CMMC - The DoD’s new Cybersecurity Standard

The White House estimated in 2018 that malicious cyber activity cost the US Economy between $57 billion and $109 billion. Existing standards in the defense industry have failed to secure the most sensitive data causing national security risks and severe economic loss. The poster child for this failure is the Chinese J-31 aircraft which is extremely similar to the American F-35 Joint Strike Fighter. It was later found that a small Australian subcontractor on the F-35 fighter project suffered a severe cybersecurity breach that was confirmed by the DOD. Reuters found that about 30 gigabytes of data was stolen in the cyber attack, including details of the F-35 Joint Strike Fighter warplane. This incident exemplifies how even small sub-contractors in large projects may possess information far beyond the direct scope of their work. Small-medium subcontractors, when breached by adversaries, have compromised major projects such as the F-35 and have led to significant economic losses and damage to national security.   

Small-medium subcontractors, when breached by adversaries, have compromised major projects such as the F-35 and have led to significant economic losses and damage to national security.

The defense sector faces sophisticated cyber attacks from the most advanced adversaries such as Advanced Persistent Threat (APT) groups who are typically working in association with nation-states to pursue multiple objectives. The goals of a cyber campaign against a defense contractor could include:

• Theft of intellectual property to advance domestic aerospace and defense capabilities 
• Develop countermeasures to technologies exposed by the breach
• Produce competing technologies for sale 
• Collect valuable intelligence with which to monitor, infiltrate and subvert other nations' defense systems and capabilities 

In 2019, this risk was strongly recognized, and work began on the CMMC Certification.  This model measures cybersecurity maturity with five levels and aligns a set of processes and practices with the type and sensitivity of information to be protected and the associated range of threats.  The model consists of 

maturity processes and cybersecurity best practices from multiple cybersecurity standards, frameworks, and other references, as well as inputs from the broader community.

The Cybersecurity Maturity Model Certification (CMMC)

The DoD implemented requirements for safeguarding Covered Defense Information (CDI) and cyber incident reporting through DFARS in October 2016.  Contractors are currently required to self-verify that adequate security controls required by NIST SP 800-171 are implemented within their systems to ensure that CDI confidentiality is maintained and enforced. However, it was proven that self-verification is not generating the required security posture and that higher standards are required due to the intensifying attacks on DoD contractors.

When fully operational, the CMMC will be mandatory for any firm doing business with the Department at any level. 

The intent of the CMMC is to combine various cybersecurity control standards such as NIST SP 800-171, NIST SP 800-53, ISO 27001, ISO 27032, AIA NAS9933 and others into one unified standard for cybersecurity. The CMMC certification is granted and validated by an independent third party assessment organization similar to the practice in the leading government cloud security standard - FedRAMP.  In addition to cybersecurity control standards, the CMMC measures the maturity of a company’s institutionalization of cybersecurity practices and processes. The CMMC encompasses multiple maturity levels that ranges from “Basic Cybersecurity Hygiene” to “Advanced”.

When fully operational, the CMMC will be mandatory for any firm doing business with the Department at any level. 

There will be five certification levels to the CMMC:

• Level 1 – Basic Cyber Hygiene. Includes basic cybersecurity, including universally accepted common best practices. 
• Level 2 – Intermediate Cyber Hygiene. Includes universally accepted cybersecurity best practices. Practices are documented, and access to CUI data will require multi-factor authentication.
• Level 3 – Good Cyber Hygiene. Includes coverage of all NIST SP 800-171 controls.  Processes at Level 3 are maintained and followed, including a comprehensive knowledge of cyber assets. 
• Level 4 – Proactive.  Includes advanced and sophisticated cybersecurity practices. Methods are regularly reviewed, adequately resourced, and continuously improved. 
• Level 5 – Advanced / Progressive. Includes highly advanced cybersecurity practices, include continuous improvement across the enterprise and defensive responses performed at machine speed.

Importance of Cybersecurity in the Defense Sector is Only Growing

The vast and complex network of third party stakeholders in the defense sector supply chain is facing an increasing number of attacks from state-sponsored actors seeking to target less sophisticated, small third parties on the supply chain and use them as a vector to access large defense contractors. 

Adversaries have regularly exploited supply chain vulnerabilities to launch sophisticated cyberattacks to gather sensitive data.  Threat actors may target defense technologies to create disruptions on the battlefield or to steal intellectual property giving them a competitive advantage by reducing costs and allowing them to produce and sell new products at lower prices.

CyLogic builds, operates and continuously monitors dedicated cloud platforms for enterprises that require the highest level of security with total control of their data.  Our proprietary platform,CMMC CyCloud, exceeds the DFARS frameworks, NIST SP 800-171, and the Level 5 CMMC compliance. CyLogic is helping DoD Contractors to be CMMC ready seamlessly - with a cloud platform and related professional services that was built specifically for DoD Contractors’ needs.