CMMC bakes security into DoD’s supply chain, has value for all businesses

The Cybersecurity Maturity Model Certification provides a means for the Department of Defense to certify the security capabilities of its contractors, but it's a good way to assess the cybersecurity maturity for all companies.

Just as the coronavirus pandemic was getting underway in January, the Department of Defense (DoD) launched an ambitious cybersecurity certification and compliance process called the Cybersecurity Maturity Model Certification (CMMC). This framework has five certification levels of maturity that are designed to ensure that the Pentagon’s 300,000 contractors can adequately protect sensitive information.

The CMMC embraces existing well-known federal cybersecurity frameworks including NIST SP 800-171, NIST SP 800-53, ISO 27001, ISO 27032, and AIA NAS9933, as well as compliance procedures from the Federal Information Security Management Act (FISMA). One of the most significant changes for DoD contractors under the CMMC is the need to undergo external security audits.

“There were some simple things that our communities weren’t doing and we needed to find a way to make them repeatable, accountable and to provide metrics and make them auditable,” Katie Arrington, CISO for acquisition and sustainment, DoD, said at the 10th Annual Billington Cybersecurity Summit, which was held virtually this year. “So, we created this model with collaboration with industry and academia.”

The CMMC “is one piece of a massive cultural reform that’s been going in the department since 2018,” Arrington said, pointing to something called the Adaptive Acquisition Framework, a set of policies designed to introduce innovation into what has long been the sluggish thicket of the federal acquisition process. “It's refreshing to see that acquisition is now understanding the new emerging capabilities and how we need to move through those.”

“CMMC is one piece of the Adaptive Acquisition Framework, what we're doing in supply chain, risk management, and illumination of that capability. [It helps us understand] what is risk and how do we buy it down at a program level, at a supply chain level, at a company level.”

Third-party security services will play a role

Despite launching the CMMC rulemaking process at DoD shortly ahead of COVID-19 quarantine and the attendant difficulties, the framework is on track for approval by November. Even with the barriers of remote work and difficult circumstances, “I’ll say I’ve never seen a rule move as rapidly through the process” as CMMC has, Arrington said.

Not every organization will have the resources to fully implement the CMMC. Small businesses likely lack the organic capacity to reach, say, level five certification or even level three, according to Arrington. That’s where CSPs, or cybersecurity-as-a-service providers, come into focus.

One such CSP is Amazon Web Services (AWS), which is “working on solutions for our customers to really help accelerate their CMMC compliance while also helping to reduce costs, time, level of effort and risk,” Samara Moore, security assurance senior manager and global energy specialist, AWS, said.

“These solutions include compliance documentation that really helps customers that are in the cloud understand and be able to demonstrate how they're meeting CMMC compliance. [The solutions also include] an automated environment that [has] been purpose-built to support the needs and the expectations of CMMC. So, the AWS cloud helps customers to quickly develop tests and deploy their CMMC environment.”

“If you put a problem out there, industry will solve it if you give them the opportunity,” Arrington said of the efforts by AWS and other CSPs. “What you're seeing today is exactly that. I applaud the efforts of all the CSPs and product providers that have been out there.”

Karlton D. Johnson, vice chair of the board of directors of the CMMC Accreditation Body, sees CMMC compliance as a business problem. “In the past, cyber security was relegated or delegated down to the IT department,” he said. Going forward, “it is an awareness that if you look at the capabilities you have within the organization, and you also look at the content we have within the organization -- I’m talking IP [intellectual property] -- you have to protect that.”

CMMC one of several contractor security initiatives

CMMC is not the sole government effort to bake security into the contractor process. One program, FedRAMP, promotes the adoption of secure cloud technology across the federal government to provide a standard approach to security and risk assessment. The CMMC seeks to not duplicate what the government has already paid for, Arrington said. “We have to understand that they’re alike but they are not the exact same.”

At least for AWS, some customers can find reciprocity in complying with the CMMC if they meet the FedRAMP requirements through the CSP. “Customers have the potential through finding a pathway for reciprocity. They can even further reduce their compliance effort by being able to leverage those controls that appropriately align with the CMMC,” Moore said.

CMMC certification for all businesses

Yet the larger question remains: Why wouldn’t any business, for its own protection, seek CMMC certification? “Why wouldn’t you want to tell your business partners that you understand the inherent risk of doing business? That’s the unit that this is all about, buying down the risk,” Arrington said.

“They’re talking about amending Sarbanes-Oxley [a key law protecting investors from fraud] to include cybersecurity. So, think about it. They’re not kidding around. People say, ‘Oh it’s such a high burden to get there,’” she said. “Your adversary knows you and they’re looking for the absolute weakest link in any supply chain.”

“The art of war? We already have it, right? The easiest way to destroy us is from within.”

Arrington believes everyone should be CMMC certified. “We all need to get CMMC certified. We just don't need to tell the adversary what you're not doing [by placing CMMC certification levels on websites] in order for them to draw a quicker line. Let's buy down the risk and buy up the uncertainty and do our utmost best every day to protect this great country that we live in.”


Copyright © 2020 IDG Communications, Inc.
