In an era where a cybercriminal looks for the weakest link, it is vital to maintain supply chain security. Supply chain threats are varied and include spear-phishing, third-party software vulnerabilities, and state-sponsored attacks. A recent mega cyber-attack traced to SolarWinds software impacted multiple government departments. The attack’s consequences demonstrate how insidious cyber-attacks are and how supply chain vendors are weaponized in the kill chain. In this attack, government vendor SolarWinds released an infected upgrade of a common software tool supplied to government departments.
The U.S. Department of Defense (DoD) takes supply chain security seriously enough to expect that all supply chain vendors use robust security measures. To measure this, the DoD uses the CMMC compliance framework and certification to prove adherence to various levels within that framework.
The CMMC is a vital tool in tackling cyber-threats, but it has many moving parts like many frameworks. This article discusses some of the advanced CMMC considerations.
Steps to readiness in CMMC certification and compliance
A report from systems integrator Accenture, “State of Cyber Resilience 2020“, states clearly how integral the supply chain is as a cyber-attack entry point:
“Indirect attacks against weak links in the supply chain now account for 40 percent of security breaches. “
CMMC compliance measures how hardened supply chain vendor systems are against cyber-attacks and accidental exposure of data. The CMMC program announced on January 31, 2020, provides a framework and a certification route to build and prove that a supply chain vendor is secure enough to transact with the government. A vital part of this is certification-based proof that a vendor meets one of the five cumulative levels within the CMMC framework.
The path to CMMC certification is a process estimated to take around six months to achieve certification.
The following are typical steps when getting ready for CMMC compliance:
Step 1: Understand and Define
An organization begins by understanding the requirements of the CMMC program and certification process. As part of this. An organization should expect to define the CUI (Controlled Unclassified Information) environment they are running, e.g., what data falls under this class, where is it stored, who shares these data, etc.
Step 2: Identify and map
An organization must identify the scope of working towards CMMC certification. This exercise involves mapping your CUI environment and interaction with the government, for example, what type of tenders will you bid on?
Step 3: What level?
The CMMC is split into five levels. Each level is progressively more comprehensive in terms of security measures. Certification is, therefore, increasingly more challenging to achieve as you move through the levels. Determine the baseline level you need to certify to, and what gaps in your security at that level exist.
Step 4: Document
Documentation is a core requirement of CMMC compliance and a core requirement at levels two and above. Documentation comprises two-parts:
- System Security Plan (SSP): Used to document controls that affect the Controlled Unclassified Information (CUI) environment.
- Plan of Action & Milestones (POA&M): Used to track and remediate deficiencies
Both documents are used to collate information and show evidence of adherence to a given CMMC level. The SSP and POA&M are also cross-regulation and used in other areas such as FedRAMP and NIST 800-171, DFARS 7012.
Step 5: Assess
After an internal audit and gap analysis with any remediation to meet level requirements, an organization is ready for the next part of the certification process, i.e., external assessment. CMMC certification requires that an external auditor is used to perform this. An organization must engage the services of an RPO (Registered Provider Organization) or C3PAO (Third-Party Assessor Organization) to complete this process. Any issues found must be resolved within 90 days before re-assessment.
Step 6: Review
A review of the external assessment is performed by a dedicated agency, the CMMC-AB. The CMMC-AB oversees an ecosystem of APOs and C3PAOs. This group is a DoD CMMC accreditation body that governs the training and delivery of qualified assessors of the CMMC certification program.
Step 7: Result!
If your CMMC-AB assessment is successful, a CMMC Certificate at your chosen level is issued. This certificate is valid for three years. After that period, an organization will go through the assessment process again for certification renewal.
Further considerations and notes on CMMC compliance
CMMC certification opens the doors to DoD contracts. But it can be a lengthy process to achieve CMMC compliance and requires time to understand the various nuances of the program. Some further details that are useful to know include:
CMMC certification is a phased rollout
CMMC certification is based on frameworks such as NIST (National Institute of Science and Technology). However, only 1% of DBI (Defense Industrial Base) companies have implemented all of the 110 NIST practices. Companies must act reasonably in advance if they wish to bid on DoD contracts.
The DoD is running a phased rollout of the CMMC program between 2021 and 2025. All DoD suppliers will need CMMC certification as all DoD contracts will contain CMMC clauses by 2026.
Process and practices
It is important to remember that CMMC compliance is not just about technology. CMMC is a regulation that looks at people, process, and technology. Meeting CMMC requirements is about security hygiene and involves people-focused security; all five levels of the CMMC encompass a philosophy of security awareness. This fact is evident when looking at statistics such as:
- 68% of organizations feel moderate to extremely vulnerable to insider attacks (including accidental data exposure)
- 47% of C-level leaders believe that human error was behind a data breach at their organization
Impact on Small and Medium Businesses (SMBs)
CMMC certification applies to both “prime” contractors and their subcontractors. This requirement implies even the smallest organization will need to be CMMC regulated. Verizon’s “Data Breach Investigations Report 2020” makes it evident. The report found that 28% of SMBs suffer data breaches.
CMMC certification costs will be a concern for an SMB. However, the DoD states on its FAQ page that:
“The costs associated with implementing CMMC requirements, supporting the CMMC assessment, and contracting with the C3PAO will be considered an allowed cost.”
Derogations and clarifications
The DoD FAQ page offers several derogations/clarifications to help in CMMC certification:
- If a DIB company does not possess, store, or transmit CUI but possess FCI (Federal Contract Information), it is required to meet FAR clause 52.204-21 and must be certified at a minimum of CMMC Level 1.
- Companies that solely produce Commercial-Off-The-Shelf (COTS) products do not require a CMMC certification.
- A cybersecurity incident will not automatically result in a DIB company losing its CMMC certification.
Being cyber-secure is no longer optional, it is an imperative. All IT networks across all sizes and types of the vendor are at risk from cyber-attacks. The supply chain is a target because it is viewed as a weak link by cybercriminals. The DoD recognizes this and is hardening its systems against such attacks by insisting that a DoD supply chain vendor proves it is cyber-secure. As such, if your organization wishes to bid on a DoD tender, then it must be CMMC certified. The DoD will implement the CMMC certification with the certification fully in place by 2025. As the process to certify is a lengthy one, that process requires specialist assessment, and now is the time to begin that process.