Defense in Depth? An Up-Close Look at the CMMC

The US government recently introduced the Cybersecurity Maturity Model Certification (CMMC) to bolster the defense industrial basis' cybersecurity. Danny Bradbury looks at its impact so far and questions whether it needs to adapt

When the Russian attack on SolarWinds emerged, the US Department of Defense (DoD) was identified as a customer. Officials later told a Senate subcommittee that the Pentagon hadn’t suffered any fallout from the attack. But what of its suppliers?

In May, officials said at a Congressional testimony that almost 40 defense contractors to the US government (known in the industry as the defense industrial base, or DIB) had been hit in the attack, potentially placing their products or services at risk. The DoD relies on thousands of these contractors to supply it with critical products and services. Now, it plans to tighten up its security with a mechanism called the Cybersecurity Maturity Model Certification (CMMC).

Incredibly, the DoD relied on self-attestation for defense contractor security before releasing the first version of the CMMC in January 2020. Based on the existing DFARS 252.204-7012 regulation, this trust-based mechanism called for organizations to map their cybersecurity posture against the National Institute for Standards and Technology’s SP 800-171 cybersecurity framework.

“The current approach of self-attestation to the NIST SP 800-171 security requirements is not working,” says Katie C. Stewart, cybersecurity assurance technical manager in the division at Carnegie Mellon University’s Software Engineering Institute (CMU SEI). “We are seeing supply chain attacks increase at an alarming rate. The CMMC is an approach that will help DIB contractors secure unclassified information throughout the supply chain.”

CMMC is a cybersecurity certification framework that defense contractors must pass to bid for contracts with the Department. It offers five certification levels spanning one through five, with five being the highest. Each level maps to a different level of process maturity. (These maturity levels extend across the technical domains that are listed in the box below.)

Level one shows that a contractor has performed basic cyber-hygiene practices, while level two shows that it has documented them. These two levels would only allow companies to handle federal contract information (FCI). This is non-public information that is subject to minimum information requirements.

Level three shows that those practices are managed, meaning that there’s a plan for establishing and maintaining cybersecurity practices. It is the lowest level, including the 110 security requirements from NIST SP 800-171. Contractors would need this level of certification to handle what the defense community calls controlled unclassified information (CUI). CUI is information created by, or on behalf of, the government that must be handled using more robust safeguards.

CMMC level four requires that organizations regularly review their cybersecurity practices, taking corrective action where necessary. Finally, the highest level, five, focuses on standardizing and optimizing those cybersecurity processes.

“It’s the DoD’s approach to being sure that defense contractors are secure,” explains John Pescatore, director of emerging security trends at SANS, who worked for organizations including the NSA and the US Secret Service before SANS.

Pescatore sees strong correlations between the CMMC and the Capability Maturity Model (CMM), which was funded by the DoD. That model sought to guarantee the quality of software development processes. “It was the first time anyone had done it in a structured way,” he continues. “Now they’re doing the same thing for security.”

CMMC’s scope is vast because it will apply to all organizations that do business with the DoD, explains Stewart. “It’s estimated that the DoD supply chain consists of more than 300,000 businesses and organizations, all of which are targets,” she says. “Most of these organizations are small to mid-size businesses, which are the most vulnerable to cyber-attacks.”

Getting Certified

The CMMC is still in its nascent stages. The DoD began issuing limited information requests containing CMMC specifications in September 2020, explains Tim Campo, director of infrastructure & security for (ISC)². The Department will likely begin including CMMC as a requirement in all RFPs starting in 2026.

“This helps the government ensure that vendors and contractors that work with the DoD meet a level of cyber-hygiene requirements,” he adds. “The contractors will be subject to an assessment by an approved CMMC Third Party Assessment Organization (C3PAO – CMMC third party assessor) to add a layer of objectivity and transparency to the process as well.”

These assessors fall under the CMMC Accreditation Body (CMCC-AB), which will accredit them. This organization has suffered a wobbly start, says Pescatore. In September 2020, the CMMC-AB published a ‘partnership plan’ to its website, offering five paid partnership levels offering different perks, with the highest (diamond) level costing $500,000. It quickly backtracked, revising the page following criticism from multiple parties, including DoD CISO Katie Arrington, the Department’s lead official on CMMC. The worry was that this would create a conflict of interest with assessors. Shortly after the incident, chair Ty Schieber and communications director Mark Berman parted ways with the board.

Certification will last for three years and will be an allowed cost by the DoD. That means it can be passed on as an agreed expense to the DoD. However, the Department requires that organizations get the appropriate level of certification before being awarded a contract, requiring them to make this investment upfront.

How Effective will CMMC be?

It’s too soon to tell how effective the new certification model will be, says Campo, given that it’s not currently an official part of DoD solicitations. “However, the source document standards, including CSF v1.1, NIST SP 800-171, NIST SP 800-53, ISO 27001, and others, have been proven to be reliable standards, both nationally and internationally,” he says. The program’s rollout has also increased cybersecurity awareness across the defense supply chain, adds Stewart.

The CMMC’s success will lie in its implementation detail, warns Pescatore, particularly when it comes to enforcement. Federal agencies have a questionable track record for cybersecurity, and there’s only so much that the executive branch can do to crack the whip.

“Generally, the government isn’t good at self-enforcement,” Pescatore warns. We need only look at the recent Senate report, Federal Cybersecurity: America’s Data at Risk, to see that. It showed that seven of eight federal agencies failed to protect critical data due to inadequate cybersecurity after years of repeated drives to fix these problems.

This is one area where the CMMC’s outsourced certification process could be much more effective than intra-government efforts. The government has a greater chance of enforcing a private sector certification like CMMC, explains Pescatore. “If they don’t comply, you can stop them bidding,” he says. When something threatens your bottom line, you’re more likely to take it seriously.

Could this help mitigate supply chain attacks like the assault on SolarWinds that compromised DoD systems, among many others?

“CMMC will provide the DIB supply chain with a baseline of cybersecurity capabilities, which will increase the current security posture of the DIB,” says Stewart. “Because the model also includes process maturity activities, such as maintaining policies and managing activities, organizations will have enduring capabilities that are better able to adapt to evolving threats to the supply chain. In addition, the CMMC framework will enable the DoD to make risk-informed decisions regarding the information it shares with DIB contractors.”

Pescatore warns that a lot depends on detailed operating procedures, which he says maturity models might not address. He also worries that certification systems relying on point-in-time certification like the CMMC create the danger of compliance drift. Even if all the cyber-hygiene requirements were passed, SolarWinds might still have been hit, he warns.

“It needs a constant update cycle,” he says, suggesting a ‘trust-but-verify’ system where assessors could conduct spot checks to ensure ongoing compliance.

The CMMC-AB seemed to acknowledge the need for ongoing monitoring of cybersecurity posture, with an April 2020 RFP that would enable it to monitor open-source information about companies’ cybersecurity and be alerted if they slip below its standards. Even this drew criticism, though, with commentators pointing to a nine-day response window, no clear indication of who would pay for it, and a lack of accompanying market research. There’s no indication that this initiative went any further, though.

There’s no doubt that a certification model using third-party checks and accreditations will make the vast defense contractor base sit up and take notice. It must surely be better than basing the cybersecurity of the military’s supply chain on what amounts to an honor system. It will doubtless increase cybersecurity awareness in the supply chain, but what isn’t yet clear is how effective it will be at staunching the flow of information from the US military-industrial complex. As weapons systems become increasingly sophisticated and companies move into advanced research areas such as AI, the stakes constantly rise.

Technical Domains

The five CMMC certification levels extend across 17 technical domains:

• Access control
• Asset management
• Audit and accountability
• Awareness and training
• Configuration management
• Identification and authentication
• Incident response
• Maintenance
• Media protection
• Personnel security
• Physical security
• Recovery
• Risk management
• Security assessment
• Situational awareness
• Systems and communications protection
• System and information integrity