Cybersecurity Maturity Model Certification
UPDATES:
October 30, 2024: The Cybersecurity Maturity Model Certification (CMMC)
Program rule will be effective December 16, 2024.
With this final rule, DoD establishes the Cybersecurity Maturity Model Certification (CMMC) Program in order to verify contractors have implemented required security measures necessary to safeguard Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). The mechanisms discussed in this rule will allow the Department to confirm a defense contractor or subcontractor has implemented the security requirements for a specified CMMC level and is maintaining that status (meaning level and assessment type) across the contract period of performance. This rule will be updated as needed, using the appropriate rulemaking process, to address evolving cybersecurity standards, requirements, threats, and other relevant changes.
Source: Federal Register
Following are additional updates from Laura Rodgers, Director of Cybersecurity Practice in the Secure Computing Institute and Director of NC-PaCE at NC State:
- The DoD may include CMMC requirements on contracts awarded prior to 48 CFR part 204 CMMC Acquisition rule becoming effective, but doing so will require bilateral contract modification after negotiations.
- DoD estimates 8,350 medium and large entities will be required to meet CMMC Level 2 Third-Party Assessment Organization (C3PAO) assessment requirements as a condition of contract award.
- DoD estimates 135 CMMC C3PAO-led certification assessments will be completed in the first year, 673 C3PAO certification assessments in year two, 2,252 C3PAO certification assessments in year three, and 4,452 C3PAO certification assessments in year four.
- Solicitations and resulting defense contracts involving the processing, storing, or transmitting of FCI or CUI on a non-Federal system will, unless waived, have a CMMC level and assessment type requirement that a contractor must meet to be eligible for a contract award.
- A DoD Service Acquisition Executive or a Component Acquisition Executive may elect to waive inclusion of CMMC Program requirements in a solicitation or contract.
- The DoD encourages prime contractors to work with subcontractors to lessen the burden of flowing down CUI.
- Department Program Managers or requiring activities will determine which CMMC Level and assessment type will apply to a contract or procurement.
- The DoD issued policy guidance to its program managers regarding programmatic indicators to consider when selecting CMMC requirements.
- The DoD has updated the rule to add an additional six months to the Phase 1 timeline. Phase 2 will start one calendar year after the start of Phase 1.
- The required assessment frequency is every year for CMMC Level 1, and every three years for CMMC Levels 2 and 3, or when changes within the CMMC Assessment Scope invalidate the assessment (such as a change in scope).
October 11, 2024: The CMMC Program rule will be published in the Federal Register on October 15, 2024. It will go into effect 60 days after publication.
December 26, 2023: The Department of Defense published for comment a proposed rule for the Cybersecurity Maturity Model Certification (CMMC) 2.0 program.
December 7, 2022: DMARC and other specs dropped from CMMC 1.0 have been sent to NIST to be included in future revisions of NIST SP 800-171, which CMMC is based upon.
For more recent updates, you can visit the Department of Defense Chief Information Officer webpage.
The following was published September 20, 2021.
The Cybersecurity Maturity Model Certification (CMMC) is a cybersecurity framework being developed by the Department of Defense (DoD) to protect defense contractors from cyber threats. CMMC measures cybersecurity maturity with five levels consisting of security controls, practices and continual improvement to stop the theft of intellectual property, proprietary information and credentials that threaten economic and national security.
When an organization sets out to achieve a particular CMMC level, it must also meet the preceding lower levels. And because most data breaches and network exploits begin with phishing emails, email forgery protections are included in the CMMC model beginning at Level 3.
According to the DoD, “The CMMC will review and combine various cybersecurity standards and best practices and map these controls and processes across several maturity levels that range from basic cyber hygiene to advanced. For a given CMMC level, the associated controls and processes, when implemented, will reduce risk against a specific set of cyber threats.” CMMC is heavily based on DFARS 252.204-7012, which requires federal contractors to adhere to baseline security practices defined in NIST SP 800-171.
Though there are current resource barriers for many small to medium-sized businesses relative to achieving CMMC certification, DoD’s goal is for it to be “cost-effective and affordable for small businesses to implement at the lower CMMC levels.” Unlike the current DFARS provision, which is rooted in honor-based self-reporting, CMMC requires that accredited Third-Party Assessment Organizations conduct on-site assessments and deliver CMMC certificates to companies.
In an FCW article, Matt Travis, CEO for the Cybersecurity Maturity Model Certification Accreditation Body (CMMC AB), reported that “training and IT access to the Defense Department’s Enterprise Mission Assurance Support Service (eMASS), which will house CMMC data, still needs to be finalized for the third-party organizations that will be charged with conducting cyber assessments.” There are currently four approved C3PAOs for CMMC assessments, though they don’t yet have access to eMASS. In addition, the CMMC program is being reviewed by the DoD before its official release. There are several moving parts, but the CMMC AB is confident that the model is in the final review stages.
Currently, DMARC, SPF, and DKIM come into play at CMMC Level 3. The following is excerpted from the CMMC Appendices document:
SI.3.219: Implement email forgery protections
DISCUSSION FROM SOURCE: CMMC
Protecting your environment from harmful emails is one of the best ways to reduce the risk of viruses and malware from entering your network. Email attacks are one of the primary attack vectors in use by threat actors today because of their simplicity and effectiveness for circumventing an organization’s perimeter defenses. Implementing advanced email protections can help mitigate these email-based threats from penetrating an organization’s defenses and landing in the inbox of organizational end users.
CMMC CLARIFICATION
Implement email protections in addition to basic spam protections. Some potential advanced email protections include Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting & Conformance (DMARC). SPF uses DNS to show which servers are allowed to send email for a given domain. DKIM uses asymmetric cryptography to verify the authenticity of an email message and provide assurance of the legitimacy of the email to the recipient. DMARC allows organizations to deploy a combination of DKIM and SPF to further enhance their electronic mail infrastructure by adding linkage to the author (“From:”) domain name, published policies for recipient handling of authentication failures, and reporting from receivers to senders, to improve and monitor protection of the domain from fraudulent email.
Example
As the email administrator for your organization, you want to add additional protections to ensure you are blocking as many unwanted and harmful emails as possible. You configure a DMARC policy that enables both SPF and DKIM on your domain. You configure an SPF text entry in your DNS configuration so that you explicitly authorize the servers that can send email as well as ensuring relevant outbound emails are signed using DKIM.
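To make the SI.3.219 example concrete, here is an added illustration (not part of the CMMC document or this post) of what the administrator above publishes and how a receiver uses it: constructed SPF and DMARC TXT records for the hypothetical domain example.com, and a minimal DMARC evaluation that checks whether a passing SPF or DKIM result is aligned with the “From:” domain and which published policy applies. The domain names, IP range, and report address are assumptions; this is not a full RFC 7489 implementation (no public-suffix lookup, no DNS queries).

```python
"""Minimal DMARC alignment check against constructed DNS TXT records."""

# Constructed records for the hypothetical domain example.com.
# SPF: only the listed network and included provider may send; everything else hard-fails.
# DMARC: reject unauthenticated mail, strict DKIM alignment, relaxed SPF alignment,
# aggregate reports to the listed mailbox.
DNS_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailprovider.example -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=r",
}


def parse_dmarc(record: str) -> dict:
    """Parse a 'tag=value; tag=value' DMARC record; alignment modes default to relaxed."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain: str) -> str:
    """Approximate the organizational domain as the last two labels (no PSL lookup)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') accepts the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_result(from_domain, spf_domain, spf_pass, dkim_domain, dkim_pass):
    """Return (passes_dmarc, policy). DMARC passes if SPF or DKIM passes with an aligned identifier.

    spf_domain is the MAIL FROM domain SPF was evaluated for; dkim_domain is the d= tag of a
    verified signature. Either may be None when that check did not run.
    """
    policy = parse_dmarc(DNS_TXT[f"_dmarc.{from_domain.lower()}"])
    spf_ok = bool(spf_pass and spf_domain and aligned(from_domain, spf_domain, policy["aspf"]))
    dkim_ok = bool(dkim_pass and dkim_domain and aligned(from_domain, dkim_domain, policy["adkim"]))
    return (spf_ok or dkim_ok), policy["p"]
```

The third case below is the one SPF alone cannot catch: a message whose SPF passes for some unrelated bounce domain still fails DMARC because that identifier is not aligned with the “From:” domain, which is exactly the linkage the CMMC clarification describes.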
The biggest cybersecurity risk for most organizations is their people—employees clicking on unsafe email links and downloading treacherous attachments, inadvertently providing sensitive information to bad actors. Unfortunately, the practices in CMMC Level 1 do not adequately address those risks. The most effective way for an organization that does business with the government to protect national security, and themselves, is to focus their time and money on the industry standards that reduce cyber risks.
Several sections of the CMMC framework contain controls that reduce “people” risk. I recommend that organizations consider implementing all the “people” risk practices in CMMC Levels 1, 2, and 3—even if they are only required to comply with the practices in CMMC Level 1.
Laura Rodgers, cybersecurity compliance expert at the North Carolina Military Business Center
Compliance with CMMC does not equal 100% protection from cyber threats, so the model, beginning at Level 3, was designed to embed resilience into a company’s cybersecurity program. It helps an organization recover from an attack as quickly and effectively as possible and drives business continuity.
As DMARC continues to grow as a recommended and, in some cases, required control, let us know if you need any assistance to safeguard your domains from abuse.