Understanding DoD Frameworks
The Department of Defense (DoD) provides the United States military with the forces needed to deter war and ensure the nation's security. To accomplish this mission, the DoD partners with the Defense Industrial Base sector, made up of over 100,000 Defense Industrial Base companies and their subcontractors, which provides essential materials and services to the DoD. This includes research and development, as well as designing, producing, delivering, and maintaining military weapons systems and their components or parts.
Within the last decade, the DoD has worked continuously with the Defense Industrial Base sector to enhance the protection of Controlled Unclassified Information (CUI) within unclassified networks that belong to organizations within the Defense Industrial Base sector. What exactly is CUI and why does it need to be protected? The DoD has defined CUI as: Information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.
To adequately safeguard CUI, the DoD has implemented several frameworks and contractual requirements that organizations within the Defense Industrial Base that handle CUI must comply with. Three main frameworks or contractual clauses are currently in use, or in the process of being implemented, to safeguard CUI:
Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 “Safeguarding Covered Defense Information and Cyber Incident Reporting”;
National Institute of Standards and Technology Special Publication 800-171 (NIST SP 800-171) “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations”; and
Cybersecurity Maturity Model Certification (CMMC).
The Defense Federal Acquisition Regulation Supplement, also known as DFARS, is the DoD's supplement to the Federal Acquisition Regulation (FAR), and it was published in December 2015. The primary objective of DoD acquisition is to acquire quality supplies and services that satisfy users' needs with measurable improvements and operational support, at a fair and reasonable price.
Within DFARS there is a set of cybersecurity requirements that DoD contractors must adhere to in order to obtain or maintain a DoD contract. This requirement is found in section 252.204-7012 of DFARS and is titled "Safeguarding Covered Defense Information and Cyber Incident Reporting." The objective of this clause is to protect CUI and the flow of CUI on the contract holder's information systems and networks.
Under this clause, contractors within the Defense Industrial Base are required to provide adequate security on all covered contractor information systems. The DoD requires that the contractor's information systems and networks implement the security requirements within NIST SP 800-171, which is titled "Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations."
This publication, developed by NIST, is guidance for protecting the confidentiality of CUI when it resides on and flows through nonfederal organizations' information systems.
Within NIST SP 800-171, there are 110 security controls spread across 14 control families, or domains. These domains range from Access Control to System and Information Integrity. Implementation of the security controls from NIST SP 800-171 is recognized as adequate security that protects against the loss, misuse, and unauthorized access to or modification of CUI.
In addition to the security controls from NIST SP 800-171, organizations must also comply with additional requirements specific to DFARS section 252.204-7012.
The main requirement is the Cyber Incident Reporting Requirement. This requirement in the clause states that when a contractor discovers a cyber-related incident, the organization must conduct an investigation to determine the scope, impact, and results of the incident. The contractor must then submit a report of its findings to the DoD.
To be compliant with the DFARS requirements, all it takes is for an organization to self-attest that it complies, or will comply, with the security controls and requirements within DFARS. There is no certification process for NIST SP 800-171 or DFARS; it is all based on the honor system. Consequently, it did not take the DoD long to realize that without a certification process, many organizations were performing self-assessments and claiming to be DFARS compliant without fully understanding the security controls or how to safeguard CUI within their information systems.
This leads us to the creation of the CMMC. The CMMC was released on January 31, 2020, and its intent is to incorporate a certification process into DFARS and use it as a requirement for contract award with the DoD. Much like DFARS, the purpose of the CMMC is to enhance the protection of CUI within the Defense Industrial Base.
CMMC measures cybersecurity maturity using 5 levels. Each level consists of a set of processes and security practices. In total, the CMMC model contains 171 security practices, or controls, across 17 control families, along with 5 processes.
Organizations within the Defense Industrial Base that handle CUI will be required to be at least CMMC level 3. CMMC level 3 consists of all 110 controls from NIST SP 800-171, as well as 20 other security practices specific to CMMC. Additionally, organizations will be required to implement 3 processes designed to mature their cybersecurity program.
A major difference between CMMC and DFARS is that CMMC requires assessments to be performed by third-party assessors only. Organizations are still responsible for implementing all of the cybersecurity requirements associated with the CMMC; however, there are no more self-assessments as there were under DFARS. All assessments must be performed by a CMMC Accreditation Body (CMMC-AB) approved assessor, and the assessment results are then sent to the CMMC-AB for review before a CMMC certification is awarded to the organization seeking certification.