DoD Releases Draft CMMC Guidelines
The Department of Defense is probably the largest software development (and hardware development) organization in the world, but unlike, say, Microsoft or Cisco, almost all of that development is performed by third parties – the so-called defense industrial base, or DIB.
It is also likely the number one target of nation-state hackers, since a major weapons system like the F-35 might cost a trillion dollars over its lifetime and it is way cheaper for countries like China to steal the tech than to develop it. For example, China stole the plans for the F-35 and built the J-31 (see news item here). Unfortunately, that is far from an exception.
The DoD has been trying to tighten up security across its base of hundreds of thousands of contractors (there are 300,000+ contractors that handle sensitive unclassified information called CUI, and that is just one category of information).
The government wrote a security spec called NIST SP 800-171, but enforcement has been weak.
This year, working with Carnegie Mellon, Johns Hopkins and Mitre, the DoD is developing a “Cybersecurity Maturity Model Capability” (CMMC) very similar in concept to the model Carnegie Mellon developed for software developers (CMM) back in the 1990s.
The plan is that all DoD suppliers will be required to be certified by a third party every year.
While the model is only at version 0.4 and will not be finalized until next January, here is what it looks like right now:
- There are 18 domains
- Each domain is made up of capabilities
- Each capability is made up of processes and practices
- Certification runs from level 1 to level 5
- Level 1 requires basic cybersecurity performed in an ad hoc manner and is designed for small companies that are not working on very sensitive projects
- Level 5 is advanced security practiced in an optimized fashion
- There are 35 practices for level 1
- For level 5, which includes everything in levels 1-4, there are 370 practices – all subject to change at this point
- Very few companies will need to be certified at level 5
Click here to review the overview document for version 0.4.
For those who are familiar with the NIST Cybersecurity Framework (CSF) or NIST SP 800-53, this will all look very familiar.
The problem is that a large number of defense suppliers are small businesses that have no security program at all. These companies will be required to get to at least CMMC Level 1 and be certified annually by a third party. This could come as a shock to some.
While DoD messed around with enforcing NIST SP 800-171, there have been a number of serious DoD breaches over the last few years which have embarrassed the Pentagon brass, so it APPEARS that they are serious about this. WE. SHALL. SEE.
The plan is for the standard to be done by January – warp speed for DoD – to be included in RFIs by June and to be included in RFPs by September. Assuming they don’t blink (and it would be easy to put it into selected RFPs as opposed to making it a mandatory requirement), that would mark a huge change for the Department.
A complete copy of the draft can be found here.
My suggestion – if you are anywhere in the DoD supply chain – is to start learning about the CMMC and begin implementing basic cybersecurity practices now. If you are at the more sensitive end of the DoD food chain – Secret, Top Secret and SCI – start looking at CMMC Levels 3 through 5.
DoD has also said that it is going to start including security, along with cost, schedule and function, in contract awards, and Katie Arrington has publicly said that DoD understands it is going to have to pay for some of this. Katie is the special assistant for cybersecurity, reporting up to Ellen Lord, the Undersecretary for Acquisition and Sustainment – the person responsible for buying tens of billions of dollars of weapons every year.
Read these documents and get started now, because if DoD actually does what it says, it will be a scramble to comply, and if they actually make security an award criterion, doing it later won’t matter – you won’t get the award.