Cybersecurity Maturity Validation for Department of Defense Contractors
By Mark Russo, Chief Architect – Innovation & Strategic Development
Oct 6, 2023 | Originally Published on att.com – January 2022
The Cybersecurity Maturity Model Certification (CMMC) framework is getting more attention with each passing month. Initiated by the Department of Defense (DoD) in 2019 as a means to enhance the security posture of the Defense Industrial Base (DIB; conceivably 50,000+ companies in the supply chain to the Pentagon), the framework continues to evolve, and the DoD has just announced further refinements to it.
On November 4th, 2021, these additional refinements, intended to streamline and simplify the original CMMC framework, were dubbed ‘CMMC 2.0.’
So, what’s at the heart of this DoD-centric certification?
It’s all about the protection of Controlled Unclassified Information (CUI). The loss of such information from the DIB sector, especially when considered in aggregate, increases the risk to national security. And with so many companies operating in partnership with the DoD, CMMC 2.0 is a framework intended for risk reduction over a very large attack surface – striving to enhance the protection of CUI within DIB company unclassified enterprises.
How exactly, then, will this new cybersecurity maturity qualification work?
The DoD is migrating to CMMC to assess and validate, on a recurring basis, the cybersecurity posture (focused on practices and processes) of ALL companies involved in the DIB sector. With the DoD’s recent update, there is now a defined tiering of three cybersecurity ‘maturity levels.’ Maturity Level 1 is considered ‘Foundational’ cybersecurity hygiene and is intended to be achievable for small companies. At this level, the security control requirements are intended to assure some basic cybersecurity practices, including limited resistance against exfiltration and malicious actions.
At the other end of the spectrum, Maturity Level 3, we now have ‘Expert’ cybersecurity practices, likely including the use of a Security Operations Center (SOC) with background-checked personnel, within an infrastructure supporting highly rigorous, documented, audited, and continuously improved operational processes.
And right in the middle of these two extremes? We have CMMC 2.0 Maturity Level 2, which focuses on the implementation and operationalization of ‘Advanced’ cybersecurity hygiene via the realization of all cybersecurity controls within the document titled “NIST SP 800-171” (the National Institute of Standards and Technology’s Special Publication 800-171, which governs the handling of controlled unclassified information in non-Federal information systems and organizations).
The bottom line for bidding on DoD-initiated RFPs?
At present, with the [days old] announcement of CMMC 2.0, the DoD has stated that it will not approve inclusion of a CMMC requirement in any DoD solicitation. So, while DIB companies are in a current ‘reprieve’ interval, this expectation must remain front-of-mind for the entire sector. Just before this reprieve began, for example, I was involved with requirements aligned with CMMC 2.0 Maturity Level 2 via a Navy-centric request. And even here, there was an implicit expectation for an ‘envisioned path’ to Maturity Level 3. (This may be an important ‘precedent example’ to keep in mind.) And how will a DIB company prove that it meets these cybersecurity requirements? CMMC 2.0 varies this by maturity level. At Maturity Level 1, an annual self-assessment will be required. At the two higher maturity levels, more rigorous triennial assessments come into play: an independent third-party assessor will be required for select DIB companies at Maturity Level 2, and government-led assessments will be required at Maturity Level 3.
How will CMMC play into the Managed Services offered by AT&T… right this minute?
Today, we’re happy to offer AT&T SD-WAN with Cisco – FISMA to our Federal Civilian customers. This managed SD-WAN offering realizes AT&T’s first SASE (Secure Access Service Edge) ‘pillar’ for Federal. (Federal agencies must comply with Federal cybersecurity law, hence FISMA.) But how does all of this relate to CMMC? Very closely. CMMC 2.0 Maturity Level 2 [‘Advanced’ cybersecurity hygiene] has significant overlap in requirements with FISMA Moderate, the cybersecurity-hardened designation of our existing managed SD-WAN offering for Federal. So, we’ll all be watching this very closely as the months ahead unfold, and if anyone reading has any specific insights or thoughts to share, we’d absolutely love to hear them!