What do Target, Wendy’s, and Home Depot have in common? All three were hacked, they suffered losses in the many tens of millions of dollars, and all were hacked through their supply chain. The attackers were not successful in targeting these large companies directly; they were successful in attacking the smaller, less prepared contractors and suppliers. The lessons from these cyberattacks and others are not lost on industry and government. These attacks point to the fact that the weakest link in the cybersecurity defense chain is often contractors and suppliers.
The federal government, large corporations, and industry have spent the last decade working to improve their cybersecurity defense, and as a result, they have become a much harder target to attack. As an example, the federal government has developed a host of regulations and requirements for the cyber defense of federal information systems. In addition, government and industry have developed security standards designed to protect healthcare information, critical infrastructure, financial and personal information, etc. To address the supply chain vulnerabilities in the Defense Industrial Base, in 2017 the DoD set the requirement for all contractors to have a cybersecurity plan. The plan is based on the National Institute of Standards and Technology (NIST) 800-171 standard, titled “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.” However, as a requirement, it was ignored. For most companies, the requirement was overkill; for a few, it was not enough. In response, in January 2020, the DoD released the Cybersecurity Maturity Model Certification (CMMC). Unlike the NIST requirement, the CMMC model has five levels of certification, and it will require all defense contractors, prime or subcontractors, large or small, to be audited and certified. The goal of the CMMC program is to have all 300,000 business in the defense industrial based certified to one of the five CMMC levels by 2026. The bottom line is, to work in Defense Industrial Base, as with other industries, you will have to be audited and certified.
The CMMC model has five levels; the most common level will be Level 1, which has 17 practices; the estimate is that 85% of the companies in the industrial base will be Level 1. The second most common level is CMMC Level 3, which is about 14% of all companies, with 130 practices. Extremely few companies, less than 1% will be levels 4 – 5. The question is, then what level will a company be? The answer is driven by the class of information. Within the CMMC model, there are essentially two classes of information, Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). CMMC Level 1 is focused on FCI, which is contract information. This contract information can be cost data, delivery information, part numbers, etc. This is information not in the public domain, information from the government, or what you produce as a matter of the contract. Levels 2 to 5 are CUI. CUI is much like FCI, it is information not in the public domain, and it includes other information that is not to be released publicly. In this example, it could be engineering or manufacturing drawings, software, reports, etc. What will determine CUI will be listed in the contract and marked as CUI. For most companies, the focus will be on FCI and the 17 practices for Level 1.
As with most things regarding requirements, standards, and compliance, the tendency is to address the issue when it is in front of you. This may not be a wise course of action in this case. Though Level 1 has only 17 practice requirements and they are considered basic IT actions, they may require resources and time. Most company networks and systems suffer from benign neglect. This is due to obsolete equipment, out of date software, default settings not changed. Correcting these takes money and time. In the past, there was a checklist approach to security compliance; this changes with the CMMC model. For all CMMC levels, there will be an on-site visit, meaning the auditor will conduct the audit in person at your place of business. Another consideration is context; the CMMC model is not strictly cybersecurity or IT-focused; it takes a system security approach. It is one that addresses physical security; it is one that is focused on practices in terms of how well you follow your plan or instructions.
If you plan to do work for the DoD or if you want to continue to work as a contractor, the CMMC audit and certification are an absolute requirement. The audit is what you will have to pay for, and it is pass/fail. The certification will be good for three years, after which you will need to be audited again and be certified. The best advice is to start now.