New unified Defense Department guidelines require third-party verification of scores of cybersecurity protocols for federal contractors and subcontractors.

New federal guidelines for Defense Department contractors set to go in effect in 2020 require small businesses doing work with the government to certify that data security standards are being met.

According to Gregory Thornton with SSE Inc. in St. Louis MO, “For many contractors, the new mandate will require third-party confirmation of compliance with overlapping existing guidelines. The Cybersecurity Maturity Model Certification (CMMC) program comes on the heels of several devastating data breaches and is expected to be a requirement in Requests for Proposals beginning in June 2020.”

Why is CMMC Necessary?

The series of data breaches in 2019 led Pentagon officials to reevaluate its reliance on existing security protocols, particularly the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171. Skepticism grew as to whether the NIST SP 800-171 rules were enough to protect against a growing number and more complex series of cyberattacks, especially from nation-states.

How Will CMMC Be Authorized?

One issue with existing cybersecurity guidelines is that there are multiple systems in place, some of which require only self-certification. That puts more compliant contractors at a disadvantage. The new guidelines require third-party verification.

How Is CMMC Structured?

As of December 2019, the 173 practices and 43 capabilities are housed in a five-tiered system, representing different levels of cybersecurity:

• Level 1: Basic Cyber Hygiene. This foundational level maps to 48 CFR 52.204-21, the basic federal regulations safeguarding covered contractor information systems.
• Level 2: Intermediate Cyber Hygiene. Organizations with this level of certification are expected to have standard operating procedures, policies and strategic plans in place that guide their cybersecurity program.
• Level 3: Good Cyber Hygiene. This level maps to NIST SP 800-171 and should be used by contractors wanting to access Controlled Unclassified Information (CUI), which is information created or possessed by a federal agency or on behalf of an agency. It reflects an organization's ability "to protect and sustain an organization's assets and CUI." However, Level 3 contractors may face challenges defending against advanced persistent threats.
• Level 4: Proactive Cyber Hygiene. Contractors at this level have a "substantial and progressive" cybersecurity program. These organizations can adapt their activities to protect data and sustain operations against advanced persistent threats that frequently change tactics, procedures and attack techniques.
• Level 5: Advanced and Progressive Cyber Hygiene. At the most advanced level, organizations at Level 5 can optimize their security measures and have process implementation that is standardized throughout the organization.

What Areas Does the CMMC Require to Be Addressed?

The Pentagon guidelines refer to 17 "domains" where it is requiring certification. Many are taken from existing standards. They are:

• Access Control
• Asset Management
• Audit and Accountability
• Awareness and Training
• Configuration Management
• Identification and Authentication
• Incident Response
• Maintenance
• Media Protection
• Personnel Security
• Physical Protection
• Recovery
• Risk Management
• Security Assessment
• Situational Awareness
• System and Communications Protections
• System and Information Integrity

Each domain has capabilities that need to be met. For example, the System and Information Integrity domain requires contractors to meet the following:

• Identify and manage information system flaws
• Identify malicious content
• Perform network and system monitoring
• Implement advanced email protections

How Can I Maintain CMMC Compliance?

The Pentagon is creating an accreditation body that will administer the program, after which that body will begin accrediting third-parties to assess contractors.

In the meantime, companies can get a head start and ensure that their cybersecurity protocols will meet the expected final requirements. Working with a managed services provider helps you continue to bid for and work on federal contracts. Managed services providers can assess your existing cybersecurity and recommend changes to keep your company eligible for DoD work.