The DoD's new cybersecurity maturity model certification demands that each of the 300,000 businesses, universities and organizations it works with level up — or stay out of the game
Since its first volume, in 2006, this publication has followed the story of the F-35 Joint Strike Fighter, which, through trial and sometimes painful error, has gone from a daring design to a distributed manufacturing supply chain to, finally, a warplane in service around the globe. The total cost of the program—all of that hard-won innovation in design and execution—is estimated at $1.5 trillion. It reportedly costs $40,000 an hour to fly the F-35. That’s a lot of taxpayer dollars, but the result is a uniquely flexible warplane.
But less unique than it once was.
In 2014, China demonstrated a new fighter of its own—the J-31. And the J-31 looks disturbingly familiar. In fact, in the words of Katie Arrington, chief information security officer (CISO) for acquisition in the Office of the Under Secretary of Defense for Acquisition and Sustainment, the J-31 is “almost an exact copy” of the F-35. (Turn the page to see photos.)
It is worth mentioning that no F-35s have gone missing or have been captured in some military action: Nobody has physically taken one under the cover of darkness or combat to reverse-engineer it. The planes themselves are all accounted for.
So, the explanation must be exfiltration of pertinent data as the result of a cybersecurity breach—or, more likely, breaches. (“Exfiltration” is a common cybersecurity term. It means sneaking out, as opposed to the sneaking in of infiltration.)
That’s just one glaring example of what an international adversary like China can do in the Information Age.
“Cyber attacks offer adversaries low-cost and deniable opportunities to seriously damage or disrupt critical infrastructure and capability,” Under Secretary of Defense for Acquisition and Sustainment Ellen Lord warned at a press conference in January.
About $600 billion, or about 1 percent of global gross domestic product, is lost each year through cyber theft, she said.
Why hasn’t the defense industrial base (DIB) been able to stymie the cyber incursions of foreign adversaries? Certainly, major manufacturers have invested millions of dollars and hours in cybersecurity programs. So, what’s been going wrong?
A Level-Headed Approach
The U.S. Department of Defense (DoD) believes it knows—and has a new response.
In development since March 2019, the Cybersecurity Maturity Model Certification (CMMC) program is a unified standard for implementing cybersecurity across the 300,000 businesses, universities, and organizations the DoD works with.
Released in January, it is designed to ensure that controlled unclassified information (CUI) used and stored by any DIB systems and networks is protected from access by unauthorized users.
The CMMC manages the trick of being all-encompassing while at the same time not being a “one size fits all” solution. The DoD has defined five different levels of CMMC compliance, each with a set of supporting practices and processes. To meet a given level, a contractor needs to meet not only its specified criteria but also the criteria of any levels below it.
Here is the DoD’s summary of each CMMC level:
- Level 1: Basic cybersecurity
- Level 2: Inclusive of universally accepted cybersecurity best practices
- Level 3: Coverage of all National Institute of Standards and Technology (NIST) 800-171, rev 1 controls
- Level 4: Advanced and sophisticated cybersecurity practices
- Level 5: Highly advanced cybersecurity practices
Beginning in the fall of this year, CMMC compliance will be a prerequisite in new DoD contracts.
Any supplier storing or transmitting CUI will need to achieve at least Level 3 compliance, which matches the stringent standard such contractors are already expected to meet today.
Certifications are valid for three years.
According to CISO Arrington, CMMC was developed as a direct response to cybersecurity failures in past years. At a cybersecurity conference cosponsored by the Aerospace Industries Association (AIA) and the National Defense Industrial Association (NDIA), she explained what the new program is by contrasting it with what has gone—and gone wrong—before.
Changing the Cybersecurity Landscape
One big difference is that pretty much every organization that does business with the DoD needs to be certified to at least Level 1.
The only exception—for now—is makers of commercial, off-the-shelf (COTS) products. In other words, if a warfighter uses a commercially available seat assembly, the plane’s manufacturer can order a seat from a commercial seat-maker without requiring that vendor to be certified.
That being said, the DoD advises even COTS providers to consider implementing Level 1 security controls simply as good business practice. And it’s possible that, while the DoD isn’t requiring it, one of its contracted manufacturers may require it of them anyway.
The DoD perspective is that it’s reasonable to expect a minimum level of cybersecurity competence from even the far edge of the supply chain, according to Arrington.
The reason is that foreign adversaries know they can expect top-tier manufacturers to have a strong cybersecurity program in place, and so prefer to target downstream suppliers.
Arrington points to the F-35 as a prime example: “Don’t you think the prime in that case [Northrop Grumman] worked really hard to keep F-35 info classified? Because I can tell you, its security is good.” (Prime is shorthand for a primary contractor.)
Foreign adversaries, however, “look at our most vulnerable link, which is usually six, seven, eight levels down in the supply chain. They wait patiently,” she said. “Once inside a network, they pull the data slowly. And they have the capability of compiling data from various sources.”
That’s why every DIB organization needs to meet that minimum level—Level 1.
“Level 1 reflects the basic cyber hygiene skills that we should be using every day, regardless,” Arrington said. “I’ve been asked, ‘Ma’am, I do landscaping for the government. Should I have CMMC certification?’ And my answer has actually been, ‘Yes, I want you to at least get to Level 1’.”
The goal is not just a new credential but a new culture, she said.
“Fifty years ago, you could walk onto a manufacturing floor and up to a lathe, and maybe you’d have safety goggles or glasses and maybe you wouldn’t.” Now, however, you wouldn’t be allowed on the floor without goggles and ear plugs. “That’s because we’ve made safety a foundation,” she said. “We now need to make sure we do the same with security.”
In other words, the primary defense against the cyber spy isn’t a counterspy drawn from characters in the 1960s TV series “The Man from U.N.C.L.E.” but rather basic security competence on the part of each employee at every single supplier.
No More Self-Attesting
CMMC’s other levels reflect cybersecurity prowess beyond Level 1’s “basic hygiene.” Seventeen practices must be met to reach that first level; by Level 3, an organization will need to show it meets those plus an additional 93.
As mentioned, Level 3 maps completely to NIST 800-171, rev 1—the NIST standard required for handling CUI—but here’s another important difference between past practices and all levels of the CMMC: Until now, organizations were expected to self-certify that they met the 800-171 requirements.
Yes, the DoD entrusted its contractees—generally speaking, the primes—to assess themselves and their suppliers.
No more: CMMC levels will be assessed by third-party auditors.
To this end, a non-profit organization named the Cybersecurity Maturity Model Certification Accreditation Board (CMMC AB) has been set up and recognized by the DoD as the stand-alone organization responsible for qualifying, training and certifying CMMC third party auditors (C3PAOs). The CMMC AB will publish a publicly available list of C3PAOs after the training is developed and C3PAOs are certified to provide CMMC certification. Once this list of C3PAOs is published, organizations seeking CMMC certification can contact a C3PAO directly.
Those organizations can expect to pay somewhere between $3,000 and $5,000 to go through the certification process for Level 1, and the costs will progressively increase for higher CMMC levels.
And CMMC certification is not going to be a one-time event but rather a recurring renewal requirement. However, it is categorized as an “allowable cost” in a contract by the DoD.
The reliance on third-party auditors does a couple of important things.
In the past, the terms of DoD contracts made the contracted primes responsible for ensuring the NIST CUI security standards were met. That has meant that the primes had to not only stay on top of their own cybersecurity but also that of their suppliers. Putting the burden onto a third party takes it off the backs of the primes. The prime’s task becomes that of finding a supplier at the appropriate certification level for what, specifically, the supplier’s task will be—and not taking on the due diligence of making sure the supplier is living up to that level.
The third-party auditing also gives a more objective assessment. Even the most well-intended organizations can be affected by internal bias.
“We need to trust but verify,” Arrington said. “Because if we were really always doing everything asked for in the standard, our adversaries wouldn’t be flying planes that look suspiciously like ours.”
Advantages for Smaller Businesses
The CMMC system is designed to make it easier for suppliers, including smaller, downstream suppliers, to know what is expected of them in regard to cybersecurity.
Until now, along with that NIST 800-171 certification, a supplier could be asked to comply with a range of other cybersecurity programs, whether from ISO, AIA or individual countries and companies. It’s an amazingly dense patchwork of practices to learn and implement.
For smaller companies, the time and cost of navigating these could be prohibitive. The CMMC, made up of codified levels, developed from best practices, and with NIST 800-171 rev 1 at its middle level, removes much of the ambiguity about what any given company needs to know.
“If a DoD program has CUI, you would immediately think the first level would have to be CMMC Level 3 for the prime. But the subsequent flow-down of that information to the prime’s suppliers is really important,” Arrington said. “We shouldn’t burden small businesses that aren’t prepared or expecting to get CUI. If they’re not touching the controlled unclassified information, they would only need to be at Level 1.”
Third-party assessment will also benefit smaller firms.
“People ask me, ‘Will the CMMC prevent small businesses from fair competition and work?’ Quite the opposite,” she said.
Arrington offered this illustration: Imagine two small businesses bidding on DoD work. Both have CUI on their networks, so both used to self-attest that they were implementing the 110 controls required by Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012.
“Company A may only really be doing 80 of those controls, with a plan of action to do the other 30 that they haven’t implemented. Meanwhile, Company B is actually doing all 110 controls. In this situation, Company A’s rates are generally going to be lower because they’re not doing those additional 30 controls,” she said. Because both companies self-attested their compliance, both were in the running for the contract, and the one cutting corners—the dishonest one—was more likely to win it.
“The CMMC is going to change that,” she asserted. “We need to make sure that our industry partners are prepared to take on the work, and the third-party auditors will ensure that they’re implementing the practices that we need in place to secure the national defense and our industrial base.”
The Need for Urgency
The CMMC program was scheduled to be a part of new DoD contracts by the time you read this. But COVID-19 may have slowed down the schedule.
Corbin Evans, principal director for strategic programs at the National Defense Industrial Association, told participants in a May NDIA webinar on CMMC progress that for CMMC requirements to go into DoD contracts, a relevant DFARS rule needs to be changed first. The problem has been that such rule changes are obliged to include a public hearing before being decided. And social-distancing requirements have made public hearings problematic, he said.
In spite of that holdup, the CMMC AB is moving ahead with plans for recruitment and training of those C3PAOs.
Evans and Arrington both recommend that organizations start getting ready for the implementation of CMMC now.
A good first step would be to check out the FAQ at the CMMC Web site: https://www.acq.osd.mil/cmmc/faq.html.
Arrington said that while the DoD has taken pains to get the details right, she wants companies to feel the need for urgency too, because while cybersecurity improves, so do the capabilities of cyber attackers.
For example, quantum computing—which is powerful enough to break standard encryption—is already being developed, and 5G will be much more common in just a few years, she warned.
“Our adversaries are patient and can slowly exfiltrate data from unprepared suppliers. With 5G, they won’t have to be slow,” Arrington said. “A petabyte of data is equivalent to 30 million pictures on Facebook. It [normally] takes a long time to download 30 million pictures. Using 5G, it takes less than five minutes. In five years, adversaries won’t have to worry about standard encryption. And they can take things from you at the speed of light.”
Now is the time to take precautions, she said.