{"id":17136,"date":"2025-06-12T11:59:28","date_gmt":"2025-06-12T14:59:28","guid":{"rendered":"https:\/\/www.fie.undef.edu.ar\/ceptm\/?p=17136"},"modified":"2025-06-12T11:59:28","modified_gmt":"2025-06-12T14:59:28","slug":"expertos-comparten-consejos-sobre-como-realizar-la-autoevaluacion-de-ciberseguridad-de-nivel-1","status":"publish","type":"post","link":"https:\/\/www.fie.undef.edu.ar\/ceptm\/?p=17136","title":{"rendered":"Experts share advice on how to conduct a Level 1 cybersecurity self-assessment"},"content":{"rendered":"<p>While the Defense Department\u2019s Cybersecurity Maturity Model Certification program has yet to be fully implemented, defense contractors are working through the complex process of conducting a Level 1 self-assessment, which experts refer to as \u201cbasic cyber hygiene\u201d.<\/p>\n<hr \/>\n<p>While the Defense Department\u2019s Cybersecurity Maturity Model Certification program has yet to be fully implemented, defense contractors are working through the complex process of conducting a Level 1 self-assessment, referred to by experts as \u201cbasic cyber hygiene.\u201d<\/p>\n<p>The program, known as CMMC, is the Defense Department\u2019s mechanism to assess whether companies and contractors that handle sensitive unclassified information are compliant with the department\u2019s cybersecurity requirements.<\/p>\n<p>Contrary to popular belief, the Defense Department\u2019s cybersecurity requirements have been around for a long time, said Logan Therrien, chief strategy officer at Kieri Solutions. 
\u201cThey are something that has been expected to have been implemented in organizations, and then the CMMC is just the assessment verification process making sure it\u2019s being implemented.\u201d<\/p>\n<p>Specifically, the program is designed to determine whether companies have the correct measures in place to protect federal contract information, or FCI, and controlled unclassified information, or CUI, shared with defense contractors and subcontractors.<\/p>\n<p>Federal contract information refers to information \u201cnot intended for public release that is provided by or generated for the government,\u201d Therrien said during a recent webinar hosted by the National Defense Industrial Association. \u201cUnder a contract, the developer delivers a product or a service to the government, not including information provided by the government to the public. So, that\u2019s a good delineation right there and then, or simple transactional information, such as information that\u2019s needed to process payments.\u201d<\/p>\n<p>CUI is information the government creates or possesses, or that an entity creates or possesses for or on behalf of the government, that a law, regulation or government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls, according to the Code of Federal Regulations.<\/p>\n<p>If one thinks of federal contract information as a big circle, inside that circle \u201cis a smaller circle that\u2019s labeled CUI, and what that means is that CUI is also FCI,\u201d Therrien said. Not all federal contract information is controlled unclassified information, but controlled unclassified information falls under federal contract information.<\/p>\n<p>CMMC\u2019s final rule took effect on Dec. 16, \u201ckind of,\u201d Therrien said. 
\u201cI say \u2018kind of\u2019 because there are other parts that need to be published, and then a timeline beyond that for that to become effective.\u201d<\/p>\n<p>Phased implementation of the program will begin when the Defense Department\u2019s follow-on Defense Federal Acquisition Regulation Supplement rule change to contractually implement CMMC goes into effect; that rule is still not finalized and is expected around mid-2025.<\/p>\n<p>In Phase 1 of implementation, department solicitations will require CMMC Level 1 or 2 self-assessments, where applicable. Once Phase 1 is completed, Phases 2 through 4 come into effect one year after the other, with Phase 4 being full implementation.<\/p>\n<p>To achieve CMMC Level 1 certification, companies must comply with 15 security requirements laid out in Federal Acquisition Regulation clause 52.204-21, \u201cBasic Safeguarding of Covered Contractor Information Systems.\u201d These controls fall under six categories: access control; identification and authentication; media protection; physical protection; system and communications protection; and systems and information integrity.<\/p>\n<p>There are two more levels of certification that require companies to meet additional cybersecurity requirements, and it is not \u201ceasy to step between levels,\u201d Therrien said. \u201cThe way things are scoped or assessed will actually change, but [Level 1] is basic cyber hygiene practices, some things that \u2026 without\u201d them, a company lacks \u201ca fundamental level of control of your environment.\u201d<\/p>\n<p>The first step of a Level 1 self-assessment is identifying all in-scope assets, or any asset that processes, stores or transmits federal contract information or controlled unclassified information.<\/p>\n<p>But it can get complicated, Therrien said.<\/p>\n<p>\u201cJust because it\u2019s on [your] network doesn\u2019t necessarily mean it\u2019s an FCI asset,\u201d he said. 
\u201cHowever, if it\u2019s on the network and it processes, stores [or] transmits FCI, it is an FCI asset.\u201d The network that transmits federal contract information is in scope, but if another computer is on the same network that is not processing, storing or transmitting federal contract information, \u201cthen that would not be in scope,\u201d he said.<\/p>\n<p>Next, companies must assess their information systems to determine whether or not they meet all 15 requirements, and they can apply to both infrastructure as a whole or to a particular enclave or enclaves depending on where the information will be processed, stored or transmitted. The assessment can be performed internally or with a third party.<\/p>\n<p>Even if a third party is used, it is still considered a Level 1 self-assessment, as it does not \u201cassure the certification, so it won\u2019t be a Level 2 assessment just because you brought in a third party for your FCI environment,\u201d Therrien said.<\/p>\n<p>In addition to the self-assessment report, companies must also submit a self-affirmation \u2014 a statement certifying their compliance with the protection requirements, which is the equivalent of a legal oath.<\/p>\n<p>Essentially, an internal affirmer must \u201cclick a button\u201d to verify that the information is correct and the proper evidence is provided, said Vince Scott, founder and CEO of Defense Cybersecurity Group.<\/p>\n<p>But the process is not as simple as the click of a button.<\/p>\n<p>\u201cThis is not, \u2018Oh yeah, somebody\u2019s just going to go into the portal and add it in, and it\u2019s all going to be good.\u2019 I would not think about this this way,\u201d he said. \u201cI would have my game face on, and I would be prepared, even for a Level 1 self-assessment. 
[It] requires work, requires rigor, requires thought because of the level of risk that the DoD is presenting to you contractually.\u201d<\/p>\n<p>Conducting a Level 1 self-assessment also requires gathering and maintaining evidence \u201cfor six years on behalf of the Department of Justice\u201d so the government can verify accuracy at a later date if needed, Scott said.<\/p>\n<p>\u201cI think it would be very wise to consider this,\u201d he said. Along with the assessment itself, the self-affirmation is \u201can annual requirement; you\u2019re going to have to do this once a year.\u201d<\/p>\n<p>Another requirement of the Level 1 self-assessment is providing methodology, or evidence, to demonstrate that the Level 1 objectives have been fulfilled. One of three assessment findings is possible: \u201cmet,\u201d meaning all applicable objectives for the security requirements are satisfied based on final form evidence; \u201cnot met,\u201d which means one or more objectives are not satisfied; and \u201cnot applicable,\u201d meaning a requirement or objective does not apply at the time of the assessment.<\/p>\n<p>There\u2019s \u201ca lot of argument or at least discussion\u201d about \u201cnot applicable\u201d assessment findings in the cybersecurity community, and it\u2019s considered a \u201cvariance,\u201d Scott said.<\/p>\n<p>\u201cIt\u2019s important to note that DFARS 7012 says that if you\u2019re going to mark something as \u2018not applicable,\u2019 you need the DoD [chief information officer\u2019s] permission to do that,\u201d he said. 
\u201cIn general, assessors recommend that instead of using \u2018not applicable,\u2019 if it\u2019s really not applicable, you mark it as \u2018met\u2019 and how you would meet it if those circumstances should arise inside your system.\u201d<\/p>\n<p>Scott noted that one \u201cnot met\u201d objective results in the failure of the whole Level 1 self-assessment.<\/p>\n<p>Additionally, defense contractors should remain up to date on CMMC Level 1 self-assessment requirements, because it\u2019s entirely possible that they could change slightly, Therrien said.<\/p>\n<p>\u201cIf you\u2019re familiar with the CMMC Level 1 assessment guide that was published prior to Dec. 16, it\u2019s worth taking a look at the numbering,\u201d he said. \u201cThere were some variables, maybe even some wording changes. So, if you haven\u2019t seen it since Dec. 16, it\u2019s worth going back to the DoD website and looking at these references in their updated form.\u201d<\/p>\n<p>The Defense Department provides a variety of CMMC-related resources, including a page on the chief information officer\u2019s website with a comprehensive list of internal, external and additional resources and documentation, along with several guides, including a CMMC Level 1 Scoping Guide and Level 1 Self-Assessment Guide.<\/p>\n<p>The Defense Industrial Base Sector Coordinating Council also has a CyberAssist portal with CMMC Level 1 resources, training and frequently asked questions.<\/p>\n<p>Self-assessments are \u201cnot automatic,\u201d Scott said. \u201cThey\u2019re not a \u2018gimme.\u2019 This requires some thought and some work if you\u2019re going to do it right. 
It also requires some work to be ready to submit.\u201d<\/p>\n<p><strong>Source:<\/strong> <a href=\"https:\/\/www.nationaldefensemagazine.org\/articles\/2025\/6\/9\/cmmc-101-experts-share-advice-on-how-to-conduct-level-1-self-assessment\" target=\"_blank\" rel=\"noopener\"><em>https:\/\/www.nationaldefensemagazine.org<\/em><\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>While the Defense Department\u2019s Cybersecurity Maturity Model Certification program has yet to be fully implemented, defense contractors&hellip; <\/p>\n","protected":false},"author":1,"featured_media":17137,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[23,28],"tags":[],"_links":{"self":[{"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=\/wp\/v2\/posts\/17136"}],"collection":[{"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=17136"}],"version-history":[{"count":1,"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=\/wp\/v2\/posts\/17136\/revisions"}],"predecessor-version":[{"id":17138,"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=\/wp\/v2\/posts\/17136\/revisions\/17138"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=\/wp\/v2\/media\/17137"}],"wp:attachment":[{"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=17136"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=%2Fwp%2
Fv2%2Fcategories&post=17136"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=17136"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}