While the Defense Department’s Cybersecurity Maturity Model Certification program has yet to be fully implemented, defense contractors are working through the complex process of conducting a Level 1 self-assessment, referred to by experts as “basic cyber hygiene.”
The program, known as CMMC, is the Defense Department’s mechanism to assess whether companies and contractors that handle sensitive unclassified information are compliant with the department’s cybersecurity requirements.
Contrary to popular belief, the Defense Department’s cybersecurity requirements have been around for a long time, said Logan Therrien, chief strategy officer at Kieri Solutions. “They are something that has been expected to have been implemented in organizations, and then the CMMC is just the assessment verification process making sure it’s being implemented.”
Specifically, the program is designed to determine whether companies have the correct measures in place to protect federal contract information, or FCI, and controlled unclassified information, or CUI, shared with defense contractors and subcontractors.
Federal contract information refers to information “not intended for public release that is provided by or generated for the government,” Therrien said during a recent webinar hosted by the National Defense Industrial Association. “Under a contract, the developer delivers a product or a service to the government, not including information provided by the government to the public. So, that’s a good delineation right there and then, or simple transactional information, such as information that’s needed to process payments.”
CUI is information the government creates or possesses, or that an entity creates or possesses for or on behalf of the government, that a law, regulation or government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls, according to the Code of Federal Regulations.
If one thinks of federal contract information as a big circle, inside that circle “is a smaller circle that’s labeled CUI, and what that means is that CUI is also FCI,” Therrien said. Not all federal contract information is controlled unclassified information, but controlled unclassified information falls under federal contract information.
CMMC’s final rule took effect on Dec. 16, “kind of,” Therrien said. “I say ‘kind of’ because there are other parts that need to be published, and then a timeline beyond that for that to become effective.”
Phased implementation of the program will begin when the Defense Department's follow-on Defense Federal Acquisition Regulation Supplement rule change goes into effect. That DFARS rule (in Title 48 of the Code of Federal Regulations) is what writes CMMC into contracts, as opposed to the Title 32 program rule that took effect on Dec. 16; it is still not finalized and is expected around mid-2025.
In Phase 1 of implementation, department solicitations will require CMMC Level 1 or Level 2 self-assessments, where applicable. Phases 2 through 4 then follow at one-year intervals, with Phase 4 being full implementation.
To meet CMMC Level 1, companies must comply with the 15 security requirements laid out in Federal Acquisition Regulation clause 52.204-21, "Basic Safeguarding of Covered Contractor Information Systems." These requirements fall under six categories: access control; identification and authentication; media protection; physical protection; system and communications protection; and system and information integrity.
There are two more levels of certification, Levels 2 and 3, that require companies to meet additional cybersecurity requirements, and it is not "easy to step between levels," Therrien said. "The way things are scoped or assessed will actually change, but [Level 1] is basic cyber hygiene practices, some things that … without" them, a company lacks "a fundamental level of control of your environment."
The first step of a Level 1 self-assessment is identifying all in-scope assets: any asset that processes, stores or transmits federal contract information or controlled unclassified information.
But it can get complicated, Therrien said.
“Just because it’s on [your] network doesn’t necessarily mean it’s an FCI asset,” he said. “However, if it’s on the network and it processes, stores [or] transmits FCI, it is an FCI asset.” The network that transmits federal contract information is in scope, but if another computer is on the same network that is not processing, storing or transmitting federal contract information, “then that would not be in scope,” he said.
Next, companies must assess their information systems against all 15 requirements. The requirements can be applied to the infrastructure as a whole or to a particular enclave or enclaves, depending on where the information will be processed, stored or transmitted. The assessment can be performed internally or with a third party.
Even if a third party is used, it is still considered a Level 1 self-assessment, as it does not “assure the certification, so it won’t be a Level 2 assessment just because you brought in a third party for your FCI environment,” Therrien said.
In addition to the self-assessment report, companies must also submit a self-affirmation — a statement certifying their compliance with the protection requirements, which is the equivalent of a legal oath.
Essentially, an internal affirmer must “click a button” to verify that the information is correct and the proper evidence is provided, said Vince Scott, founder and CEO of Defense Cybersecurity Group.
But the process is not as simple as the click of a button.
“This is not, ‘Oh yeah, somebody’s just going to go into the portal and add it in, and it’s all going to be good.’ I would not think about this this way,” he said. “I would have my game face on, and I would be prepared, even for a Level 1 self-assessment. [It] requires work, requires rigor, requires thought because of the level of risk that the DoD is presenting to you contractually.”
Conducting a Level 1 self-assessment also requires gathering and maintaining evidence “for six years on behalf of the Department of Justice” so the government can verify accuracy at a later date if needed, Scott said.
“I think it would be very wise to consider this,” he said. Along with the assessment itself, the self-affirmation is “an annual requirement; you’re going to have to do this once a year.”
Another requirement of the Level 1 self-assessment is recording the methodology and evidence used to demonstrate that the Level 1 objectives have been fulfilled. Each requirement receives one of three findings: "met," meaning all applicable objectives for the requirement are satisfied based on final-form evidence; "not met," meaning one or more objectives are not satisfied; and "not applicable," meaning the requirement or objective does not apply at the time of the assessment.
There’s “a lot of argument or at least discussion” about “not applicable” assessment findings in the cybersecurity community, and it’s considered a “variance,” Scott said.
“It’s important to note that DFARS 7012 says that if you’re going to mark something as ‘not applicable,’ you need the DoD [chief information officer’s] permission to do that,” he said. “In general, assessors recommend that instead of using ‘not applicable,’ if it’s really not applicable, you mark it as ‘met’ and how you would meet it if those circumstances should arise inside your system.”
Scott noted that one “not met” objective results in the failure of the whole Level 1 self-assessment.
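As a concrete illustration of the scoping step described earlier (an asset is in scope only if it processes, stores or transmits FCI; a network is in scope when FCI crosses it; a neighbouring host that never touches FCI is not) and of the finding rules just described (a single "not met" fails the assessment; "not applicable" is a variance that needs review), here is an added Python example. It is not from the article, the Defense Department or any CMMC tool. The asset inventory, the placeholder requirement IDs (use the numbering in the current DoD assessment guide), the sample findings and the per-category counts of the 15 requirements (taken from FAR 52.204-21, which the article does not break down) are constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass

# The six requirement families named in the article and how many of the 15 FAR
# 52.204-21 requirements fall in each. The article gives the families only; the
# per-family counts follow FAR 52.204-21(b)(1)(i)-(xv) and are an assumption here.
FAMILY_COUNTS = {"AC": 4, "IA": 2, "MP": 1, "PE": 2, "SC": 2, "SI": 4}
TOTAL_REQUIREMENTS = sum(FAMILY_COUNTS.values())  # 15
FINDINGS = ("met", "not met", "not applicable")


@dataclass(frozen=True)
class Asset:
    name: str
    network: str          # network segment the asset sits on
    processes_fci: bool = False
    stores_fci: bool = False
    transmits_fci: bool = False

    def handles_fci(self) -> bool:
        return self.processes_fci or self.stores_fci or self.transmits_fci


def scope(assets):
    """Apply the scoping rule: an asset is in scope only if it processes, stores
    or transmits FCI; a network is in scope when FCI is transmitted across it;
    a host on that same network that never touches FCI stays out of scope."""
    return {
        "assets": [a.name for a in assets if a.handles_fci()],
        "networks": sorted({a.network for a in assets if a.transmits_fci}),
        "out_of_scope": [a.name for a in assets if not a.handles_fci()],
    }


@dataclass(frozen=True)
class Requirement:
    rid: str              # placeholder ID; use the numbering in the current DoD guide
    family: str
    finding: str
    evidence: tuple = ()  # final-form evidence, e.g. file names of exported settings
    na_justification: str = ""


def check_requirement(req):
    """Problems with one finding's record (an empty list means the record is usable)."""
    problems = []
    if req.finding not in FINDINGS:
        problems.append(f"{req.rid}: unknown finding {req.finding!r}")
    if req.finding == "met" and not req.evidence:
        problems.append(f"{req.rid}: 'met' recorded without final-form evidence")
    if req.finding == "not applicable" and not req.na_justification:
        problems.append(f"{req.rid}: 'not applicable' recorded without a justification")
    return problems


def assess(requirements):
    """Roll the per-requirement findings up to an overall Level 1 result."""
    problems = []
    counts = Counter(r.family for r in requirements)
    if counts != Counter(FAMILY_COUNTS):
        problems.append(f"expected {TOTAL_REQUIREMENTS} requirements, got {dict(counts)}")
    for r in requirements:
        problems.extend(check_requirement(r))
    not_met = [r.rid for r in requirements if r.finding == "not met"]
    na_review = [r.rid for r in requirements if r.finding == "not applicable"]
    if not_met:
        result = "not met"      # a single 'not met' fails the whole self-assessment
    elif problems:
        result = "incomplete"   # fix the record before anyone affirms it
    else:
        result = "met"
    return {"result": result, "not_met": not_met,
            "na_for_cio_review": na_review, "problems": problems}


# Constructed inventory: two hosts on corp-lan exchange FCI, the lobby kiosk on the
# same segment never touches it, and build-box receives FCI on removable media only.
SAMPLE_ASSETS = [
    Asset("file-server", "corp-lan", stores_fci=True, transmits_fci=True),
    Asset("pm-laptop", "corp-lan", processes_fci=True, transmits_fci=True),
    Asset("lobby-kiosk", "corp-lan"),
    Asset("build-box", "lab-net", processes_fci=True),
    Asset("guest-ap", "guest-wifi"),
]


def sample_findings(fix_media=False):
    """Constructed findings: everything met with evidence, one PE requirement marked
    N/A with a justification, and media protection 'not met' unless fix_media is set."""
    reqs = []
    for family, n in FAMILY_COUNTS.items():
        for i in range(1, n + 1):
            rid = f"{family}-{i}"
            if family == "MP" and not fix_media:
                reqs.append(Requirement(rid, family, "not met"))
            elif rid == "PE-2":
                reqs.append(Requirement(rid, family, "not applicable",
                                        na_justification="constructed justification"))
            else:
                reqs.append(Requirement(rid, family, "met", evidence=(f"{rid}.png",)))
    return reqs


if __name__ == "__main__":
    print(scope(SAMPLE_ASSETS))
    print(assess(sample_findings()))
    print(assess(sample_findings(fix_media=True)))
```

Two design choices follow the article directly: a "not applicable" finding is never treated as a pass or a fail on its own but is surfaced separately so it can be taken to the DoD CIO review Scott describes, and a "met" finding with no evidence behind it blocks the result as "incomplete" rather than counting as met, since the affirmation is only as good as the evidence retained behind it.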
Additionally, defense contractors should remain up to date on CMMC Level 1 self-assessment requirements, because it’s entirely possible that they could change slightly, Therrien said.
“If you’re familiar with the CMMC Level 1 assessment guide that was published prior to Dec. 16, it’s worth taking a look at the numbering,” he said. “There were some variables, maybe even some wording changes. So, if you haven’t seen it since Dec. 16, it’s worth going back to the DoD website and looking at these references in their updated form.”
The Defense Department provides a variety of CMMC-related resources, including a page on the chief information officer’s website with a comprehensive list of internal, external and additional resources and documentation, along with several guides, including a CMMC Level 1 Scoping Guide and Level 1 Self-Assessment Guide.
The Defense Industrial Base Sector Coordinating Council also has a CyberAssist portal with CMMC Level 1 resources, training and frequently asked questions.
Self-assessments are “not automatic,” Scott said. “They’re not a ‘gimme.’ This requires some thought and some work if you’re going to do it right. It also requires some work to be ready to submit.”