The US Department of Defense released version 0.6 of its Cybersecurity Maturity Model Certification program on Thursday, November 7, 2019.
More Ratings Clarity
As we have previously discussed, the CMMC will use a maturity rating system to assess not only the technical controls that are in place (which the DoD refers to in the CMMC as “practices”), but also the policies and procedures that the contractor has implemented to help guide the use of that technology.
The maturity ratings will range from level 1 to level 5, and the contractor will be rated separately for the controls and the policies. This rating system is used for each of the seventeen (17) different “domains” defined within the CMMC.
The DoD recognizes that many of its contractors are likely to still be rushing to get themselves to at least an overall rating of level 3 for each domain (which the DoD appears to suggest as a “reasonable” baseline for security), and thus this version focuses on the requirements to meet levels 1-3. Requirements for levels 4 and 5 are left for a later version.
It should be noted that a contractor’s overall maturity rating in each domain will be equal to the lower of the two maturity ratings. That is, a contractor that has superior technical controls in a particular domain (i.e., one deserving a 5 rating) but which has yet to implement any policies and procedures (i.e., one deserving a 1 rating) will only be given an overall maturity rating of 1 for that domain.
Ratings Requirements in Government Contracts
It remains unclear how the DoD will specify the maturity level required for a given contract. For example, we know that the contractor will be rated across each of the domains, but it is not yet clear whether a contractor will have a single, aggregate rating that will be used for assessment on a particular contract, or if the contracts are expected to take a more granular view, specifying each of the ratings across all of the domains. From earlier comments by the DoD, it would appear that they are likely to use a single, aggregate rating and that it will be the lowest rating across all domains. Clarity on this issue would be beneficial because it will allow contractors to prioritize their remediation and enhancement efforts within their Plan of Action and Milestones (“POAM”).
As discussed above, the CMMC divides cybersecurity into seventeen (17) domains. These domains are:
- Access Control (AC)
- Asset Management (AM)
- Audit and Accountability (AA)
- Awareness and Training (AT)
- Configuration Management (CM)
- Identification and Authentication (IDA)
- Incident Response (IR)
- Maintenance (MA)
- Media Protection (MP)
- Personnel Security (PS)
- Physical Protection (PP)
- Recovery (RE)
- Risk Management (RM)
- Security Assessment (SAS)
- Situational Awareness (SA)
- Systems and Communications Protections (SCP) and
- System and Information Integrity (SII)
Much like the NIST Cybersecurity Framework’s Functions (Identify, Protect, Detect, Respond, Recover) and their corresponding control categories, at a high level, the CMMC domains can be useful for organizations’ management, including boards and the C-Suite, as a means for organizing discussions around issues to be addressed by, or being addressed in, their organization’s cybersecurity strategy. This can allow for a more granular discussion between the security/technology teams and the contractor’s senior management without the senior management having to become experts in any particular domain. For self-assessment purposes, these domains and the corresponding maturity within them can be very useful for contractors as they assess how to invest their hard-earned IT and security budgets.
A Missing Domain
However, as is common with many cybersecurity strategies, the DoD has overlooked a key domain: legal and regulatory concerns. While it appears from the comments in Appendix B that the DoD may intend the legal and regulatory aspects to be included across all of the domains, many organizations are not aware of their legal and regulatory exposure. Forcing contractors to explicitly address this as part of their maturity assessment will be beneficial. For example, many organizations’ incident response plans focus on data privacy reporting obligations and do not address their cybersecurity incident reporting requirements, such as those imposed by the Securities and Exchange Commission. The failure to address the full spectrum of legal and regulatory requirements as part of an incident response plan is a strong indicator of the overall maturity of the contractor’s approach to its cybersecurity strategy. Thus, a legal and regulatory domain should be incorporated into the CMMC’s requirements.
Capabilities and Practices
Version 0.6 adds clarity within each of the domains as to what the DoD expects of its contractors. There is now a set of 40 defined capabilities, or achievements to ensure cybersecurity objectives are met within each domain. Each of these capabilities has associated with it at least one practice that is to be implemented to demonstrate compliance with that capability. Different practices are assigned to different maturity levels. Each practice also has associated with it one or more external references. These external references are provided to help practitioners understand how the practices are to be implemented, but strict compliance with the external references is not required to achieve CMMC certification.
While the CMMC represents a significant improvement over most organizations’ approach to cybersecurity, version 0.6 of the CMMC still misses the boat. The NIST Cybersecurity Framework and the Cybersecurity & Infrastructure Security Agency’s “Cyber Essentials” for small and medium businesses both encourage businesses to conduct a thorough business assessment before making any significant technology investments. However, CMMC v.0.6 encourages contractors to treat cybersecurity primarily as a technological problem. This is evidenced in part by the way the technical domains are prioritized over more business-oriented domains like risk management. For example, organizations can achieve a level 2 rating without ever even considering risk management, which is a mistake as it forces the DoD’s contractors to invest in technologies that may not be necessary and prioritizes doing something over doing the right thing. Even within the Audit and Accountability domain, a domain which by its title should be focused more on business-level issues, the prescribed practices are purely technology focused. The US Government, and especially the Executive Branch agencies entrusted with protecting our nation, should be providing consistent messaging and prioritization to everyone on this very important topic.
We believe the NIST/CISA approach to be the approach that will provide the best value to both the contractor and the DoD, and it is also the approach that is more likely to result in better cybersecurity, as the contractor will have business-oriented reasons for maintaining and enhancing the programs rather than treating them as a compliance-type expense from which the business derives limited value. In addition, under the CMMC’s current approach, contractors are likely to spend money on practices that will yield only a marginal improvement in their actual security while ignoring other controls from which they would greatly benefit. The DoD needs to bring the level 1 requirements more in line with the NIST Cybersecurity Framework and CISA’s guidance.
We also want to stress that we support the DoD’s efforts with respect to the CMMC. Requiring contractors to change the way they view and address cybersecurity is a long overdue change. However, there are some fundamental issues that need to be addressed. We hope the DoD will reassess its approach and address these issues before version 1.0 is released.