By Janet Himmelreich, CIPP/E/US, CMMC RA, RPA, formerly CCEP
If you are a compliance professional for a company with federal contracts, you’ve likely heard the term “CMMC,” or Cybersecurity Maturity Model Certification.[1] It is one of those terms that seems to trigger almost immediate high anxiety with executives and IT leaders no matter the organization’s size. It does not have to be this way. Understanding what it is, what it means to your organization, and what you can do about it is essential to protecting the company—now and well into the future. It is not just a “thing to fuss about”; it is essential business practice today.
CMMC is not new
Primarily associated with the U.S. Department of Defense (DoD), CMMC has been discussed as a requirement for almost every DoD contractor at least since compliance with National Institute of Standards and Technology (NIST) SP 800-171 became mandatory in December 2017. That special publication (SP) is now on its second revision, NIST SP 800-171 Rev. 2.[2] CMMC is simply a validation: an independent confirmation that the controls are implemented correctly, are operating as intended, and produce outcomes that can be evidenced. Other federal agencies are planning to adopt the same or similar requirements. While originally designed as a maturity model, the current iteration of CMMC (version 2.11) focuses on the implementation status of the controls. The controls being validated are specifically designed to protect controlled unclassified information (CUI). Thus, if you are in the DoD supply chain, even if you do something as seemingly minor as manufacturing a special screw, the DoD requires your company to have appropriate controls in place to protect DoD CUI. Rapid reporting of cybersecurity incidents is another key mandate. These requirements stem from the Defense Federal Acquisition Regulation Supplement (DFARS) procurement clause 252.204-7012.[3]
Regrettably, many members of the Defense Industrial Base (DIB) have not even attempted to determine how the NIST SP 800-171 Rev. 2 controls, the ones CMMC validates, apply to their business. This is unfortunate because if that clause has been in your contract, whether directly or as a flow-down from the contractor you deal with, you have technically been responsible for implementing the 110 controls of NIST SP 800-171 Rev. 2 since December 2017. There is substantial risk not only of breach of contract but also of having submitted false claims to the federal government.
As a fundamental starting point, the most vital thing for any company is to establish whether it operates within the federal government supply chain. (Hint: Be certain of the answer.) A contract with the DoD, or with a member of its supply chain, that is flying under the radar is a major cybersecurity compliance concern. As noted, CMMC currently applies only to the DoD. However, many other federal agencies have now established their own cybersecurity requirements. For example, if your company is publicly traded, you must meet the Securities and Exchange Commission's cyber incident disclosure requirements, which are already in effect. The Departments of Homeland Security and Energy have also established their own requirements.
Even for a private company without a DoD contract, the controls required under CMMC are the basic ones every company should have in place. This is no longer "special"; it is fundamental. The vulnerabilities and threats these controls address may also reside with your outsourced providers: managed service providers and managed security service providers (known as external service providers, or ESPs, under CMMC) and software-as-a-service (SaaS) providers. These ESPs are part of your company's supply chain. If a CMMC requirement has flowed down to you through a contract, you must flow it down to your own supply chain members, including ESPs.
All supply chains are at risk today
Cyberattacks and incidents have increased dramatically since 2013, when these rules were initially proposed, so there is far greater concern about the DIB today than 11 years ago. A few statistics reported by Cybercrime Magazine in May 2023 give an idea of how massive cybercrime has become:[4]
Table 1 is instructive of the threats across industries.
This means that your company's supply chain, with or without a federal contract, is at risk of cyberattack. Table 1 lists the top 10 industry segments currently being attacked, but at the end of the day, cyberattackers want everything they can possibly get their hands on.
Software and applications are a big cybersecurity risk
Software and application vulnerabilities pose a persistent risk. Several large-scale incidents in 2020 and 2021 highlight it. Colonial Pipeline, operator of a major fuel pipeline, was hit by a ransomware attack. SolarWinds, whose Orion infrastructure-monitoring software is used by the U.S. government and many private sector organizations, was compromised in a software supply-chain attack that inserted malicious code into its product updates. Hackers from China exploited vulnerabilities in Microsoft Exchange Servers in the U.S. These events prompted Executive Order (EO) 14028, "Improving the Nation's Cybersecurity," issued May 12, 2021.[5] The first substantive section of the order addressed removing barriers to sharing threat information between the private sector and the government. A significant change (Section 4 of the EO) was aimed specifically at software providers, those who develop, produce, sell, and/or distribute software. The EO specified that software sold to any executive branch agency must have been developed in accordance with secure software development practices that NIST was directed to define, now published as NIST SP 800-218, the Secure Software Development Framework (SSDF) version 1.1. CISA released the final attestation form, which took effect March 11, 2024.[6] A senior official of the organization providing the software must sign an attestation that the software was developed in accordance with the SSDF; the attestation is submitted to a central repository established by CISA, which was ready to receive forms at the end of March 2024. The receiving agency has wide latitude to request additional information, including a detailed software bill of materials (SBOM).
The EO 14028 initiative that most directly affects CMMC is the direction to the U.S. Department of Justice (DOJ) to develop its own approach to combating cyber issues. It most assuredly did: on October 6, 2021, DOJ announced its Civil Cyber-Fraud Initiative.[7] Under it, DOJ uses the civil False Claims Act (with the option of a referral to the criminal side) to pursue organizations that submit claims or invoices for payment representing that they are in full compliance with cyber requirements when they are not. Several cases have already been brought, settlements in the millions have been paid, and one business has ceased operations. Once the CMMC rules are fully in place (projected for the first quarter of 2025), we can expect even more activity in this arena.
You cannot substitute for CMMC
One question people have raised continually since CMMC was proposed is whether other certifications or attestations (ISO 27001 and SOC 2 are the most common) can be substituted for CMMC. The DoD has heard the question and decided they are not adequate. Both allow the organization to choose the controls it is assessed against based on an internally performed risk assessment, so coverage is limited. ISO 27001 focuses on establishing an information security management system (ISMS); the organization's own risk assessment determines which Annex A controls it applies, and an accredited certification body issues a certificate. SOC 2 is an attestation examination performed by a certified public accounting firm; the organization selects which of the five Trust Services Criteria are in scope, with security the only mandatory one, and the result is a report containing the auditor's opinion on the selected controls rather than a certificate.
CMMC, by contrast, is definitive. At Level 1 it assesses the 15 practices for protecting federal contract information and focuses on the assets used. At Level 2, any data that qualifies as covered defense information, controlled technical information, or similar is CUI and must be protected on every identified asset. As a result, all 110 controls and their 320 assessment objectives are in scope for the assets enumerated in the defined system boundary, which is established before the certification assessment. This is both broader and more intensive than the other activities.
Because the designs of the certifications are so different, the DoD does not allow ISO or SOC certificates or reports to substitute for CMMC validation of the controls and objectives. However, an organization that already meets these or similar external requirements has made substantial progress toward the CMMC controls and objectives, so the effort will be far less than for one starting from scratch. Controls put in place for privacy, for example to comply with the various U.S. state laws or the General Data Protection Regulation in Europe, will likewise contribute. Conversely, implementing the NIST SP 800-171 Rev. 2 controls will improve privacy protections. Keep in mind that you can't have privacy without security!
It’s always about the people
Where should responsibility for CMMC compliance lie? Many organizations have assumed it belongs to IT security because it is about cybersecurity. Experience argues that this is not the best or most appropriate home for it. Depending on the organizational structure, overall responsibility should sit with the compliance organization, partnering with security, privacy, and internal audit. At the end of the day, it is about the training, the people who will be interviewed by assessors, and the processes people use to produce evidence that controls are implemented and working. These activities are generally at the heart of the compliance program. Regardless of where the leadership comes from, it is crucial that the effort be managed as a partnership.
As always, leadership must walk the walk. It is clear from Cyber AB (the nonprofit accreditation body for the CMMC ecosystem) training that CMMC Third Party Assessment Organizations (C3PAOs) will expect leadership to be involved in assessments. Having only the security person available for the assessment will most definitely not be enough. The entire organization is expected to show that it operates according to the documented controls.
As the compliance officer or equivalent, it falls to you to manage these risks or bring them to the attention of whoever "owns" the risk register. If senior leadership has taken a hands-off approach, or has followed the technology pathway of investing mainly in technology solutions, a vital part of the requirements will remain unmet. Keep in mind that every cybersecurity framework has people, process, and technology requirements. This is true of frameworks other than NIST's as well; if you have achieved any ISO certifications, you will be familiar with these requirements.
Therefore, the compliance team should advocate for oversight and involvement in the CMMC compliance program. This will ensure that this regulatory regime is treated the same as any other and is consistent with internal compliance standards and methods already in place. Long term, the discipline of standard approaches, monitoring procedures, and reporting is critical to the success of the CMMC program.
As cyberattacks continue to proliferate and the evidence grows clearer that adversaries are keen to disrupt our country's operations and steal the intellectual property of businesses throughout the supply chain, the "fuss" will continue. The DoD acknowledges significant deficiencies in how it has policed its contractors and subcontractors; it has also made clear it "got the message." If CMMC applies to your company, the time to start preparing has already passed. Get a team together and begin taking the steps needed to understand the requirements and become compliant today.
Look for more details about the proposed final rules in a future CEP issue.
Takeaways
1 GRC Academy, “CMMC 2.11,” accessed March 7, 2024, https://grcacademy.io/cmmc/.
2 National Institute of Standards and Technology, “NIST SP 800-171 Rev. 2: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations,” updated January 28, 2021, https://csrc.nist.gov/pubs/sp/800/171/r2/upd1/final.
3 Acquisition.gov, "252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting," February 15, 2024, https://www.acquisition.gov/dfars/252.204-7012-safeguarding-covered-defense-information-and-cyber-incident-reporting.
4 Steve Morgan, “2023 Cybersecurity Almanac: 10 Facts, Figures, Predictions and Statistics,” Cybercrime Magazine, May 24, 2023, https://cybersecurityventures.com/cybersecurity-almanac-2023/.
5 Improving the Nation’s Cybersecurity, Exec. Order No. 14,028, 86 Fed. Reg. 26,633 (May 12, 2021), https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/.
6 Cybersecurity & Infrastructure Security Agency, “Secure Software Attestation Form,” March 18, 2024, https://www.cisa.gov/resources-tools/resources/secure-software-development-attestation-form.
7 U.S. Department of Justice, Office of Public Affairs, “Deputy Attorney General Lisa O. Monaco Announces New Civil Cyber-Fraud Initiative,” news release, October 6, 2021, https://www.justice.gov/opa/pr/deputy-attorney-general-lisa-o-monaco-announces-new-civil-cyber-fraud-initiative.