Protecting the DIB and DoD Supply Chain
The U.S. Department of Defense invests $1.8T every year in new weapons systems such as aircraft, ships, ground fighting vehicles and satellites, and in new IT systems and capabilities delivered through prototypes or new procurement pathways. This is in addition to the annual procurement of offensive and defensive systems for front line fighting forces (Air Force, Army, Navy & Marine Corps). These activities create, modify and manufacture existing and new technologies and Intellectual Property (IP) on many diverse digital platforms, residing with over 300,000 suppliers across the DoD's Defense Industry Base (DIB); these platforms are exposed to cyber threats.
Recent cyber events have compounded the view that if this IP gets into the wrong hands it could damage the effectiveness of the offensive and defensive capabilities of the U.S. The Council of Economic Advisers, in its 2018 report published by the Office of the President of the USA, estimated that the cost of malicious cyber activity to the U.S. economy in 2016 was between $56B and $109B. At the same time, the intangible costs of cyber-attacks on the DIB will be felt through the loss, damage or destruction of IP. This impact on the U.S. competitive advantage, and the associated economic impact on DIB contractors, affects the flow of products and services through the DoD supply chain as well as to the front line fighting forces. The U.S. DoD and the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) have recognized this impact and acknowledge that cybersecurity is a foundation of the acquisition process.
Under the DFARS 252.204-7012 regulations, DIB contractors and their subcontractors had been self-attesting to compliance with NIST (SP) 800-171 practices since 2017. However, DFARS 252.204-7012 did not fully address the requirement to ensure that suppliers to the DoD had actually implemented the appropriate cybersecurity practices. To address this, the DoD raised a formal DFARS case, 2019-D041 ‘Strategic Assessment and Certification Cyber Security Requirements’, initiating the process to implement a methodology for assessing DoD contractors' compliance with NIST (SP) 800-171 and the protection of Controlled Unclassified Information (CUI).
CMMC – Scope and Applicability
The CMMC model measures cybersecurity maturity across five levels and aligns a set of processes and practices with the type and sensitivity of the information to be protected and the associated range of threats. The model consists of maturity processes and cybersecurity best practices drawn from multiple cybersecurity standards, frameworks and other references, as well as inputs from the broader community. The framework is built on four elements – Security Domains, Capabilities, Controls (Practices) and Processes – which, when combined, form the best practices for protecting an organization and its FCI and CUI. These elements apply at five cybersecurity maturity levels (Level 1, 2, 3, 4 and 5) in the overall CMMC framework, Level 1 being the least mature and Level 5 the most mature.
Cybersecurity Domains
The CMMC framework consists of 17 cybersecurity domains. A domain is a distinct group of security practices that share similar attributes and are key to the protection of FCI and CUI, either individually or in combination. The following table lists the domains defined in the CMMC framework for the protection of FCI and CUI.

Domain | Abbreviation |
---|---|
Access Control | AC |
Asset Management | AM |
Audit and Accountability | AU |
Awareness and Training | AT |
Configuration Management | CM |
Identification and Authentication | IA |
Incident Response | IR |
Maintenance | MA |
Media Protection | MP |
Personnel Security | PS |
Physical Protection | PE |
Recovery | RE |
Risk Management | RM |
Security Assessment | CA |
Situational Awareness | SA |
System Communications Protection | SC |
Systems Information Integrity | SI |
Capabilities
Each domain comprises several capabilities that an organization is expected to achieve to ensure that cybersecurity and the protection of FCI and CUI are sustainable. Capabilities are a combination of practices, processes, skills, knowledge, tools and behaviors which, working together, enable an organization to protect FCI and CUI. The 43 capabilities are listed below.

Capability | Description |
---|---|
C001 | Establish system access requirements |
C002 | Control internal system access |
C003 | Control remote system access |
C004 | Limit data access to authorized users and processes |
C005 | Identify and document assets |
C006 | Manage asset inventory |
C007 | Define audit requirements |
C008 | Perform auditing |
C009 | Identify and protect audit information |
C010 | Review and manage audit logs |
C011 | Conduct security awareness activities |
C012 | Conduct training |
C013 | Establish configuration baselines |
C014 | Perform configuration and change management |
C015 | Grant access to authenticated entities |
C016 | Plan incident response |
C017 | Detect and report events |
C018 | Develop and implement a response to a declared incident |
C019 | Perform post-incident reviews |
C020 | Test incident response |
C021 | Manage maintenance |
C022 | Identify and mark media |
C023 | Protect and control media |
C024 | Sanitize media |
C025 | Protect media during transport |
C026 | Screen personnel |
C027 | Protect federal contract information during personnel actions |
C028 | Limit physical access |
C029 | Manage back-ups |
C030 | Manage information security continuity |
C031 | Identify and evaluate risk |
C032 | Manage risk |
C033 | Manage supply chain risk |
C034 | Develop and manage a system security plan |
C035 | Define and manage controls |
C036 | Perform code reviews |
C037 | Implement threat monitoring |
C038 | Define security requirements for systems and communications |
C039 | Control communications at system boundaries |
C040 | Identify and manage information system flaws |
C041 | Identify malicious content |
C042 | Perform network and system monitoring |
C043 | Implement advanced email protections |
Security Controls
In total (at Level 5) the CMMC framework identifies 171 security controls, associated with the 17 security domains and mapped across the 5 maturity levels. The security controls applied at maturity Levels 1 and 2 are referenced from FAR 52.204-21, the basic safeguarding of covered contractor information systems, and apply to the protection of Federal Contract Information (FCI). The security controls applied at Levels 3, 4 and 5 are referenced from DFARS 252.204-7012, the safeguarding of covered defense information and cyber incident reporting.
Maturity Levels
The DIB delivers a complex mix of products and services to the DoD through a supply chain of over 300,000 prime and subcontract suppliers. A single cybersecurity model will not appropriately support such an economically and technically diverse supply chain with varying degrees of cyber maturity. Given the depth, breadth and complexity of the products and services being delivered, from footwear through to complex air, land and sea-based systems, a cybersecurity maturity model is the most appropriate solution.
The CMMC comprises 5 levels of cyber maturity. They are designed to support DIB suppliers ranging from those who require basic cybersecurity hygiene at Level 1 through to complex DIB suppliers who are actively targeted by threat actors, potentially nation states, at Level 5. To ensure that security domains, capabilities and practices are implemented effectively and institutionalized, maturity processes apply across all security domains at each of the 5 levels of cybersecurity maturity (Level 1, 2, 3, 4 and 5), from the 17 practices at Level 1 through to the 171 practices that are applied, documented, established, effective and optimized at Level 5.
Maturity Level | Level Description | Process |
---|---|---|
ML1 | Performed | There are no (maturity) processes assessed at Level 1. An organization performs the Level 1 practices, but they are not institutionalized. This basic hygiene safeguards FCI. |
ML2 | Documented | Policies are established for each Security Domain identified under Level 2, and CMMC practices are documented to implement the defined policy. This intermediate cyber hygiene marks a transition step towards protecting CUI. |
ML3 | Managed | Practices are established, maintained, resourced and their actions managed. This maintains good cyber hygiene and places increasing emphasis on protecting CUI. |
ML4 | Reviewed | The effectiveness of the practices is reviewed and measured. This begins a proactive approach towards protecting CUI and starts to address APT risks. |
ML5 | Optimizing | Practices are standardized and optimized across all organizational units. This marks the advanced and progressive approach to reducing the risks from APTs for the safeguarding of FCI and CUI. |