Oct 25 2023

How a Cybersecurity Maturity Model Can Light the Way for State and Local Agencies

The DOD’s Cybersecurity Maturity Model Certification serves as an effective tool for state and local agencies to stay secure.


The Department of Defense is instituting a new certification to determine how well its contractors are handling sensitive information.

The Cybersecurity Maturity Model Certification is the Defense Department’s effort to verify adherence to an important pre-existing cybersecurity standard created by the National Institute of Standards and Technology, published in NIST SP 800-171. The CMMC requirement was codified in a 2017 rule, the Defense Federal Acquisition Regulation Supplement (DFARS) 7012.

Though state and local organizations don’t yet have to comply with the CMMC, they’d do well to embrace the standard. Plus, it’s likely this model will trickle down to the state and local level in the future.

The impetus for the creation of the CMMC was to nudge federal and defense contractors to adhere to NIST’s requirements.

“Contractors are supposed to be doing this already,” says Noël Vestal, compliance officer for PreVeil, an encrypted email and file-sharing platform.

To ensure compliance, the DOD decided to put more attention on DFARS 7012. Thus, the original version of the CMMC was introduced in 2019. Now, version 2.0 is on the horizon.


What Is the Cybersecurity Maturity Model Certification (CMMC)?

According to the Defense Department’s CMMC website, “The Cybersecurity Maturity Model Certification (CMMC) program is aligned to DoD’s information security requirements for [defense industrial base] partners. It is designed to enforce protection of sensitive unclassified information that is shared by the Department with its contractors and subcontractors. The program provides the Department increased assurance that contractors and subcontractors are meeting the cybersecurity requirements that apply to acquisition programs and systems that process controlled unclassified information.”

CMMC 2.0 has three levels of assessed requirements for certification (reduced from five in CMMC 1.0):

  • Level 1 applies to companies that focus on the protection of federal contract information. According to Federal Acquisition Regulation 52.204-21, “Basic Safeguarding of Covered Contractor Information Systems,” federal contract information is “information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments.” This entry-level certification is based on the 17 controls found in FAR 52.204-21.
  • Level 2 is for companies working with controlled unclassified information (see below for more on CUI). Here, the requirements are based on NIST SP 800-171, which spells out exactly how companies should protect this kind of data.
  • Level 3 is designed to reduce the risk from advanced persistent threats. According to the Cybersecurity and Infrastructure Security Agency, an APT is “a well-resourced adversary engaged in sophisticated malicious cyber activity that is targeted and aimed at prolonged network/system intrusion. APT objectives could include espionage, data theft and network/system disruption or destruction.” This level applies to companies working on the Pentagon’s top-priority programs.

What Is Controlled Unclassified Information?

The Pentagon defines it this way: “CUI-protected information is unclassified, but requires control to prevent release of unclassified information that, if publicly associated with defense missions or aggregated with other sources of information, often will reveal exploitable information to adversaries or violate statutory requirements.”

In other words, it’s the sea of information that the DOD and its contractors share back and forth in the course of doing regular business. The Pentagon has created 108 categories of CUI. They include patent applications, archeological resources, pesticide producer surveys, national park system resources, general procurement and acquisition information, international agreement information and water assessments.


There are also plenty of categories that have clearer national security implications: critical energy infrastructure information, ammonium nitrate, chemical-terrorism vulnerability information, export-controlled research, intelligence financial records and DOD critical infrastructure security information.

To clarify the issue, the DOD has established an additional 199 subcategories of CUI. Because this stream of everyday information is so broad, the Pentagon wants to be sure its contractors are tracking and protecting it.

“There are so many opportunities for bad actors to get to CUI,” says Vestal.

Contractors also need to identify the CUI they create themselves as part of working with the defense department.

Now Is the Time for State and Local Agencies to Get Started

The Pentagon is still in the process of rulemaking on CMMC. Most expect it to be a contracting requirement by 2025.

“There is no reason, if you are handling government information, that you should wait,” says Andrew Stewart, a senior federal strategist for Cisco Systems. “CMMC requires a lot of controls, organizing, a strategic approach and a commitment of resources.”

The Defense Department has hinted that companies performing voluntary cybersecurity appraisals will get a leg up on the CMMC.

“DOD is implying that if you have a satisfactory Joint Surveillance Audit, it will transform into a CMMC [level 2],” says Tony Bai, executive vice president for public sector at security and compliance company A-LIGN. There, he oversees the team that conducts FedRAMP, FISMA/RMF, NIST 800-171 and CMMC assessments for clients.


Bai expects the new framework to seep down the information security chain eventually. State and local cloud providers have already adopted FedRAMP cybersecurity requirements, he says. “A lot of people are watching the DOD as a guinea pig.”

The best way to prepare for the CMMC is to follow the NIST 800-171 standard, Bai advises. “That gives you a firm idea of how controls should be implemented.” The controls include access control, awareness and training, audit and accountability, configuration management, identification and authentication, incident response, maintenance, and media protection. Like the CMMC, the 800-171 rubric requires independent, third-party assessment.


Third-Party Assessors

Levels 2 and 3 of the CMMC will require oversight by third-party assessors vetted by the government. Writing up the assessment and stopping at that won’t be enough, says Thomas Graham, vice president and CISO at Redspin, a division of Clearwater, which was the first to be certified as a CMMC Third Party Assessor Organization (C3PAO).

“You need to have muscle memory. We can ask for live screenshares and evidence of objectives. Struggling to pull those up won’t give assessors a warm, fuzzy feeling,” Graham says.

Another pitfall is documenting compliance. “Assessors will look for policy, a procedure, additional artifacts and evidence,” says Vestal. “That’s where contractors slip up. They write a policy and don’t follow it.”

In April, the Defense Industrial Base Cybersecurity Assessment Center released a top 10 list of contractors’ most common failures to meet NIST 800-171 requirements. It’s a good indicator of where vendors will need to improve to pass the CMMC. Trouble areas include lack of multifactor authentication; failure to identify, report and correct system flaws; failure to periodically assess risk; not scanning for vulnerabilities; and inadequately tested incident response capability.

There is clearly a lot of work to be done, and state and local governments will want to watch how the effort pans out.

