Cybersecurity Maturity Model Certification (CMMC) presentation and update
https://www.dhirubhai.net/company/cmmc-ab/


I attended the on-demand session of the SNG Live CMMC update. The Cybersecurity Maturity Model Certification (CMMC) is a unified standard for implementing cybersecurity across the defense supply chain. All contractors and subcontractors that handle US federal contract information (FCI) or controlled unclassified information (CUI) will be subject to the standard, which covers in the region of 300,000 companies.

Katie Arrington, CISO for Acquisition at the DoD, provided a high-level program update on CMMC in a fireside chat with Philip Carruthers, Public Sector & Federal Sales Lead at IBM.

Katie explained that they created 5 pathfinder programs and mocked up contracts implementing the changes and process, then went on to carry out mock assessments of the organisations. They tested dispute resolution with the third-party assessor, walking through the mediation process with the CMMC AB.

She describes taking a crawl, walk, run approach, which will take 5 years to fully implement the program. Her phrase is "trust and verify": CMMC has the verify role, cybersecurity will form part of every contract, and it is a foundational element of any acquisition. On Sept 29, 2020, the Department of Defense (DoD) issued an interim rule, Assessing Contractor Implementation of Cybersecurity Requirements (DFARS Case 2019-D041), that implements its CMMC program.

From Nov 30th, 2020, vendors have to carry out a self-assessment against NIST SP 800-171 and have the resulting score on record (in the DoD's Supplier Performance Risk System, SPRS) prior to award, recording their level of maturity against the framework. The CMMC process builds on NIST Special Publication 800-171, which sets out the security requirements for protecting CUI in non-federal systems and organisations.

She explained that exemptions from the process include "micro transactions", i.e. credit card transactions. If you are selling commercial off-the-shelf (COTS) products, e.g. a Microsoft Office licence, to the Government, you will only need to get CMMC level 1.

The physical audit will help prevent fraudulent companies selling to the Government. The CMMC AB oversees the third-party assessors; so far its cycles of training have produced 50 accredited assessors. The first 11 Licensed Partner Publishers (LPPs) have been approved to support the certification process with training curricula.

The CMMC AB website says the qualifiers to become an accredited LPP are: at least 200 hours of published coursework/curriculum in technology, cybersecurity, auditing or similar content; at least 2 years of publishing history of content in technology, cybersecurity, auditing or similar; and at least 3 suitable client references. In order to become certified, LPPs must sign the Code of Professional Conduct, sign the LPP License Agreement, pay the application/acceptance fee, be subject to an organisational background check through Dun & Bradstreet, and have a DUNS number. Katie said they wanted to make this scalable "coast to coast".

The session went on to feature a panel on building an army of CMMC assessors with Jeff Dalton, Director of the CMMC Accreditation Body, and Kevin Orr, VP of Federal Sales at CyberArk.

Jeff explained that they were about to train their third cohort of provisional assessors, with 4 days of training culminating in an examination. Feedback from the first two training sessions has helped develop the training. He explained that assessing maturity in a 10-person company is very different from assessing it in one with 10,000.

Jeff spoke about the difference between an audit and an assessment. He sees an audit as very much a yes or no answer as to whether an organisation has met a specific criterion. In an assessment you can have an "it depends" answer: it is reliant on the context of that organisation, which can be altered by the size of the company, the type of business, the culture, the type of leadership or a variety of other factors. They rely on the experience of the assessor to take that contextualised answer and judge whether the organisation meets the requirements. The assessment guides, which will set out the expectations, are still being written. The what is easy to define; the how, not so much.

The new interim rule estimates that the total number of unique DoD contractors and subcontractors impacted is 220,966, and larger organisations may need multiple assessments. Jeff said that there needs to be a pipeline of assessors to meet the need; they estimate this will require around 2,000 assessors, and since there will be turnover of staff over time, the need is ongoing.

An interesting update on where they have got to.

More articles by Kevin Williams