Later this month, the U.S. Department of Defense (DoD) will release version 1.0 of the Cybersecurity Maturity Model Certification (CMMC). The CMMC will be a mandatory third-party certification for DoD contractors and subcontractors, intended to help protect the government’s sensitive, unclassified data against cyber threats. How did the CMMC come together and what will it entail? Read on to learn about other cyber threat mitigation standards, how they inspired the CMMC, and what to expect when the CMMC goes live.
Inspiration for the CMMC: Cyber Mitigation in the UK
One of the primary inspirations for the CMMC, and an early example of a successful mitigation framework, is the United Kingdom’s Cyber Essentials. Since 2014, the Cyber Essentials certification has been a requirement for any current or bidding contractor or subcontractor working on any part of the UK central Government.
Currently, the Cyber Essentials certification requirements fall under five technical control themes: firewalls, secure configuration, user access control, malware protection, and patch management. Organizations need to meet, and prove they have met, the minimum requirements for each of these controls before being approved for certification. There are two levels of certification: Cyber Essentials, in which an Accreditation Body independently verifies the organization’s own thorough self-assessment, and Cyber Essentials Plus, in which the Accreditation Body performs the assessment itself to confirm the requirements are in place.
While the government has not conducted official research on it, it considers the certification process to have been greatly beneficial, with none of the 30,000 certified systems experiencing a major breach. Recently, the National Cyber Security Centre launched an initiative to revise the Essentials to reflect the evolution of cybersecurity, add tangible benefit measurements, and help even more organizations become certified.
While other cybersecurity mitigation strategies exist elsewhere, such as Australia’s Essential Eight, they are not necessarily mandated. This makes the CMMC even more interesting, since it may indicate a trend toward mandatory cybersecurity requirements for different organizations, particularly those handling sensitive government data.
The Basics of the CMMC
While the CMMC will be unveiled in January, it is not expected to be enforced until June, giving organizations ample time to prepare and take measures to update their security programs. It will also give time to certify the third-party accreditation bodies, which will face an onslaught of organizations needing evaluation. So what are the components of this framework that these bodies will be evaluating?
Similar to the Cyber Essentials model, the CMMC will also have progressive levels of certification. Instead of two, the CMMC has five, with level one requiring only basic cyber hygiene. These levels are cumulative, so an organization at level five must demonstrate good cyber hygiene, meet NIST requirements, have a substantial and proactive cybersecurity program in place, and show optimization capabilities to ward off advanced persistent threats. It must meet these requirements across all domains, which are discussed below.
These levels also incorporate the key concept of maturity. While level one has no maturity requirements, beginning at level two there is an expectation that the organization creates and adheres to a cybersecurity policy. As the levels progress, the maturity requirements grow to include establishing procedures, goals, project plans, and stakeholder agreement. The highest levels require revisiting, evaluating, and refining this policy, as well as having sufficient resources, including staff, funding, and tools, to implement it.
The CMMC is much more specific than both the Cyber Essentials and the Essential Eight. It has 17 domains, mostly taken from the Federal Information Processing Standards (FIPS) and NIST. These domains cover the full range of cybersecurity needs—they aren’t just aimed at malware prevention, but also deal with limiting the damage of a breach, as well as data backup and recovery.
The domains, as of the latest draft, are:
- Access Control
- Asset Management
- Audit and Accountability
- Awareness and Training
- Configuration Management
- Identification and Authentication
- Incident Response
- Media Protection
- Personnel Security
- Physical Protection
- Risk Management
- Security Assessment
- Situational Awareness
- System Communications and Protections
- System and Information Integrity
The domains also break down into capabilities, further refining what is expected of organizations seeking certification. For example, Access Control breaks down into four capabilities: establishing system access requirements, controlling internal system access, controlling remote system access, and limiting data access to authorized users and processes.
Building a Universal Framework
While the CMMC will apply only to organizations that work with the DoD, it serves as a crucial step toward a universal framework of cybersecurity standards. For now, even organizations that are not required to follow the CMMC should view it as an essential list of best practices that they, too, should prioritize.