potential obstacle to achieving CMMC. It is not clear where the Australian certification assessors will be drawn from, other than the Australian Defence Industry Security Office. It is also not clear where SMEs are going to find specialists capable of undertaking the remediation tasks necessary to meet CMMC ML-2 and beyond.
Given the current wait times for DISP accreditation, delays can only increase as more businesses self-nominate to gain the obvious advantage. Acting sooner rather than later is a prudent strategy.
First, implement the Australian Cyber Security Centre’s (ACSC) Essential Eight Maturity Model.
Second, review 48 CFR 52.204-21 - Basic Safeguarding of Covered Contractor Information Systems with the objective of addressing any gaps not covered by the Essential Eight.
Third, more advanced contractors need to embrace NIST SP 800-171r1 - Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.
With the final release of CMMC due in January 2020, refinements and tweaks to the published maturity level requirements are still expected. That being said, those contractors who act early will be the ones in the best position to achieve compliance.
To quote a famous saying, “Act now to avoid the rush!”
Note: Ray Harvey works as a Custodial Information Security Specialist, BDM Defence/Aerospace/Space at Cider House ICT in Melbourne.