DFARS|CMMC Updates
8/16/2020 - CMMC Accreditation Body Announced
The board members are self-nominated, non-felon US citizens. The Board Chairman selects the Directors, who are then approved by the board. There will be no more than 1 Director from any single organization. Each director serves a staggered term of 1-3 years and may serve no more than two 3-year terms. A director may not work for a company planning to perform CMMC assessments, and each director must have a personal commitment to protecting the United States through improved cybersecurity.
The Board Chairman for the CMMC Accreditation Body has been announced: Ty Schieber. The Board members announced are Akin Akinbosoye, Carl Anderson, Mark Berman, Wayne Boline, Jeff Dalton, Nicole Dean, Regan Edens, James (“Jim”) Goepel, Chris Golden, Karlton D. Johnson, Dr. Richard H. 'Doc' Klodnicki, Dr. Tim Rudolph, Ben Tchoubineh and John Weiler.
The CMMC-AB is accountable for delivering:
- The assessments for 300,000+ companies in the DoD supply chain
- Training for assessors and C3PAOs (Certified 3rd Party Assessor Organizations)
- Infrastructure to support its mission
- Accreditation of organizations and assessors participating in the process
- Adjudication of any protests or issues that develop with individual contractors or audits
- Forward-thinking innovation to automate and improve the cybersecurity defensive posture of the supply chain
https://www.cmmcab.org/board-of-directors
----------------------------------------------------------------------------------------------------------------------
2/6/2020 - Updated DFARS|CMMC Blogs
DFARS | CMMC - What You Need to Know as a Contractor
----------------------------------------------------------------------------------------------------------------------
1/31/2020 - CMMC Version 1.0 Now Publicly Available
The Office of the Under Secretary of Defense for Acquisition & Sustainment released the Cybersecurity Maturity Model Certification (CMMC) version 1.0 to the public today. InfusionPoints has tracked each new draft version and now the final release.
CMMC Model v1.0 encompasses the following:
– 17 capability domains; 43 capabilities
– 5 processes across five levels to measure process maturity
– 171 practices across five levels to measure technical capabilities
Links to the PowerPoint briefing, CMMC v1.0, and the video news conference are below.
You can view the briefing here
You can view the CMMC Model here
You can also view the news conference briefing with Ellen M. Lord, undersecretary of defense for acquisition and sustainment; Kevin Fahey, assistant secretary of defense for acquisition; and Katie Arrington, special assistant to the assistant secretary of defense for acquisition for cyber, here
Stay tuned for further updates.
----------------------------------------------------------------------------------------------------------------------
12/20/19 - Cyber Maturity Model Certification Draft Version 0.7 Released
Updates regarding the new CMMC draft version 0.7 are out for the public to review. The full version of this release can be found here. As we are nearing final revision versions for CMMC, it is critical to understand and prepare for this new cybersecurity standard before it is released, regulated, and enforced in future DoD contracts.
Notable Changes in the Draft
42 New Controls
- 26 new controls have been added to Level 4
- 16 new controls have been added to Level 5
- 3 controls have been moved up from Level 2 to Level 3
- 17 controls are completely new and unique to CMMC
- 16 controls have been taken from NIST SP 800-171B, 9 of which have been modified
- 2 controls have been taken and modified from NIST SP 800-171
- 2 controls are from NIST CSF
- 1 control is from ISO 27001
Changes to Practices, Capabilities, and Processes
- Practices have been included for Levels 4 and 5
- Capabilities and practices have remained the same for Levels 1, 2, and 3, with some clarification provided
- Appendixes have been added to better illustrate what the Maturity Model looks like, including a broader clarification of the model. It is interesting to note that, with the clarification to the Maturity Levels, CMMC can be viewed as having two types of requirements: practices and processes.
CMMC Version 1.0 Expected Release in January 2020
The timetable for rolling out CMMC remains unchanged. The final version, 1.0, is due out before the end of January. Those in charge of CMMC have done a very good job of sticking to their time commitments and deadlines, so there is no reason to believe that June 1st will not see the first inclusion of CMMC Maturity Levels as part of all RFIs, with August/September bringing the requirement to respond to all RFPs and re-competes.
----------------------------------------------------------------------------------------------------------------------
Cyber Maturity Model Certification Draft Version 0.6 Released Friday, November 8th, 2019
As promised, the Office of the Under Secretary of Defense for Acquisition & Sustainment released draft version 0.6 of the CMMC in the first week of November.
PDF - CMMC Draft Version 0.6
Draft version 0.6 updates the technical practices for Levels 1-3; the updated technical practices for Levels 4-5 will follow in the next public release. One of the key points to note for version 0.6 is in Appendix B, which provides Level 1 clarification with examples that are meant to help, not to guide. The version 0.4 and version 0.6 models are contextually different: version 0.4 had basic requirements that were incomplete, whereas version 0.6 clarifies them, and some requirements were moved from Level 1 to Level 2.
Level 3 begins policy-driven requirements. These requirements are based on NIST SP 800-171. We will find out more in the next release.
Stay tuned for more updates.
----------------------------------------------------------------------------------------------------------------------
CMMC UPDATES 10/30/19
Katie Arrington, Chief Information Security Officer at the Office of the Under Secretary of Defense for Acquisition and Sustainment, just shared insights on the progress of CMMC. Here are some of the key points mentioned.
ALL COMPANIES IN THE SUPPLY CHAIN WILL NEED SOME LEVEL OF CMMC
The thought of not needing a cybersecurity model in your business is now a thing of the past. No matter the size of the company or its level of involvement, CMMC will mandate that your organization reach a level within the CMMC. At a minimum, you will be required to maintain basic cybersecurity hygiene.
FULL IMPLEMENTATION PREDICTED BY 2025
Although this seems to be a distant time frame, starting your CMMC journey needs to be a priority. Finding what level best describes the needs of your organization and creating avenues to reach this level is a priority. After all, this is not just a checklist item. These are steps that will secure and protect your role within the supply chain.
RE-CERTIFICATION PERIODS
Level 1 – 3 Years
Level 2 – 3 Years
Level 3 – 2 Years
Level 4 – Annually
Level 5 – Annually
Upcoming Revisions
Revision 0.6 of the CMMC will launch the first week of November 2019. Another version will drop in late November that will be 99% complete. This will most likely be the last update before the final release in January 2020.
---------------------------------------------------------------------------------------------------------------------
(Original Blog)
The Department of Defense (DoD) has issued a draft Version 0.4 of the Cybersecurity Maturity Model Certification (CMMC) for government contractors who handle sensitive data, open for comment until 5 pm on September 25th, 2019. CMMC Rev 0.4 is an effort to secure the supply chain from the largest contractors to the smallest, and it will be the new cybersecurity standard in 2020. Contractors now have a glimpse into the cybersecurity standards they will need to meet if they want to work on contracts that handle controlled unclassified information (CUI) next year.
CMMC Rev 0.4 has a five-level system that combines guidance currently in place from the National Institute of Standards and Technology (NIST) with new input from the private sector and academia, including Johns Hopkins Applied Physics Lab and Carnegie Mellon Software Engineering Institute. The new details shed light on the third-party certification system, which will be managed by a nonprofit company in the coming months.
Slide 9 of the recently released presentation from the Department of Defense (DoD), found HERE, explains the levels of certification and descriptions.
Each level describes the maturity expected of a contractor for contract placement. It is assumed that contracts will be made available to companies based on their maturity level, with a certain number of contracts released at each level. Levels 1 and 2 represent basic cybersecurity maturity; they are achievable by small businesses and offer limited resilience against exfiltration and malicious actions.
Levels 3-5 are to be more rigorous by requiring compliance with all NIST 800-171 controls.
The model itself is still being revised. It is anticipated to be reduced in size by down-selecting, prioritizing, and consolidating capabilities.
The Office of the Under Secretary of Defense for Acquisition & Sustainment is asking for your comments and suggestions by answering the following questions:
- What do you recommend moving within the model?
- Which elements provide the highest value to your organization?
- Which practices would you move or cross-reference between levels?
- What recommendations do you have to clarify the processes?
They are also asking you to fill out their Comment Matrix with further suggestions to add or delete from the model.
Once they have received comments from the public, which is open until September 25th, they plan to adjust the model with the intent to add additional controls. You can view their synopsis in the below chart.
CMMC Rev 0.4 will be adding 230 total practices into its certification model.
Main Takeaways from CMMC Rev 0.4
- All companies doing business with the DoD must utilize the CMMC and be certified.
- The DoD is migrating from relying solely on the NIST SP 800-171 standard to adding a security maturity model, referred to as CMMC, in 2020.
- All DoD contractors & subcontractors will receive a cybersecurity maturity certification score between 1 & 5, with 5 being the highest.
- The higher your score, the more contract opportunities become available.
- CMMC Version 1.0 is to be released in January 2020.
- By the fall of 2020, requests for information (RFIs) and requests for proposal (RFPs) will begin to include CMMC.
- Cybersecurity is now an “allowable cost.”
- Despite best intentions, companies are more likely to overrate than underrate their performance against the NIST SP 800-171 security controls when they self-assess and attest to the results.
- Assessment of cyber maturity or cyber posture cannot be a one-time event. Regular assessment and security monitoring are imperative.
- There is insufficient understanding of individual controls by the assessor, the implementer, or both.
- SP 800-171 is necessary, but not enough. Continuous processes must augment the practices reflected in the controls.
- External audits of processes and practices (self-attestation is out; external 3rd party certification is in).
- These produce more thorough, consistent, and accurate results.
- This in turn drives stronger security and improved safeguarding of CUI throughout the DoD contractor supply chain.
InfusionPoints wants to make sure our clients and potential clients are always kept up to date. We are excited about the new model to roll out. We will be following this new model very closely. Keep an eye out for our next blog and webinar for the next revision of the CMMC.
References:
- Office of the Under Secretary of Defense for Acquisition & Sustainment, Cybersecurity Maturity Model Certification: https://www.acq.osd.mil/cmmc/draft.html
- Draft Model: https://www.acq.osd.mil/cmmc/docs/cmmc-draft-model-30aug19.pdf
- CMMC Briefing: https://www.acq.osd.mil/cmmc/docs/cmmc-overview-brief-30aug19.pdf
News Articles:
- https://www.fedscoop.com/dod-contractors-cybersecurity-standards-draft/