USA: CMMC 2.0
The U.S. Department of Defense ('DoD') recently released a revised version of the Cybersecurity Maturity Model Certification ('CMMC'), designated as CMMC 2.0. Alex Sharpe, Principal at Sharpe Management Consulting LLC, who consults on cybersecurity, privacy, digital transformation, disruption, and other areas, discusses this development while also guiding the reader towards additional resources [1].
The DoD used a risk-based approach to allocate the finite resources of the defence industrial base ('DIB') to where they will do the most good. At the same time, the streamlined approach shortens the time to value while also reducing the barriers to rolling out the program to other parts of the U.S. Government and its allies.
Those of us familiar with other Governance, Risk Management, and Compliance ('GRC') programs will recognise some familiar elements designed to meet the operational needs of the warfighter while mitigating cyber risk.
The CMMC's mission remains focused on protecting the warfighter by improving the cyber hygiene of the DIB. Controlled unclassified information ('CUI') remains at the core. The recognition of some CUI being more sensitive than other CUI is reinforced throughout the CMMC program.
The most visible change in 2.0 is the coalescing of five levels into three. The second most obvious change is how assessments will be performed at each of the three levels. Again, reinforcing the core concept, the required level of cyber hygiene tracks with the sensitivity of the data.
Like CMMC 1.0, NIST 800-171 remains the nucleus.
The new model
DoD provides an excellent graphic comparing versions 1.0 and 2.0, entitled 'Key Features of CMMC 2.0' [2].
As you can see from the graphic:
- Maturity Level 5 (ML5) is now known as 'Expert'.
- Maturity Level 3 (ML3) is now known as 'Advanced'.
- Maturity Level 1 (ML1) is now known as 'Foundational'.
Maturity Level 4 (ML4) and Maturity Level 2 (ML2) have been collapsed into levels Expert and Foundational, respectively. In practice, this is not a significant change. It is visible and does promote simplicity.
Finishing each short title with 'Cyber Hygiene' helps to put each level in perspective:
- expert cyber hygiene;
- advanced cyber hygiene; and
- foundational cyber hygiene.
The model remains tiered, based on the sensitivity of the data. The most sensitive data is protected at the expert level. The least sensitive data is protected at the foundational level. The expert level is for the most sensitive CUI, like covered defense information ('CDI') [3] and controlled technical information ('CTI') [4]. The foundational level is for federal contract information ('FCI').
At the top of the tiered model is the expert level, which is for the highest priority programs and the most sensitive data. With the most sensitive data comes the requirement for the strongest cyber hygiene, because the risk is greatest. The practices and controls are based on a supplement to NIST Special Publication 800-171 entitled 'Enhanced Security Requirements for Protecting Controlled Unclassified Information', also known by its short title, NIST 800-172 [5].
For the expert level, third-party assessments are required. In a slight departure from CMMC 1.0, expert level assessments will be conducted by the Defense Contract Management Agency's Defense Industrial Base Cybersecurity Assessment Center ('DIBCAC'). The certification is good for three years.
Reading between the lines, the DIBCAC will likely be leveraging the CMMC ecosystem to scale instead of increasing its full-time staff. All of this tracks with the philosophy of focusing resources to do the most good. The most sensitive data should be protected by the most robust controls and assessed by the best-trained staff.
In contrast to the expert level, the foundational level (aka the old ML1 and ML2) is designed for the least sensitive, non-public information in the DIB; that is, FCI [6]. Like CMMC 1.0, the FCI is protected by 17 Practices based on 'Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations', also known as NIST 800-171 [7].
The most notable change at this level is who can perform the assessment. A different type of self-attestation is allowed, and it is only valid for one year. This is not your father's (or mother's) self-attestation. Unlike previous self-attestations, this attestation must be completed by a corporate executive, not an individual lower down in the organisation. This is more akin to what we see in the private sector, as with the Sarbanes-Oxley Act of 2002 ('SOX') that was put in place after the financial crisis.
Business owners will most likely want to consider having a third-party assessment before completing the self-attestation. While the third-party assessment is not required by DoD, that does not mean it is not a good idea.
From a risk management perspective, we can see how the DoD came to this conclusion. The CMMC ecosystem has limited resources, and FCI is our least sensitive information. The nation is better served by focusing our limited resources on the most valuable data. At the same time, we put some more wood behind the self-attestation arrow.
Historically, self-attestations have been considered perfunctory. We know they do not work. Even though subject to the False Claims Act of 2011, organisations knew there was little chance there would be a knock on the door. That may have changed. About a month before the release of CMMC 2.0, the U.S. Department of Justice ('DOJ') launched its new Civil Cyber-Fraud Initiative [8].
'The initiative will hold accountable entities or individuals that put U.S. information or systems at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches' [9].
Sandwiched in between, the advanced level is the most nuanced and is where I suspect we will see the most clarification over the coming months. Like the expert level, the advanced level is based on CUI, but not the most sensitive CUI. Also like the expert level, it is based on NIST 800-171. The critical distinction is that the assessments are bifurcated.
Basically, based on priority and the sensitivity of the data, some organisations seeking certification will be assessed by a member of the ecosystem (e.g. a C3PAO), while others will be allowed to self-attest. As at the foundational and expert levels, self-attestations are good for one year, and third-party assessments are good for three years.
At the time of writing this article, the guidance, selection criteria, process, and the like for determining who must be assessed by a third party and who can self-attest have yet to be developed.
What is brand new in the model?
Two new features have been incorporated into the model that did not exist in 1.0 - plans of action and milestones ('POA&Ms') and waivers. Both are regularly seen in similar programs in both the public and private sectors. At the time of writing this article, the DoD had just released additional guidance, which we will explore in a future article.
CMMC 1.0 allowed for very limited POA&Ms within a stringent set of rules [10]. CMMC 2.0 loosened the rules so companies may receive a contract award with open POA&Ms, provided the POA&Ms are bound both in time and scope. POA&Ms are not allowed at the foundational level.
According to the DoD, it is necessary to:
'[…] specify a baseline number of requirements that must be achieved prior to contract award, in order to allow a remaining subset to be addressed in a POA&M within a clearly defined timeline' [11].
Waivers are also new to the model. Waivers may be granted based on operational need, priority, and, most importantly, an acceptance of risk.
According to the DoD, there is a requirement for a:
'[…] limited waiver process to exclude CMMC requirements from acquisitions for select mission-critical requirements. Waiver requests will require senior DoD leadership approval and have a limited duration. The specifics of the waiver requirements will be implemented as part of the rulemaking process' [12].
Again, we see an acceptance of cyber risk for a limited period of time, based on operational need by those authorised to make that decision.
While new to CMMC, POA&Ms and waivers are accepted practices in both the public and private sectors. The DoD has similar accommodations for the accreditation of systems handling classified information. The equivalent of POA&Ms and waivers are very common in commercial organisations. Similar practices are used to make go/no-go decisions before promoting a system or an upgrade into production.
What is no longer in the model?
Two notable items are missing from the model - the 20 delta practices and the processes. The DoD has been clear: CMMC 2.0 is keenly focused on what matters most and on applying resources where they will have the greatest impact. CMMC 2.0 was developed using a risk-based approach with participation from across the Government and the private sector, including members of the intelligence community.
It is likely the 20 delta practices have not gone away. They are just regarded as less critical and will most likely reappear in the future as the DIB matures and the threat environment evolves. They will probably appear in future versions of NIST 800-171.
While not baked into the model as they were in CMMC 1.0, the processes, policies, and the like have not lost their usefulness and still play a role in developing your cyber hygiene. They are also useful as objective evidence. They are, however, no longer required as they once were. Moreover, they exist indirectly in NIST 800-171 Appendix E, under tailoring actions for 'Policies and Procedures'.
The DoD has opened the door for incentives to foster adoption. History shows us that the most effective programs with checks and balances incorporate carrots and sticks. Potential incentives are further evidence the DoD and the Cybersecurity Maturity Model Certification Accreditation Body are serious about fostering adoption.
The CMMC Industry Advisory Group has suggested potential incentives in public forums, including:
- the DoD paying or refunding the cost, in whole or in part;
- an extended validity date or grandfathering for subsequent versions of CMMC;
- an extended validity period; and
- provision for dual certification (e.g. CMMC with ISO 27001) during an assessment.
Some other suggestions have been put forward that seem to be geared more towards rewarding organisations that go past the minimum:
- the award of extra points when a technical proposal is scored;
- preferred selection, set-asides, or being designated as a directed subcontractor;
- an increased certification validity period;
- special recognition in the Contractor Performance Assessment Reporting System; and
- additional margin when contracts are awarded.
The sticks are more obvious. Near-term, you run the risk of:
- lost contracts; and
- losing the potential to bid or team on contracts.
The longer-term risks are scarier - we can fail in our mission to protect the warfighter. Worse, we can allow our adversaries access to our intellectual property and our operational plans, thereby placing our economy, our national security, and your business at risk.
What is a business to do?
Cyber risk is a recognised business risk. It is a board discussion. It is a systemic risk that is not going away. Rather, it will only continue to grow.
According to a study reported by Cybercrime Magazine, 60% of small businesses go out of business after being hacked [13].
Even if you wonder whether staying in the defence business makes sense given the CMMC requirement, you may not be able to escape the question. Efforts similar to CMMC are popping up in other sectors and other countries. A driver behind 2.0 is to simplify the program to foster adoption across the rest of the U.S. Government and our allies. Let us not forget, CUI is not just the domain of the DoD. CUI applies to all of the departments and agencies. Defence is only one of 20 categories.
Much interest in CMMC is being expressed globally in both the public and private sectors. It is likely you will see CMMC or something similar pop up more and more.
In parallel, there is a groundswell for proof of cyber hygiene as part of commercial contracts. Different organisations are looking to understand your cyber hygiene before making a business decision. Investors, banks, trading partners, insurance companies, and buyers are looking to assess your cyber hygiene before choosing to do business with you. Any investment you make in achieving CMMC certification will not go to waste.
Business owners have both a fiduciary obligation and a duty of care. They have an obligation to their stakeholders – investors, employees, customers, or suppliers – to protect the business against cyber risk. CMMC 2.0 is a good way of doing that while also growing your market share.
At its core, CMMC 2.0 is about protecting sensitive data necessary to national defence. Because it is based on widely recognised standards (e.g. NIST 800-171) and common GRC principles, those same tools can be used to protect your business, whether focused on defence or not. As cyber risk continues to grow, cyber hygiene and the value of third-party assessments will continue to grow as well.
CMMC 2.0 is more evidence the U.S. Government is focused on increasing the cyber hygiene of the nation using a risk-based approach based on accepted GRC principles. CMMC 2.0 is designed to allocate the finite resources of the DIB to protect the most sensitive information sooner rather than later. At the same time, the model was simplified to foster adoption across all of the Government and our Allies. It is now a three-tiered maturity model incorporating a combination of assessments and self-attestation. The level of maturity maps directly to the sensitivity of the data and priority to the warfighter.
The cyber hygiene of your organisation is not only a conversation for your board but also for the members of your ecosystem who are the lifeblood of your business – customers, employees, suppliers, banks, trading partners, and the like. The demand for CMMC and similar efforts is only going to increase. It should be viewed as necessary for ensuring the long-term defence of the U.S. and our allies. It is also just good business.
Alex Sharpe, Principal
Sharpe Management Consulting LLC
[1] The CMMC 2.0 Model can be found here: https://www.acq.osd.mil/cmmc/model.html. A series of FAQs can also be found here: https://www.acq.osd.mil/cmmc/faq.html. The quality of resources and website content is much higher than we have seen historically.
[2] Available at: https://www.acq.osd.mil/cmmc/about-us.html
[5] Available at: https://csrc.nist.gov/publications/detail/sp/800-172/final
[6] See: https://isoo.blogs.archives.gov/2020/06/19/%E2%80%8Bfci-and-cui-what-is-the-difference/
[7] Available at: https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final