“The concept of a Cybersecurity Maturity Model Compliance (CMMC) framework arose in response to a series of high-profile breaches of DoD information.”
This quote from Susan Cassidy, a US Government Contracts Attorney writing for Covington, signals an imminent change in how US defence contracts work.
If you are outside of the cyber security community you can be forgiven for missing this development, as it hasn’t received much attention as yet. Hints were contained in a Stars & Stripes article in August of this year.
The article pointed out that from January 2016 to February 2018, nearly six per cent of US military and aerospace contractors reported data breaches. This is roughly one data breach for every 17 companies that are active in the supply chain.
More than 50,000 US companies actively contract through the defence supply chain in any one year. So six per cent equates to 3,000 data breaches across that two year period.
Essentially, the CMMC has arisen out of the US DoD’s frustration with the ongoing, damaging leaks of military technical data and confidential information.
What is the CMMC?
Here’s the condensed version to keep things simple. The CMMC is intended to “be a unified cybersecurity standard for DOD acquisitions to reduce exfiltration (theft) of Controlled Unclassified Information (CUI) from the Defence Industrial Base (DIB).”
The CMMC is intended to improve protection of US Federal Contract Information (FCI) and Controlled Unclassified Information (CUI), both as they are held and as they move through the supply chain. It combines various cybersecurity standards and ‘best practices’, and maps these practices and processes across five maturity levels that range from basic cyber hygiene to advanced. Each maturity level builds upon the requirements of the levels below it, similar to the Australian Defence Industry Security Program (DISP) model.
The CMMC effort also builds upon existing regulation (DFARS 252.204-7012), which relies on contractor self-attestation, by adding a verification component for cybersecurity requirements. This is a “Trust, But Verify” model in which certified independent third-party organisations conduct audits and inform risk. Audits will provide a “Go/No-Go on compliance” for each level of maturity. The goal is for CMMC to be cost-effective and affordable for small businesses to implement at the lower CMMC levels.
The expectation is that upwards of 90 per cent of all supply chain businesses will fall into levels 1 to 3, the basic cyber hygiene end of the maturity scale. It is inferred that CMMC will apply to all contractors involved in future US DoD contracts, regardless of nationality.
The full 90-page CMMC Draft V0.6 can be found here.
From June 2020, CMMC will become a hurdle that businesses will need to address in RFIs for contracts of US origin. Businesses will need to be certified by an independent assessor who will use a CMMC specific tool to determine compliance.
Initial discussions regarding the certification of independent third-party assessors will not take place until November 19th. This doesn’t leave a lot of time to determine how third-party assessors outside the US are going to be vetted and monitored. There are also open questions surrounding the legal and treaty implications of such a model.
The structure of the CMMC means that contractors who cannot demonstrate compliance with the model cannot participate in US contracts.
With Minister for Defence Linda Reynolds banging on doors in Washington to get more Australian content into the current F-35 program, the CMMC could present a significant obstacle.
In Part Three of this series, we’ll analyse how CMMC is structured and in Part Four, what immediate steps you can take to be prepared.
Note: Ray Harvey works as a Custodial Information Security Specialist, BDM Defence/Aerospace/Space at Cider House ICT in Melbourne.