The US Department of Defense (DoD) has announced its intention to enact a new cybersecurity standard for defense contractors called the Cybersecurity Maturity Model Certification (CMMC).
While the details of this certification are not yet finalized, the intent is to improve the current level of cybersecurity present in the US defense industrial base (DIB).
By implementing this new certification, the DoD hopes to strengthen the cybersecurity of national security data and networks.
Current compliance with cybersecurity regulations
Under the Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012, defense contractors handling sensitive but unclassified information are required to implement 110 security controls described in NIST SP 800-171.
This requirement is intended to protect sensitive data entrusted to contractors by the DoD.
However, recent research compiled by a certified cybersecurity assessment team from Sera-Brynn has revealed that the average US defense contractor falls far short of compliance with NIST SP 800-171 requirements.
On average, the surveyed organizations had implemented only 39% of the 110 mandatory security controls. Moreover, none of the surveyed organizations were fully compliant with NIST SP 800-171, and nearly half (45%) of the organizations had never even read the NIST requirements.
New rules under the CMMC
The current regulations governing cybersecurity requirements for US defense contractors (DFARS Clause 252.204-7012) clearly set out the steps that companies must carry out in order to be eligible for contracts.
However, the current regulation lacks enforceability and allows the contractor to self-certify compliance with NIST SP 800-171.
The new CMMC is designed to provide the enforcement component missing in the current legislation. Significant changes include:
- Certification Levels: Every defense contract will require one of five levels of compliance. Failure to achieve the specified level will be grounds for automatic rejection of the contract bid.
- Audits: Organizations will no longer be able to self-audit against NIST SP 800-171. Third-party audits will be required for all defense contractors.
- Scope: Currently, only compliance with NIST SP 800-171 is required. The new certification may incorporate requirements from other frameworks as well.
Although these changes appear to be simple, they dramatically change the level of cybersecurity that US defense contractors must achieve in order to be awarded contracts.
Even if the scope of the regulation is not changed beyond that of NIST SP 800-171, the new level of enforcement under CMMC has significant implications for the defense industrial base.
Implications of the CMMC
The Cybersecurity Maturity Model Certification represents a significant change in how defense contracts will be awarded.
As demonstrated in the Sera-Brynn research, DIB contractors have largely ignored the cybersecurity requirements established by the US government. Given that none of the surveyed organizations showed full compliance, it is evident that noncompliance is a widespread issue and not isolated to a few organizations.
The research showed that noncompliance occasionally stemmed from lack of understanding of some of the security controls; however, the more frequent reasons given for noncompliance were related to cost, complexity and ease of use. Some survey respondents indicated that available cybersecurity solutions were prohibitively costly to implement.
Under the new CMMC standard, demonstrated compliance with NIST regulations for a baseline level of cybersecurity will become a minimum requirement for consideration of a bid for a defense contract.
The short-term implications of the legislation will likely be significant as contractors scramble to implement the security controls currently lacking in their organizations.
In addition to its robust security, GoSilent is a flexible solution, and its price point makes it a truly scalable one.