Why CMMC: Protecting the DIB and DoD supply chain

Defence procurement

The United States Department of Defense (US DoD) invests significant amounts of money ($1.8Tn) in new weapons systems such as aircraft, ships, ground fighting vehicles and satellites, and in new IT systems and capabilities delivered through prototypes or new procurement pathways.  This is in addition to the annual procurement of offensive and defensive systems for front line fighting forces such as the Air Force, Army and Navy.  These activities create, modify and manufacture existing and new technologies and Intellectual Property (IP) on many diverse digital platforms, which reside in over 300,000 suppliers across the DoD's Defence Industrial Base (DIB), and those platforms are exposed to cyber threats.

Recent cyber events have reinforced the view that if this IP gets into the wrong hands it could damage the effectiveness of the offensive and defensive capabilities of the US.  The Council of Economic Advisers, in their 2018 report published by the Office of the President of the USA, estimated that the cost of malicious cyber activity to the US economy in 2016 was between $56Bn and $109Bn.  Alongside this, the intangible costs of cyber-attacks on the DIB will be felt through the loss, damage or destruction of IP: eroding US competitive advantage, imposing an economic cost on DIB contractors, disrupting the flow of products and services through the DoD supply chain, and potentially affecting front line fighting forces if an adversary uses US IP for offensive or defensive purposes.

This is recognised by the US DoD and by the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)), the department responsible for the design, development and delivery of US DoD acquisition strategy and capabilities, which acknowledges that cybersecurity is a foundation of the acquisition process.

Defence Federal Acquisition Regulation Supplement (DFARS)

DFARS is a comprehensive suite of requirements setting out the expectations for the procurement and supply of products and services to the US military.  Within these requirements is DFARS 48 CFR § 252.204-7012 (Safeguarding covered defense information and cyber incident reporting), which mandates the implementation of NIST SP 800-171 (currently revision 2), a comprehensive set of cybersecurity practices for the protection of Controlled Unclassified Information (CUI).  All CUI categories are described in the US National Archives Controlled Unclassified Information (CUI) Registry.

Cybersecurity Maturity Model Certification (CMMC) – Why

Under the DFARS 252.204-7012 regulations, DIB contractors and their subcontractors were expected to comply with the NIST SP 800-171 practices from 31 December 2017.  However, DFARS 252.204-7012 did not fully address the requirement to verify that suppliers to the DoD had actually implemented the appropriate cybersecurity practices.  To address this, the DoD raised a formal DFARS case in 2019, D041 'Strategic Assessment and Cybersecurity Certification Requirements', initiating the process of implementing a methodology for assessing DoD contractors' compliance with NIST SP 800-171 and the protection of Controlled Unclassified Information (CUI).

CMMC – Scope and applicability (Enacted in legislation)

The CMMC interim final rule, which came into force on 30 November 2020 (the "ruling"), addresses the oversight and assurance gaps within DFARS 252.204-7012 for CUI data and extends the scope of oversight to encompass both CUI and Federal Contract Information (FCI), as specified in Federal Acquisition Regulation (FAR) Clause 48 CFR § 52.204-21.  FCI includes information provided by or generated for the Government under contract that is not intended for public release.

The CMMC programme will require an accredited independent cybersecurity assessment of DIB contractors and subcontractors before they are awarded a DoD contract, supported by the certification of Third Party Assessor Organisations (C3PAOs) and the accreditation of CMMC assessors.  It will be applicable to all 300,000+ global contractors and subcontractors, in line with the existing DFARS 252.204-7012 (m) 'flow down' requirements (primes and subcontractors).  Contractors will have to confirm that they meet the cybersecurity maturity level defined by the DoD within the Request For Proposal (RFP), submitting a certification of compliance to the DoD.  The DoD will only accept CMMC certificates issued by accredited C3PAO organisations.

The CMMC certification level required will be defined by the DoD from 5 levels of maturity (levels 1, 2, 3, 4 and 5), with levels 1 and 2 applied to organisations processing FCI and levels 3, 4 and 5 to those processing CUI.  These levels define the cybersecurity that a DIB contractor or subcontractor is required to achieve.  For example, at level 5 (the most advanced) a DIB contractor can be expected to be managing 42 cyber capabilities across 17 security domains and to have embedded 171 security practices enterprise wide to protect CUI.

CMMC requirements have been added to legislation through the ruling, requiring all DoD contractors and subcontractors impacted by DFARS 252.204-7012 to assess their compliance with NIST SP 800-171 and submit their results to the DoD before a new contract will be awarded.  Starting in 2021 the DoD will add CMMC levels to new contracts, so that by the end of 2025 all DoD contracts will be CMMC compliant.  Contractors and subcontractors will therefore have to hold and maintain an appropriate CMMC certificate, issued by an accredited CMMC assessor and registered with the DoD, before a contract is awarded.  All DoD contractors will have to be at a minimum of CMMC level 1.

Author affiliations: Chartered Security Professional (CSyP); The Institution of Mechanical Engineers (IMechE), the UK's largest professional body representing Mechanical Engineers and Chartered Engineers; Security Institute (MSyI); Worshipful Company of Security Professionals; Academy of Experts.