In March 2020, Visser Precision Manufacturing confirmed it was “the recent target of a criminal cybersecurity incident, including access to or theft of data.” Visser Precision, a Denver, Colorado-based manufacturer, makes custom parts for many industries, including Lockheed Martin, Boeing, General Dynamics, and SpaceX.
Security researchers attribute the attack to DoppelPaymer, a file-encrypting ransomware that first exfiltrates the company’s data, then encrypts the victim’s systems, and finally threatens to publish the stolen files if the ransom is not paid.
The Department of Defense (DoD) has one of the world’s largest supply chains, including thousands of third-party contractors. The vendors and partners represent the weakest cyber link in the nation’s defense infrastructure and present a substantial cyber risk.
In this series of blogs, “Everything You Need to Know About DoD CMMC,” we will discuss the Cybersecurity Maturity Model Certification, known as “CMMC.” Today’s article is the second in the series, and it’s about the CMMC model.
What is CMMC?
CMMC stands for “Cybersecurity Maturity Model Certification”. The CMMC will encompass multiple maturity levels that range from “Basic Cybersecurity Hygiene” to “Advanced/Progressive”.
The CMMC is incorporated into the Defense Federal Acquisition Regulation Supplement (DFARS) and used as a contract award requirement.
The new CMMC framework is used to assess and enhance the cybersecurity posture of the Defense Industrial Base (DIB).
The CMMC is intended to serve as a verification and validation mechanism that ensures appropriate levels of cybersecurity practices and processes are in place, so that basic cyber hygiene is maintained and controlled unclassified information (CUI) residing on the networks of the Department’s industry partners is protected.
To protect from cyber-attacks, DoD wants vendors to secure the following types of unclassified information from adversaries:
Federal Contract Information (FCI): Information not intended for public release. FCI is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government. FCI does not include information that the Government provides to the public on public websites.
Controlled Unclassified Information (CUI): CUI does not include classified information. CUI is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government. CUI is any potentially sensitive, unclassified data that requires controls defining its proper safeguarding or dissemination.
The first version of the model was released on January 31, 2020 (two updates have been introduced since then). The model articulates several requirements that contractors must meet to qualify for the various cybersecurity maturity certifications.
Those certifications span multiple maturity levels, from Level 1, “Basic cybersecurity hygiene,” to Level 5, “Highly advanced cybersecurity practices.” These certifications are likely to be mandated in RFPs beginning as early as this year. The RFP will state the required CMMC level L and M and use it in “go/no go” decisions.
The vendors must perform CMMC audits to become certified and continue to offer their products and services to the DoD.
The CMMC model combines various cybersecurity control standards such as NIST SP 800-171 (Rev. 1 & Rev. B), NIST SP 800-53, ISO 27001, ISO 27032, Aerospace Industries Association (AIA) National Aerospace Standard (NAS) 9933 and inputs from DoD and DIB into one unified standard for cybersecurity. In addition to cybersecurity control standards, the CMMC also measures the maturity of a company’s institutionalization of cybersecurity practices and processes.
The CMMC model organizes Processes and Practices into a set of domains and five maturity levels. The framework aligns the practices to a group of capabilities. It categorizes these best practices into: