In a guest column written for the Rochester Business Journal, Chief of Innovation Michael Montagliano lays out the security risks facing the DoD supply chain and how CMMC, while an obligation, is also an opportunity to improve and mature cybersecurity posture.
CMMC: An Obligation and Opportunity
This article appeared in the February 12, 2021 issue of the Rochester Business Journal.
Sometimes, regulatory compliance and an organization's obligation to the law aren't enough to drive change. A prime example is the Healthcare Insurance Portability and Accountability Act (HIPAA), which came out in the early 2000s. There weren't any HIPAA police to enforce the law, so it had no teeth.
Such was the case with the Defense Federal Acquisition Requirement Supplement (DFARS). It had a Department of Defense (DoD) deadline of Dec. 31, 2017, for all covered defense information contractors/subcontractors to implement NIST 800-171 security controls to protect Controlled Unclassified Information (CUI). Companies could self-attest to compliance with DFARS, with only a few of the 300,000+ companies in the DoD supply chain being formally audited.
Roll ahead to 2019 and the DoD realized that self-certification wasn't working and many suppliers remained out of compliance. Combined with growing threats from nation-states like China, Russia, North Korea and Iran, these conditions prompted the creation of Cybersecurity Maturity Model Certification (CMMC) and an audit process to ensure compliance.
The What: CMMC Explained
CMMC was signed into law on Sept. 29, 2020. Shortly after, the CMMC-AB (accreditation body), an organization independent from the DoD, was formed to certify contractors through third-party assessment organizations. Assessments would allow for an impartial review before contracts were awarded and would be completed on an ongoing basis.
The model is based on practices and processes across five maturity levels, depending on the criticality of the information held by DoD suppliers. The lowest levels (1 and 2) are for smaller businesses and intended to be cost-effective and affordable. Achievement of higher levels of CMMC enhances an organization's ability to protect CUI and requires additional controls. For instance, Level 1 starts with 17 controls, Level 3 has 130 and Level 5 has 171. Each level inherits the controls from the previous level and adds additional requirements.
Assessments will begin later this year and continue through 2025, when it’s expected that all prime contractors and subcontractors will have been evaluated and assigned a maturity level. All DoD contracts will be examined during that same timeframe and given a corresponding maturity level required to hold or bid on the contract.
If your current contract is marked for Level 3 maturity and your organization has not attained Level 3 accreditation, your contract renewal is at risk. We’ve already heard from companies being pressed by upstream partners for evidence of compliance in advance of the CMMC assessment rollout.
The Why: The Targets of Hackers
The United States DoD supply chain is one of the largest globally, with hundreds of thousands of partners and suppliers. Critical information is spread across this enormous defense infrastructure and poses a vast cyber risk to our nation. Nation-states attempt to steal information to develop countermeasures, sometimes in advance of a new jet fighter's final release, for instance, or to reproduce our capabilities for their defense efforts.
In 2018, Chinese hackers stole U.S. Navy submarine plans on undersea warfare from a Rhode Island DoD contractor. Code named Operation Sea Dragon, the contractor was working on disruptive offensive capabilities against enemy ships.
In 2016, plans for the F-35 fighter, which would cost taxpayers $1.5 trillion over the development lifespan, were stolen from an Australian subcontractor who never changed the default Windows passwords for admin and guest accounts.
An internal U.S. Navy review in 2019 found that the service and its industry partners are "under siege" from Chinese hackers building Beijing's military capabilities while eroding U.S. advantage.
The Opportunity: Improve Security Posture
While checking the box on compliance is often thought of as a burden, it can also be an opportunity to improve and update a company's ability to protect critical assets.
Over the past few years, and primarily since the beginning of the pandemic, cybercriminals have increasingly targeted manufacturing. In warnings issued in October and November of 2020, the FBI sent notices that hackers were attempting to compromise manufacturing, automotive, logistics, hospitality, health care and financial services using very sophisticated techniques.
The FBI warning detailed methods used in attacks, which often start with brute-force and phishing attacks and lead to ransomware deployments. A ransomware attack occurs every 11 seconds, up from 21 seconds last year, so the volume has increased significantly. The bounties have also increased, often starting a $1 million, with the largest I've heard requested being $40 million.
Cybercrime is a $6 trillion economy, while security investments across all vendors are $1 trillion, making cybercrime the third-largest economy in the world after the United States and China, and larger the Japan, Germany and the U.K.
So rather than approach CMMC solely as protection for the DoD supply chain and CUI, the framework can be a chance to improve the overall security posture for any manufacturer.
Preparing for Audit
Most contractors have time before CMMC assessors start knocking on their doors, but the time to start is now. Attaining accreditation does not happen in a few weeks or months.
First, CMMC will not accept evidence of controls implemented for the specific purpose of passing the assessment but will review logs to make sure controls have been in place for a sufficient period to allow for assimilation into the organization's culture.
Then there’s a five-step process every organization will need to go through to prepare for an audit.
Start by assessing your current controls against the CMMC requirements at the level you wish to attain. Then develop and execute a plan of action for remediation, which could take a year or two to complete based on the number of gaps discovered during the initial assessment and budget restrictions. Document your policies and procedures for satisfying your compliance objectives, and include a program for maintaining compliance since organizations will need to recertify annually.
No company wants to go through an audit without knowing it will pass. Guarantee compliance by developing and adhering to an implementation and maintenance plan for CMMC.