FEDERAL CYBERSECURITY MATURITY MODEL CERTIFICATION
Per Federal Acquisition Regulations (FAR), federal contractors must comply with a list of cyber-security best practices. Any contractor computer systems that interact with Controlled Unclassified Information (CUI) as part of the contractor’s services or sales are in-scope.
The information below details this new federal initiative.
The Department of Defense plans to conform their control environment to the CMMC framework in order to improve the cybersecurity posture of the Defense Industrial Base (DIB). Adopting the CMMC will validate multiple levels of cybersecurity controls and supporting processes. Adoption of the CMMC will provide assurance that controls are adequate to protect controlled unclassified information (CUI).
According to the Secretary of Defense for Acquisition and Sustainment, “the aggregate loss of CUI from the DIB sector increases risk to national economic security and in turn, national security. In order to reduce this risk, the DIB sector must enhance its protection of CUI in its networks.
The Council of Economic Advisers, an agency within the Executive Office of the President, estimates that malicious cyber activity cost the U.S. economy between $57 billion and $109 Billion in 2016 [Ref: “The Cost of Malicious Cyber Activity to the U.S. Economy, CEA” in February 2018].
The Center for Strategic and International Studies (CSIS), in partnership with McAfee, reports that as much as $600 Billion, nearly 1% of global GDP, may be lost to cybercrime each year. The estimate is up from a 2014 study that put global losses at about $445 Billion. [Ref: “Economic Impact of Cybercrime - No Slowing Down” in February 2018].”
September, 2019 update:
Draft .4 release, noting 18 cybersecurity domains, initial capabilities/maturity scale examples (1-5) and feedback request.
Domains/control families include:
- Access ControlAsset Management
- Awareness and Training
- Audit and Accountability
- Configuration Management
- Cybersecurity Governance
- Identification and Authentication
- Incident Response
- Media Protection
- Personnel Security
- Physical Protection
- Risk Assessment
- Security Assessment
- Situation Awareness
- System and Communications Protection
- System and Information Integrity
How does NIST SP 800-171 rev.1 relate to the CMMC:
It is expected that the CMMC will combine frameworks such as NIST SP 800-171, NIST SP 800-53, ISO 27001, ISO 27032, AIA NAS9933 (and others) similar to other consolidated frameworks. The CMMC will be built with scalability using a maturity model/tiers in order to measure cyber posture against practices and processes. This is much different than the current version of NIST SP 800-171 which has no maturity tiers. In addition to assessing the maturity of implementation of cybersecurity controls, the CMMC will also assess maturity/institutionalization of cybersecurity practices and processes. The DOD will also determine the appropriate tier/maturity level (to be determined).
In January, we expect version 1 of the CMMC to be publicly available and RFI requests from the DOD will begin in June of 2020.
Certification must be performed by an accredited and independent third party. The Mako Group is in the process of becoming a certifying body as evaluations are conducted (expected January 2020). Business requirement will be used to validate the certification requirements. Certification is awarded at that CMMC level after appropriate control compliance and maturity is demonstrated to the assessor and the certifier. While final guidance has not yet been issued, it is expected that controls will need to be operating effectively for a period of time (6 months, for example) to achieve certification. According to the Secretary of Defense for Acquisition and Sustainment, “Some of the higher level assessments may be performed by organic DoD assessors within the Services, the Defense Contract Management Agency (DCMA) or the Defense Counterintelligence and Security Agency (DCSA).”
Still under consideration:
Cost of certification
Details of the 5 maturity tiers
List of certifying bodies
Period of operating effectiveness