The Cybersecurity Maturity Model Compliance (CMMC) is a US Department of Defense (DoD) certification process intended to improve cyber security practices across the entire Defence Industrial Base (DIB). It designates five levels of maturity ranging from “Basic Cybersecurity Hygiene” to “Advanced.”
Unlike many existing frameworks, the CMMC includes compulsory certification by a third-party auditor before a contractor can be designated as compliant. Each one of the five security levels builds upon the capability requirements of the level below. As of June 2020, new US Requests For Information (RFIs) will begin to specify the CMMC Compliance Level that contractors must possess to participate.
The intention of CMMC is to protect US Federal Contract Information (FCI) and Controlled, Unclassified Information (CUI), as both exist and move through the supply chain. All companies conducting business with the DoD, including subcontractors, must be certified.
So how will this affect Australian contractors? That’s the $64 million question.
To date, there has been no mention of extending compliance requirements to supply chain partners outside of the US. However, given that Australian contractors hold and work with US Technical Data (TD) and CUI, that almost certainly guarantees it will.
Furthermore, the following description of specifically relevant regulation hints at the scope of impact: “The CMMC effort builds upon existing regulation, specifically, 48 Code of Federal Regulations (CFR) 52.204-21 and Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, and incorporates practices from multiple sources such as NIST SP 800-171 rev 1, Draft NIST SP 800-171B, the United Kingdom’s Cyber Essentials, and Australia’s Essential Eight.”
Currently, the standard has just passed Draft V0.6, which defines the first three levels. This provides a fairly insightful view into the final operational version of the standard (CMMC Rev 1.0) due for release in January next year. The DoD expects ninety per cent of the Defence Industrial Base (DIB) to sit within these first three levels.
The important takeaway is that companies will have to demonstrate compliance with the required practices and processes of a specific CMMC level before they will be certified as compliant. Companies will have to be certified as compliant to the CMMC Level of a particular contract (or sub-contract) in order to participate.
The CMMC Schedule sheds light on the serious intent behind the standard:
• CMMC Rev 1.0 will be released in January 2020
• It will be included in RFIs starting in June 2020
• It will be included in RFPs starting in Fall (September/October) of 2020
The scope of CMMC and the potential implications are significant. In order to fully discuss what the Model is and how it works, we have broken the analysis into four parts.
In part two of this series, we’ll look a little deeper into what the CMMC is intended to do, and in part three, we’ll analyse how it’s structured. Our fourth and final article will suggest some practical, immediate steps Australian contractors can pursue in getting ready for CMMC.
Note: Ray Harvey works as a Custodial Information Security Specialist, BDM Defence/Aerospace/Space at Cider House ICT in Melbourne.