Setting the Stage for CMMC – What is CUI

This article will address what CUI is, why all DOD service providers will need to meet the new CMMC requirements, and a brief overview of how they can get started toward CMMC. 

Controlled Unclassified Information (CUI) is defined by the Department of Defense (DOD) as the information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. 

The DOD is planning to migrate to a new framework called Cybersecurity Maturity Model Certification (CMMC) in order to assess and enhance the cybersecurity posture of the Defense Industrial Base (DIB). The CMMC is intended to combine various cybersecurity control standards and to serve as a verification mechanism so that appropriate levels of cybersecurity practices and processes are in place to ensure basic cyber hygiene as well as protect CUI that resides on the Department’s industry partners’ networks.

What Is All The Hype About CUI – Protecting CUI

In 1996, the federal government put in place contractual mandates requiring that their service providers protect CUI, and in the past four years since inception, the number of breaches and the costs associated with them have steadily increased. DOD has decided that a new approach, focused on building sound IT security practices that are adaptive and resilient, is necessary not only to protect their CUI but also to reduce the financial burden of security breaches on their service providers.

Despite the existing standards and self-assessments, breaches are still occurring at an alarming rate and are actually increasing rather than decreasing. In order to protect CUI and thus protect national security, the DOD is updating the way that CUI is protected.

Costs of breaches include:

  • Financial impact
  • Breach notifications
  • Credit protection for employees, partners, customers
  • Dealing with PR issues
  • Reputational damage
  • Addressing the impact to the integrity of the business
  • Loss of strategic information
  • Loss of data and equipment
  • Loss of revenue
  • Cybersecurity improvements
  • Court settlements and fees
  • Regulatory penalties
  • Forensics

The Council of Economic Advisors estimates that malicious cyber activity cost the U.S. economy between $57 billion and $109 billion in 2016. The Center for Strategic and International Studies and McAfee estimate that the total global cost of cybercrime was as high as $600 billion in 2017. Ransomware-as-a-service is the fastest-growing cybercrime tool, and Cybercrime-as-a-service has grown in sophistication. 

Aside from the overt cost of a security breach, compromising CUI has several impacts, not the least of which is on a company’s bottom line. Poor cyber hygiene and IT security programs that do not adapt to emerging threats allow threat actors to gain access to your company’s valuable data. DOD understands the value of having strong IT security programs from its service providers all along the supply chain. Just as the government and the auto industry concluded that air bags and backup cameras should become standard equipment, reducing costly damage, injuries, and fatalities, CMMC moves toward making adaptive and mature cybersecurity programs the norm, which ultimately improves the security of those programs and can even bring an economic benefit to participating companies.

Because of the robust security measures that the DOD has in place within its agency, threat actors find it very difficult to penetrate the DOD’s networks. In turn, threat actors are now strategically targeting service providers because these providers have fewer protections in place than DOD networks. By instilling strong IT security practices in service providers, the measures will protect service providers as much as they protect the DOD.

The DOD has numerous standards in place, which could protect the agency, CUI, and service providers – IF service providers would adhere to the standards. The problem is that the standards are seen as optional, so many service providers do not implement them. The DOD is transitioning to requirements that will be third-party verified to make sure that all service providers comply with the requirements. 

The Measures That Have Been In Place And The Measurements That Are Coming

Under the existing 48 CFR 52.204-21 and NIST SP 800-171 requirements, federal and DOD contractors were required to implement security protections for CUI and were allowed to self-assess those implementations, meaning that companies went through an internal audit process to see whether they met the requirements and then submitted documentation, or artifacts, stating that they did. There were no checks and balances on the self-assessment. With the inception of CMMC, ALL defense contractors, for all defense contracts, will be required to obtain a CMMC certification from a certified and accredited third-party auditor at the maturity level appropriate to the sensitivity and volume of CUI they have access to. The certification requirement also extends to any subcontractors.

Many DOD service providers think that CMMC only applies to companies providing IT services. However, service companies may not realize they will need to comply with these new requirements even if they are not providing IT services. ALL DOD Service Providers need CMMC certification. 

Under the CMMC standard, a service provider that does not obtain the required CMMC certification will not be eligible for the acquisition. At the onset of the CMMC program, by the end of FY2020, all service providers and their partners will need to be certified at CMMC Maturity Level 1 for all new acquisitions.

Why Non-IT Service Providers NEED (Not Want) CMMC

The CMMC is designed to focus on supply chain integrity of the entire Defense Industry. The DOD is putting the CMMC maturity model in place to help all DOD service providers, not just IT providers, secure their corporate IT in a way that is cost effective, that’s reasonable for the type of data that service providers have access to, and that allows service providers a logical pathway to respond to existing and new threats. 

Attackers and threat actors are becoming more and more sophisticated, have increased the number of attacks, and have a variety of motivations.

According to the Council of Economic Advisers, cyber threat actors include six broad categories, with each one having distinct objectives and motivations: 

  • Nation-states
  • Corporate competitors
  • Hacktivists
  • Organized criminal groups
  • Opportunists
  • Company insiders

The Office of the Director of National Intelligence (DNI) has identified the major nation-state threats as Russia, China, Iran, and North Korea. These groups are well funded and typically engage in sophisticated, targeted attacks that are motivated by technical, economic, political, or military agendas. Many attacks are retaliatory attacks in response to sanctions or are focused on industrial espionage. 

Corporate competitors seek illicit access to strategic, financial, and workforce-related information on competitors. 

Hacktivists act alone or in groups to carry out high-profile attacks and often are influenced by political agendas.

Opportunists, typically amateur hackers, attack for notoriety. 

Company insiders are usually disgruntled employees or former employees looking for financial gain or revenge. These attacks pose a greater threat when the insiders are working with external actors.

In order to address the increased sophistication of attacks, their sheer volume, and the continually changing threat landscape, the DOD is looking to strengthen its measures. Currently, there are simple compliance-based, check-the-box processes in place. The new measures will be of value to service providers no matter what they do or what data they have.

Take an engineering company, for example, that has an acquisition to build stealth technology. While this company is not providing IT services, they are working with CUI as part of the acquisition. In order to protect the CUI, they would need to get CMMC at a level set in the acquisition. If the CUI were breached, a foreign government could gain military advantages and become a threat to national security. 

Implementing the various practices and processes provides value to organizations, and the maturity model structure provides a good pathway to evolve from one maturity level to the next. Service providers may be in good shape already if they are fully implementing NIST SP 800-171, which provides the bulk of CMMC Maturity Level 3, and the content sources are well established (NIST CSF, ISO 27001, etc.).

The highest levels of the maturity model put in place extremely resilient types of security measures that are designed to protect and respond to the most sophisticated types of threats and attacks that are out there.

At the onset, all new acquisitions for all types of service providers, not just IT providers, will need to have at least Level 1 of CMMC. The CMMC Level 1 is basically aligned with what the original DAR & FAR requirements were. As it stands now, CMMC is expected to appear in RFPs starting in September 2020. 

What Can You Do Now To Prepare

There are many things that DOD service providers can do to prepare for CMMC. 

First of all, become familiar with the CMMC standard on the Office of the Under Secretary of Defense for Acquisition and Sustainment’s Cybersecurity Maturity Model Certification website.

Try to identify what levels your company wants to be able to achieve based on the types of acquisitions you are tracking right now. 

Start preparing your artifacts. Having as much information ready as possible reduces the number of hours and resources the assessment needs, which could help keep accreditation costs down.

Hire a consultant to help you prepare. Consultants, like IBSS, can look at your business development program to determine which acquisitions will have access to sensitive data and see what level of CMMC would be needed for those acquisitions as well as make recommendations for what is needed to obtain a certain CMMC level.

For example, if you are an engineering company that is going to build a solution and create CUI as well as have access to it, a consultant can determine that you would need CMMC Level 3 based on the CUI being accessed, and that you need to put in place an active security operations center in order to be ready for that contract.

Consultants can also help service providers pull together all the artifacts that will be needed at the time of the CMMC audit, which decreases the time needed to perform the audit and could help lower the audit cost.

While CMMC is coming and all DOD service providers, whether primary or secondary providers, need to have at least CMMC Level 1, acquiring CMMC will have benefits beyond acquisitions. By getting CMMC, service providers take their support of the DOD mission to a deeper level as they better protect both themselves and national security.

To learn more about the CMMC framework, read our post called Exploring the CMMC Framework.

For a free consultation to see where you stand, contact us at 301-942-9014, email us at cmmc@ibsscorp.com, or fill out this form.

ABOUT IBSS 

Since 1992, IBSS, a woman-owned small business, has provided specialized cybersecurity, enterprise IT, environmental science and engineering, and professional and management consulting services to the Federal sector. Our clients include the National Oceanic and Atmospheric Administration (NOAA), the Department of Defense (DoD), and the Department of Justice (DOJ). We are committed to serving our clients and employees by delivering service excellence, creating value through technology, and continually improving our skills, services, and processes. In addition, we maintain ISO 9001:2015, ISO 27001, ISO 20000, and CMMI certifications, which allow us to apply current industry best practices to enhance delivery outcomes for our clients and demonstrate our commitment to quality.