Protecting supply chains
The United States Department of Defense (US DoD) invests significant amounts of money ($1.8Tn) in new weapons systems such as aircraft, ships, ground fighting vehicles and satellites, and in new IT systems and capabilities to be delivered through prototypes or new procurement pathways. This is in addition to the annual procurement of offensive and defensive systems for front line fighting forces such as the Air Force, Army and Navy. These activities create, modify and manufacture existing and new technologies and Intellectual Property (IP) on many diverse digital platforms, which reside in over 300,000 suppliers across the DoD's Defence Industry Base (DIB). These platforms are exposed to cyber threats.
Recent cyber events have compounded the view that if this IP gets into the wrong hands it could damage the effectiveness of the offensive and defensive capabilities of the US. The Council of Economic Advisers estimated, in their 2018 report published by the Office of the President of the USA, that the cost of malicious cyber activity to the US economy in 2016 was between $56Bn and $109Bn. Alongside this, the intangible costs of cyber-attacks on the DIB will be felt through the loss, damage or destruction of IP. This impacts US competitive advantage, has an associated economic impact on DIB contractors, affects the flow of products and services through the DoD supply chain and could potentially impact front line fighting forces if US IP is used by an adversary for offensive or defensive purposes.
This is recognised by the US DoD and the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)), the department responsible for the design, development and delivery of US DoD acquisition strategy and capabilities, which acknowledges that cybersecurity is a foundation of the acquisition process.
Defence Federal Acquisition Requirements Supplement (DFARS)
DFARS is a comprehensive suite of requirements setting out the expectations for the procurement and supply of products and services to the US military. Within these requirements is DFARS 48 CFR § 252.204-7012 (Safeguarding covered defense information and cyber incident reporting), which mandates the implementation of NIST SP 800-171 (currently revision 2), a comprehensive set of cybersecurity practices for the protection of Controlled Unclassified Information (CUI). All CUI categories are described in the US National Archives Controlled Unclassified Information (CUI) Registry.
Cybersecurity Maturity Model Certification (CMMC) – Why
Under DFARS 252.204-7012 regulations, DIB contractors and their subcontractors were expected to be complying with the NIST SP 800-171 practices from 31.12.2017. However, DFARS 252.204-7012 did not fully address the requirement to ensure that suppliers to the DoD had actually implemented the appropriate cybersecurity practices. To address this, the DoD raised a formal DFARS case in 2019 – D041 ‘Strategic Assessment and Cybersecurity Certification Requirements’ – initiating the process to implement a methodology for assessing DoD contractors’ compliance with NIST SP 800-171 and the protection of Controlled Unclassified Information (CUI).
CMMC – Scope and applicability (Not yet enacted in legislation)
The current CMMC proposal addresses the oversight and assurance gaps within DFARS 252.204-7012 for CUI data and extends the scope of oversight to encompass both CUI and Federal Contract Information (FCI) as specified in Federal Acquisition Regulation (FAR) Clause 48 CFR § 52.204-21. FCI includes information provided by or generated for the Government under contracts and not intended for public release. This proposal is being developed by the CMMC Accreditation Body (CMMC AB) through a Memorandum of Understanding (MoU) signed between the Office of the Secretary of Defence and the CMMC AB in March 2020.
The CMMC programme will require an accredited independent cybersecurity assessment of DIB contractors before they can complete applicable DoD contracts, together with the certification of 3rd Party Assessor Organisations (C3PAO) and the accreditation of CMMC assessors. It will be applicable to all 300,000+ global contractors (primes and subcontractors) as per existing DFARS 252.204-7012 (m) requirements. The US DoD will only accept CMMC assessments from accredited C3PAO organisations; contractors will therefore have to confirm that they meet the cybersecurity maturity level defined by the DoD within the Request For Proposal (RFP).
The CMMC certification level will be defined by the DoD based upon 5 levels of maturity (levels 1, 2, 3, 4 and 5), with levels 1 and 2 applying to organisations processing FCI and levels 3, 4 and 5 to those processing CUI. These levels define the cybersecurity required to be achieved by a DIB contractor or subcontractor. For example, at level 5 (the most advanced) a DIB contractor can be expected to be managing 42 cyber capabilities across 17 security domains and to have embedded 171 security practices enterprise wide to protect CUI.
As yet the current CMMC requirements have not been passed into legislation. The current proposal is to update DFARS regulations in the autumn of 2020 to reflect CMMC requirements.