The Department of Defense has finalized and released version 1.0 of the Cybersecurity Maturity Model Certification (CMMC) framework, making official the requirement for all Defense Industrial Base (DIB) contractors to achieve certain levels of certification to continue bidding on defense contracts.
Here are some initial thoughts from our analysts.
Institutionalization of Security Processes
CMMC v1.0 is aimed at making security of the DIB more than just a paper exercise; it is meant to provide a method to best assess how well an organization integrates security with its business operations.
Compared to previously released draft versions, v1.0 seems to put more emphasis on institutionalization of security processes and the impact of embedding security into a company’s daily operations. It specifies that CMMC is meant to be a method of measuring this “deeper integration” of the security mindset into organizational activities.
To achieve levels 4 and 5 for instance, an organization will need to show that – to a certain extent – it is considering exposure, defense and attack surface from the offensive perspective, which requires a more flexible and adaptable architecture.
Helping Decision Makers Understand CMMC
CMMC v1.0 defines each level of the maturity model in both general terminology (from “Basic Cyber Hygiene” at Level 1 up to “Advanced/Progressive” at Level 5) and in terms of what type of data will be scrutinized at each level.
At Level 1, the emphasis is on Federal Contract Information (FCI). Level 3 focuses on the protection of controlled unclassified information (CUI). (Incidentally, Level 3 now requires techniques such as sandboxing or detonation and impersonation detection, expanding on CMMC’s intention to prevent the theft of sensitive data.)
As you move up the model into Levels 4 and 5, the onus is on the contractor not only to protect sensitive information but also to protect its enterprise from advanced persistent threats (APTs).
More Focus on Threat and Threat-Based Intelligence
Protection of CUI from APTs is highlighted to a greater extent in v1.0 than in previous draft versions. Levels 4 and 5 address the ability to respond to changing tactics, techniques, and procedures (TTP) used by advanced persistent threats (APT), and the situational awareness requirement continues to focus on threat-informed defense.
This goes hand-in-hand with the requirement for a 24×7 security operations center (SOC), which is now a requirement at Level 4 instead of Level 5. (Note: The SOC was a requirement for Level 4 in draft v0.7, but only during normal business hours.) For smaller companies, maintaining an in-house SOC isn’t practical, so finding a provider that can offer nation-state-level threat intelligence and 24×7 SOC services is essential for companies that want to bid on higher-level government contracts.
What Could Make It Better?
CMMC is a living model, so we can expect to see it change and improve over time. Here are some thoughts on what we would like to see included in future iterations of CMMC.
Throughout much of the CMMC development process, the expectation has been that the majority of contracts will require Level 3 certification. It satisfies the requirements in NIST SP 800-171 for protecting controlled unclassified information (CUI) and is easier and less expensive for companies to achieve than Levels 4 and 5.
Levels 4 and 5 do address the ability to respond to changing tactics, techniques, and procedures (TTP) used by advanced persistent threats (APT), but the primary focus is still on protecting data, not necessarily maturing an organization’s cyber resiliency. While that may not be a focus of the government, it remains an important focus for businesses. Developing the ability to anticipate potential attacks through threat intelligence, fight through an APT attack, and maintain operational continuity sets companies ahead of their competitors and opens up opportunities unavailable to others.
Additionally, we think some of the Level 5 requirements for incident response (IR) and System Information and Integrity (SI) should be required at a lower level of certification. Requirements such as “inserting automated response for pattern matching” and “monitoring individuals and system components on an ongoing basis for anomalous or suspicious behavior” are already available in a majority of Security Orchestration, Automation and Response (SOAR); User and Event Behavior Analytics (UEBA); and endpoint solutions. Placing these requirements at Level 5 implies that UEBA and SOAR capabilities are not required until Level 5. A better approach would be to start phasing in UEBA and SOAR capabilities at Level 3 and require full enablement at Level 5.
A Final Word
CMMC will help guide companies to a better security posture against attacks and move away from a mere “compliance” mentality. Despite CMMC requiring initial cost and effort, it should result in improved business operation and profit over the long run. The fact that it’s an allowable cost helps incentivize the DIB to pursue this institutionalization of security processes and practices – particularly at higher levels of maturity – and encourages them to find solutions to mature their entire enterprise, thus advancing their own business opportunities.
Trying to better understand your options for meeting CMMC requirements? Visit www.dibdefender.com to learn more or call us at 833-682-8270.