Recently, the Department of Defense Chief Information Security Officer, Katherine Arrington, gave a virtual presentation and interview sponsored by Bloomberg Government on the Department of Defense's Cybersecurity Maturity Model Certification (CMMC). The core of the CMMC is to establish five levels of compliance for defense contractors to assure the government that they are safeguarding government information as part of their contract support. Like most certifications, the CMMC will run on a three-year cycle. The certification level a company must maintain is determined by the contracting officer on an opportunity-by-opportunity basis. Ms. Arrington did lay out her expectation that the CMMC burden will be no more than $3000 per cycle to develop the company policies, establish the required governance, run the program, and obtain third-party certification at Level 1. The third-party certifiers are going to be registered in a marketplace run by a non-profit organization. Ms. Arrington stated that third-party certifiers cannot provide advisory or remediation services, even though there will be a huge demand for consulting services in preparation for certification. It remains to be seen whether a firm can advertise both consulting services and certification services on the marketplace. From a clear conflict-of-interest perspective, if a firm is engaged for consulting services, it could not be the certifier for the same company. The costs for certification and consulting will differ, and, most likely due to the longer engagement period, the consulting services will be more lucrative.

CMMC Process Maturity

The CMMC is structured like other maturity models, with levels of maturity, capabilities, and practices. The five levels of process maturity are shown in the table below. The table is taken from the CMMC V.1.0.2 Excel file, dated March 18, 2020.

[Table: the five CMMC process maturity levels, from the CMMC V.1.0.2 Excel file dated March 18, 2020]

The DOD is going to require every company that works on DOD contracts, regardless of its role as Prime or Subcontractor, to be at Maturity Level 1. Level 1 is a very low bar, since most maturity models describe Level 1 as ad hoc and reactionary.

Level 1 Certification Requirements

There are 17 practices required for Level 1. This is the initial level that all DOD contractors must certify to in order to be eligible for a DOD contract. The vast majority of Primes and Subcontractors will be required to meet this level and will not have to get certified at any higher level. In fact, if you look at these practices, you'll see that, with the exception of the five technical practices, the others are about who should have access to information within the company and the mechanisms that govern that access. With the exception of single entrepreneurs, most companies already limit access to critical financial, personnel, budgetary, and intellectual property information. The key will be to pull together the policies, procedures, practices, and suitable evidence so that the third-party certifiers can determine that the company is meeting the Level 1 requirements. The governance surrounding those existing elements needs to be mapped to controls that the certifiers can verify.

[Table: the 17 CMMC Level 1 practices]

In broad terms, there are three major areas that everyone must address: first, identification and control of information; second, making sure only the right people have access and permissions to the information; and third, technical controls to create and control the boundary between where the information resides and the Internet.

Future posts will look at each of the three areas and provide some insights on getting to Level 1 certification.