Cybersecurity Maturity Model Certification


The Cybersecurity Maturity Model Certification (CMMC) is an assessment framework and assessor certification program designed to increase trust in measures of compliance with a variety of standards published by the National Institute of Standards and Technology. [1]


The CMMC framework and model were developed by the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) of the United States Department of Defense through existing contracts with Carnegie Mellon University, The Johns Hopkins University Applied Physics Laboratory LLC, and Futures, Inc. [2] The Cybersecurity Maturity Model Certification Accreditation Body oversees the program under a no-cost contract. The program is currently overseen by the DoD CIO office. [3]

CMMC, which often requires third-party assessment if a contractor handles Controlled Unclassified Information, will impact the $768bn defense industry, 3.2% of the Gross Domestic Product of the United States of America. [4]

The purpose of the CMMC is to verify that the information systems used by contractors of the United States Department of Defense to process, transmit or store sensitive data comply with the mandatory information security requirements. [5] The goal is to ensure appropriate protection of controlled unclassified information (CUI) [6] and federal contract information (FCI) that is stored and processed by a partner or vendor.

Model

The framework provides a model for contractors in the Defense Industrial Base to meet the security requirements of NIST SP 800-171 Rev 2, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. Some contracts will also include a subset of the requirements from NIST SP 800-172, Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171. [7]

CMMC organizes these practices into a set of domains, which map directly to the NIST SP 800-171 Rev 2 and NIST SP 800-172 families. There are three levels within CMMC: Level 1, Level 2, and Level 3. [8]

Level 1 (Foundational)
  Practices: 14, based on FAR 52.204-21, cross-referenced to NIST SP 800-171 Rev 2
  Objectives: 59
  Assessment: Annual self-assessment
  Focus area: Safeguard Federal Contract Information (FCI)

Level 2 (Advanced)
  Practices: 110 practices aligned with NIST SP 800-171
  Objectives: 320
  Assessment: Triennial third-party assessments for critical national security information; annual self-assessment for select programs
  Focus area: Protection of Controlled Unclassified Information (CUI)

Level 3 (Expert)
  Practices: 110+ practices based on NIST SP 800-171 plus a subset of the security requirements in NIST SP 800-172
  Objectives: 320+; total objectives waiting for final guidance from DoD on which controls from NIST SP 800-172 apply
  Assessment: Triennial government-led assessments
  Focus area: Enhanced protection of Controlled Unclassified Information (CUI)

CMMC will not be enforced on federal contracts until the final rulemaking has been completed and incorporated into Titles 32 and 48 of the Code of Federal Regulations (CFR). [7]

Upcoming guidance has been promised by the CMMC office to help set expectations for companies in the Defense Industrial Base as to which level of accreditation should be sought, depending on their role as a prime or subcontractor on various contracts.

History

In 2002, the Federal Information Security Management Act required each federal agency in the United States to develop, document, and implement an agency-wide program to provide information security for its information and information systems.

In 2002, the Cybersecurity Research and Development Act authorized appropriations to the National Science Foundation (NSF) and to the Secretary of Commerce for the National Institute of Standards and Technology (NIST) to establish new programs, and to increase funding for certain existing programs, for computer and network security (CNS) research and development and CNS research fellowships. This led to the development of the security requirements in the Cybersecurity Maturity Model Certification framework.

In 2003, the FISMA Project (now the Risk Management Project) was launched and published requirements such as FIPS 199, FIPS 200, and NIST Special Publications 800-53, 800-59, and 800-6, followed by NIST Special Publications 800-37, 800-39, 800-171, and 800-53A.

In 2010, Executive Order 13556, Controlled Unclassified Information, rescinded a previous order and created a standard for labeling data across the government.

In 2011, DFARS Case 2011-D039 proposed rule 7000 under the Defense Federal Acquisition Regulation Supplement (DFARS), enacting requirements for safeguarding unclassified information, specifically as it related to fundamental research.

In 2013, the DFARS 252.204-7000 rule went into effect, requiring the protection of sensitive data on non-federal systems.

In 2016, the DFARS 7012 clause went into effect, requiring all contract holders to self-assess their compliance with the security requirements of NIST SP 800-171.

In 2019, the Department of Defense announced the creation of the Cybersecurity Maturity Model Certification (CMMC) to transition away from the mechanism of self-attestation of an organization's basic cyber hygiene that had been used to govern the Defense Industrial Base. Since 2017, all defense contractors had been required to self-assess and report their cybersecurity readiness against the NIST SP 800-171 standard.

After a series of breaches in the supply chain, [9] the Department of Defense, working in partnership with industry, created the CMMC model.

The interim rule authorizing the inclusion of CMMC in procurement contracts, Defense Federal Acquisition Regulation Supplement (DFARS) Case 2019-D041, was published on September 29, 2020, with an effective date of November 30, 2020. [10]

On December 8, 2020, the CMMC Accreditation Board and the Department of Defense released an updated timeline [11] that has the model fully implemented by September 2021.

On December 8, 2020, the Department of Defense released seven pathfinder grants to pilot the CMMC framework, requiring any contractor on the grant to have a certified third-party assessor measure the company's compliance. [12]

On December 31, 2020, the General Services Administration released a Request for Proposal for its Polaris program, which noted that, while CMMC currently applies only to the Department of Defense, all government contractors, civilian or military, should prepare to meet CMMC requirements. [13]

On November 4, 2021, the Department of Defense announced the release of CMMC 2.0. [14] This new version was designed to streamline its requirements.

On September 29, 2022, the Cyber AB (the accreditation body for the CMMC for the Department of Defense) established a subsidiary, the Cybersecurity Assessor and Instructor Certification Organization (CAICO), to manage training and certification. [15]

On October 25, 2022, the Cybersecurity Assessor and Instructor Certification Organization (CAICO) announced the launch of the Certified CMMC Professional (CCP) exam. This exam verifies a candidate's knowledge of the Department of Defense's CMMC framework and the roles and responsibilities of the various positions within it. [16]

On January 5, 2023, Redspin, a CMMC third-party assessor, announced that it had successfully assessed a client under the Joint Surveillance Voluntary Assessment Program (JSVAP). [17]

On December 26, 2023, the Department of Defense published the proposed rule, Cybersecurity Maturity Model Certification (CMMC) Program, in the Federal Register, establishing the updated requirements for CMMC 2.0. [18]

Criticism

Industry professionals have voiced significant concern over the lack of centralized official communications and the accelerated timeline for roll-out. The sheer number of companies affected in the Defense Industrial Base creates a volume of assessments for the still-not-yet-accredited CMMC Third Party Assessment Organizations (C3PAOs) that appears unrealistic by the proposed deadlines, a point that has been discussed heavily on LinkedIn. [19] [20] Arrington has responded by asserting that reciprocity with existing certification programs such as FedRAMP and FIPS 140 will remove duplicative work and keep the workload minimal for companies already in compliance. [21]

CMMC Accreditation Body Chairman Ty Schieber left the board, along with communications director Mark Berman, after an apparently unsanctioned 'Pay to Play' sponsorship program was published on the CMMC-AB website. Karlton Johnson stepped into the Chair role. [22] [23]


References

  1. "Cybersecurity Maturity Model Certification (CMMC) Model Overview. Accessed 2022-04-01" (PDF).
  2. "Cybersecurity Maturity Model Certification (CMMC) Model Overview. Accessed 2022-04-01" (PDF).
  3. "Chief Information Officer Department of Defense. Accessed 2023-04-17".
  4. Stockholm International Peace Research Institute. "Trends in World Military Expenditure, 2019", pp. 2–3. Accessed December 7, 2020 (PDF).
  5. "Strategic Direction for Cybersecurity Maturity Model Certification (CMMC) Program". U.S. Department of Defense. Retrieved December 27, 2022.
  6. Ross, Ron; Pillitteri, Victoria; Dempsey, Kelley; Riddle, Mark; Guissanie, Gary (January 28, 2021). "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations".
  7. "Cybersecurity Maturity Model Certification (CMMC)".
  8. "Cybersecurity Maturity Model Certification (CMMC) Model Overview. Accessed 2022-04-01" (PDF).
  9. "FBI Strategy Addresses Evolving Cyber Threat – Federal Bureau of Investigation". Federal Bureau of Investigation. September 16, 2020. Retrieved January 8, 2021.
  10. "Defense Federal Acquisition Regulation Supplement: Assessing Contractor Implementation of Cybersecurity Requirements (DFARS Case 2019-D041)". Federal Register. September 29, 2020. Retrieved January 9, 2021.
  11. "Update on the CMMC Timeline". CyberDI. January 5, 2021. Retrieved January 9, 2021.
  12. Serbu, Jared (December 15, 2020). "Pentagon reveals first contracts to serve as pathfinders for CMMC". Federal News Network. Retrieved January 8, 2021.
  13. Boyd, Aaron (January 4, 2021). "GSA Releases Draft of New Government IT Services Contract Polaris". Nextgov.com. Retrieved January 8, 2021.
  14. "OUSD". November 4, 2021. Archived from the original on November 4, 2021.
  15. "The Cyber AB Forms Cybersecurity Assessor and Instructor Certification Organization". GovCon Wire. September 29, 2022. Retrieved February 21, 2023.
  16. "The Cybersecurity Assessor and Instructor Certification Organization Launches Certified CMMC Professional Exam". www.businesswire.com. October 25, 2022. Retrieved February 21, 2023.
  17. "Redspin Becomes the First C3PAO to Perform a Successful JSVAP Assessment". www.businesswire.com. January 5, 2023. Retrieved April 17, 2023.
  18. "Cybersecurity Maturity Model Certification (CMMC) Program", 88 F.R. 89058 (proposed December 26, 2023) (to be codified at 32 C.F.R. § 170). https://www.federalregister.gov/documents/2023/12/26/2023-27280/cybersecurity-maturity-model-certification-cmmc-program
  19. "Tech companies tell DoD its new cyber standards are missing the mark". Federal News Network. March 27, 2020. Retrieved January 9, 2021.
  20. "DoD warns vendors about fake third-party CMMC certifiers". Federal News Network. February 24, 2020. Retrieved January 9, 2021.
  21. Williams, Lauren C. (September 8, 2020). "CMMC reciprocity guidelines are still a work in progress". FCW. Retrieved January 9, 2021.
  22. "Cybersecurity Maturity Model Certification Issues". Fedscoop. July 28, 2020. Archived from the original on July 28, 2020. Retrieved January 9, 2021.
  23. "CMMC AB Ousts Chairman Ty Schieber and Mark Berman". Fedscoop. September 16, 2020. Archived from the original on October 1, 2020. Retrieved January 9, 2021.