The United States Department of Defense (DoD) views securing the supply chain and the Defense Industrial Base (DIB) as one critical pillar in protecting national security. Dedicated security requirements exist for the protection of federal information systems as well as classified information based on the NIST 800-53 standard. However, several years ago, a gap was identified in the security requirements for the protection of non-federal systems and controlled unclassified information (CUI). The steps initially taken by the DoD to enhance supply chain security would end up having significant implications for nearly all organizations that do work with the DoD.

To summarize, the DoD began requiring organizations that handle CUI to comply with the 110 security requirements outlined in NIST 800-171 via Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012. This contractual obligation required defense contractors to “self-attest” their compliance with this standard as well as to maintain a System Security Plan (SSP) and a Plan of Action and Milestones (PoAM) to document security gaps.

The Cybersecurity Maturity Model Certification (CMMC) was developed to address some of the shortcomings of this original approach. It was determined that while the security standard of NIST 800-171 was appropriate, the DFARS clause had no “teeth”; it lacked accountability. The self-attestation model and broad allowance for non-compliant items, i.e., PoAMs, meant that many defense contractors did not actually implement the standard, manage their security program, or remediate non-compliant items. CMMC sought to fix these issues by moving to an independent third-party certification model, enhancing the framework with five different levels of security maturity, removing the allowances for PoAM items, and introducing significant documentation and governance requirements via “process maturity” requirements.

What Is in Cybersecurity Maturity Model Certification (CMMC) 2.0?

Beyond the initial DFARS rule, the initial self-attest implementation of NIST 800-171