What’s New in CMMC | Column 7
“What’s New in CMMC” is a regular column from MxD explaining aspects of the CMMC 2.0 framework.
With the U.S. Department of Defense aiming to get Cybersecurity Maturity Model Certification (CMMC) requirements into contracts by next May, manufacturers and suppliers who will need Level 2 compliance are being urged to prepare now. That includes getting ready to pass a third-party assessment.
As Defense Department officials note, CMMC 2.0 details are not yet final. The three-tiered manufacturing cybersecurity program is still making its way through the federal rulemaking process.
But the DOD has warned that thousands more companies will likely need third-party assessments to comply with CMMC Level 2 than previously estimated. And waiting to get started is not a good idea, officials say.
Many small and medium-size organizations in the defense industrial base have never done such an assessment, said Laura Élan, MxD’s senior director of cybersecurity, “which is why preparing now is absolutely necessary.”
CMMC 2.0 Level 2, which is for contractors that handle controlled unclassified information (CUI), currently has 110 requirements. That compares to fewer than 20 requirements in CMMC Level 1.
The Level 2 requirements are aligned with NIST SP 800-171, the NIST Special Publication that sets out the requirements for protecting CUI. To demonstrate compliance, most Level 2 contractors will likely need to pass a third-party audit every three years and affirm annually that they are still complying.
To pass an auditor’s assessment, manufacturers must be able to do three things, Élan says:
- Declare that they comply with each requirement.
- Have the evidence, like logs and policy documents, to back up their statements.
- Demonstrate the effectiveness of any mechanism used for compliance.
For example, a contractor may have to prove that all employees with access to CUI use multifactor authentication. That means having policy documents available as well as audit logs that show network access. And in some cases, it would mean actually demonstrating that the multifactor authentication works as it’s supposed to — blocking anyone who does not provide additional verification.
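The MFA example above describes two kinds of proof an assessor may ask for: audit logs that show who accessed CUI systems and how, and a demonstration that the control actually blocks anyone without a second factor. The script below is an added illustration of how a contractor might pull both from an authentication log; it is not code from MxD or from the column. The log format, field names, resource names and sample records are constructed for this example, and real identity providers export different schemas.

```python
"""Added example (not from the MxD column): extracting MFA evidence from an
authentication audit log.

The log format, field names and sample records are constructed for the
example; real identity providers export different schemas.
"""
from dataclasses import dataclass

# Constructed sample of authentication audit records. Each record notes
# which factors the user presented and whether access was granted.
SAMPLE_LOG = """\
2024-03-01T08:02:11Z user=alice resource=cui-fileshare factors=password,totp result=ALLOW
2024-03-01T08:05:40Z user=bob resource=cui-fileshare factors=password result=DENY
2024-03-01T09:10:02Z user=carol resource=cui-fileshare factors=password,fido2 result=ALLOW
2024-03-01T09:12:55Z user=dave resource=public-wiki factors=password result=ALLOW
2024-03-01T10:30:17Z user=erin resource=cui-fileshare factors=password result=ALLOW
"""

# Systems the organization has scoped as holding CUI (constructed names).
CUI_RESOURCES = {"cui-fileshare"}


@dataclass
class AuthEvent:
    timestamp: str
    user: str
    resource: str
    factors: tuple
    result: str


def parse_log(text):
    """Parse space-separated key=value audit lines into AuthEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        timestamp, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append(AuthEvent(timestamp, kv["user"], kv["resource"],
                                tuple(kv["factors"].split(",")), kv["result"]))
    return events


def mfa_findings(events, cui_resources=CUI_RESOURCES):
    """Summarize MFA evidence for CUI systems.

    cui_allowed_with_mfa      - successful CUI access with two or more factors
                                (evidence the control is in use)
    cui_denied_single_factor  - single-factor attempts that were blocked
                                (evidence the control is effective)
    violations                - single-factor attempts that were ALLOWED;
                                each one is a gap an assessor would flag
    """
    findings = {"cui_allowed_with_mfa": 0,
                "cui_denied_single_factor": 0,
                "violations": []}
    for ev in events:
        if ev.resource not in cui_resources:
            continue  # out-of-scope system; not CUI evidence
        multi_factor = len(set(ev.factors)) >= 2
        if ev.result == "ALLOW" and multi_factor:
            findings["cui_allowed_with_mfa"] += 1
        elif ev.result == "DENY" and not multi_factor:
            findings["cui_denied_single_factor"] += 1
        elif ev.result == "ALLOW" and not multi_factor:
            findings["violations"].append(ev)
    return findings


if __name__ == "__main__":
    report = mfa_findings(parse_log(SAMPLE_LOG))
    print("CUI logins with MFA:", report["cui_allowed_with_mfa"])
    print("Single-factor attempts blocked:", report["cui_denied_single_factor"])
    for ev in report["violations"]:
        print("VIOLATION:", ev.timestamp, ev.user, "reached", ev.resource,
              "with only", ",".join(ev.factors))
```

Run against a real export, the counts are the kind of evidence that backs a "we comply" statement, and the `violations` list is what the contractor would want to find and fix before the assessor does. In the constructed sample, the record for `erin` is exactly that case: a password-only login that reached a CUI system.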
Or a contractor may have to prove the effectiveness of an intrusion-detection system that relies on sensors. Who manufactures those sensors? Who monitors the sensor logs? If a security service provider does the monitoring, companies should be prepared to securely share the type of reports they receive from it. To prove the system works, a contractor can show that there have been no security incidents over a set time period, such as a year.
To get assessment-ready, Élan recommends creating a checklist with each requirement and the name of the staff member responsible for it. An information technology employee may be responsible for multifactor-authentication applications. A facilities manager may be responsible for ensuring building security. There may be more than one person responsible for protecting removable media.
“This checklist allows you to enrich your proof by making sure you have an individual identified in your organization who really is a subject matter expert on that compliance activity,” Élan said.
“The effort to get audit-ready,” she said, “increases the likelihood of audit success.”
Meanwhile, manufacturers are expected to learn in March if a CMMC interim rule has been granted, allowing its inclusion in contracts 60 days later. If that interim rule is not approved, CMMC would not be in contracts until May 2024.
Despite the possible long runway, Defense officials say that waiting to start on cybersecurity readiness and CMMC compliance is a bad idea.
“I don’t think it’s prudent to wait,” David McKeown, deputy Department of Defense chief information officer for cybersecurity, said during a June webinar hosted by cybersecurity company PreVeil. The NIST 800-171 requirements that align with CMMC 2.0 Level 2 “have been around for a long time. … Full adoption should have begun long ago, and I don’t think [contractors] should wait any longer to get rolling on this.”
Stacy Bostjanick, who heads CMMC implementation for the Department of Defense, echoed McKeown’s comments on the “Countdown to CMMC Compliance” webinar.
“We need to get on top of this right now,” Bostjanick said, adding that cybersecurity measures don’t just protect Defense Department data. They protect individual companies as well.
Cybercriminals are attacking U.S. companies “on a daily, hourly, moment-by-moment basis,” she said. “Companies need to be secure.”
MxD’s Cyber Marketplace offers assessments that provide organizations with vetted, market-ready cybersecurity solutions. Visit the marketplace for more information.
What’s New in CMMC Series:
Article #1: CMMC 2.0 Cybersecurity Framework: What to Expect
Article #2: CMMC 2.0: Why Manufacturers Should Get Started Now
Article #3: CMMC 2.0: Start With Scoping
Article #4: CMMC 2.0: The High Cost of Skipping Cyber Certification
Article #5: CMMC 2.0: Questions to Ask When Identifying Assets