During a CMMC industry event (CS2) on February 4, nearly one thousand attendees from the Defense Industrial Base (DIB) were polled via anonymous surveys in each session of the online event. The data and findings below reflect a subset of self-identifying small, medium, and large contractors supporting the Department of Defense (DoD). The analysis below is a small depiction of how Organizations Seeking Compliance (OSCs) are currently addressing, or not addressing, federal cybersecurity mandates such as CMMC, DFARS 7012/7019/7020/7021, and more. Also, many survey questions and associated responses demonstrate several cloud adoption trends within the DoD contracting community.
What CMMC Level are Most OSCs Pursuing?
Not surprisingly, 87% of the 564 individuals responded that they intend to pursue CMMC Level 3 compliance. Because of the intrinsic requirements associated with handling, storing, and protecting Controlled Unclassified Information (CUI), many aerospace and defense contractors are required to pursue Level 3 compliance, and it most closely maps to the previous requirement to meet the 110 controls found in NIST 800-171. Also, the CMMC model explicitly states that the imperative for Level 3 is to maintain "the increased protection of CUI".
It should be noted that most attendees of the Cloud Security and Compliance Series (CS2) are forward-leaning IT and business leaders that may also represent a different contingent compared to the tens, if not hundreds, of thousands of organizations that make up the DIB.
DFARS 7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, requires contractors to provide "adequate security" for Covered Defense Information (CDI) and was released to the DIB on September 19, 2017. Many of these requirements overlap with CMMC Level 3, but it is telling to see a large quantity of organizations still in the process of addressing gaps. Overall, it is promising to see the vast majority seriously tracking their progress and cybersecurity posture like never before in the industry's history.
What Data Types are Most OSCs Aware of or Holding: ITAR, CUI, or FCI?
The options are somewhat misleading because International Traffic in Arms Regulations (ITAR) data is a subset of CUI, meaning that the baseline protections you are required to provide for sensitive data, such as CUI-Basic, also apply to ITAR data.
Note: not all ITAR data is CUI; it is possible that data developed under a non-governmental contract could result in ITAR data outside of the CUI space.
However, there are more stringent requirements on tracking and logging how it can or may be distributed. Organizations dealing with ITAR data as a requirement of their contracts with the DoD or larger prime contractors are often considering specific cloud platforms, such as Microsoft 365 GCC High, to meet these regulations.
This particular poll allowed for multiple selections, but 40% of the respondents selected that they interact with CUI. The response is somewhat expected, as the first poll shows companies are mostly pursuing CMMC Level 3. Since the inception of NIST 800-171 and more recently CMMC, a majority of industry discussion has circled around the question: "What is CUI, and how do I classify it when it's identified?" The CS2 session "CUI Foundations and Critical Risks" from Bob Metzger provided clarity on the distinction between Federal Contract Information (FCI) and CUI for those in the DIB.
CUI is at a higher sensitivity level than FCI, and it's important to note that FCI does not include publicly available information. However, it is startling to see more companies reporting the presence of ITAR in their organization rather than FCI, which is mostly associated with OSCs pursuing CMMC Level 1. A possible conclusion is that there is less conversation and training around knowing and identifying FCI within organizations, and therefore it is the least recognized.
The last option 'Other' could imply that these organizations are handling other types of sensitive data such as CTI, CDI FOUO, LES, SBU, etc.
Identifying, Classifying, and Labeling CUI
Though many attendees were not acquisition or contracts professionals, some among the audience held FSO, CISO, and various other security roles within their organization. Despite this mix, 87% of the 373 respondents lacked confidence in their understanding of CUI classification or their responsibility in the process. Understanding the origination, mutual responsibilities, and distribution requirements of CUI makes up the backdrop of NIST 800-171, DFARS 7012, and CMMC.
Even with DoD's release of the CUI Classification and Training Program and other supporting material, it might be concluded that an education gap exists amongst industry leaders. A possible side effect is the emergence of many otherwise secure organizations in the DIB that over- or under-classify the CUI in their possession during contract execution.
FISMA 113-283 states agencies must "identify and provide information security protections commensurate with the risk and the magnitude of the harm resulting from the unauthorized access, use, disclosure, disruption, modification or destruction". However, as demonstrated in the responses above, the DoD is not regularly or consistently "marking or otherwise identifying in the contract, task order, or delivery order and provided to the contractor" according to DFARS 7012. A combined 63% of the group polled answered that their customers "Practically Never" or "Not Very Well" label CUI. So who is responsible?
The excerpt below from DFARS 7012 gives some clarity, or ambiguity, depending upon your interpretation:
CDI is, in part, information "collected, developed, received, transmitted, used, or stored by or on behalf of the contractor", and this puts more of the onus on contractors who have less training than the civil servant contracting officers in most cases. Bob Metzger addresses this challenge in his talk from CS2.
Moreover, the DoD and supporting agencies, such as NARA, will need to address this challenge in the near term because CMMC was specifically "designed to provide increased assurance to the Department that a DIB contractor can adequately protect sensitive unclassified information such as Federal Contract Information (FCI) and Controlled Unclassified Information (CUI)". CMMC will miss some of its initial intent if CUI is not treated properly because it was never identified in the first or second place.
C3PAO Assessments: Preparations for CMMC
As Stacy Bostjanick mentioned in her CS2 session "CMMC Rollout and 2021 Outlook", the initial group of CMMC-AB approved Certified Third-Party Assessor Organizations (C3PAOs) are in the process of preparing for their own DCMA/DIBCAC assessments, and some of them are currently underway. Defense contractors should actively be preparing for upcoming CMMC assessments, and likely need to begin the vetting process to identify the organizations that will be giving them their "stamp of approval" to pursue DoD contracts. It will be more time-consuming to receive an assessment if you start the outreach process during the initial rush.
81% of the 467 respondents had not reached out to a C3PAO, but it is expected that this number will rise throughout 2021. Many of these organizations can be found in the CMMC Marketplace and can provide pre-assessment audits as well.
DFARS 7019 Progress and Supplier Performance Risk System
As discussed in the DFARS 7019 and 7020 clauses, DIB suppliers must enter and maintain their self-assessment results (if conducting a Basic assessment) in the Supplier Performance Risk System (SPRS). As a prerequisite to contract award or renewal, contracting authorities must check for properly reported assessment results as the new DFARS clauses are added to the RFP or contract language.
From the results above, 273 out of 472 people who answered this poll checked that they indeed had submitted their scores into SPRS.
Federal Assistance Meeting CMMC Compliance
79% of the 520 that answered the poll above stated "No" when asked if they had interacted with any local organizations in terms of CMMC and NIST 800-171 compliance. This is no surprise, as there has been no official mention of federal assistance being awarded to NIST MEP centers for CMMC assistance. PTACs, or Procurement Technical Assistance Centers, are state-represented training centers that help businesses of all types and industries meet federal regulations and maintain a competitive position in national and global markets. PTACs also help DIB companies understand DoD cybersecurity requirements, successfully submit documentation and assessments in SPRS, and meet training needs.
In her CS2 session, Stacy Bostjanick mentioned that NIST MEP Centers are currently being trained for CMMC compliance, but there was no mention of when grant funding would be available in 2021/2022.
Organizational Cloud Adoption
The transition to cloud platforms and infrastructure is an ever-growing trend for small to large defense contractors. Though the CS2 conference has a unique focus on the government and US-sovereign cloud offerings of Microsoft, there are clear reasons why the greater community mimics the above breakout. Cloud providers such as Microsoft and Amazon are leading the way in the shared responsibility model, where their FedRAMP High and DISA IL 5 protocols at the data center and administrative levels will meet or partially meet many of the 130 Practices in CMMC Levels 1-3. Offloading these requirements can create resource margin in an otherwise burdensome situation where DIB suppliers need to transform the way they do business from an IT and security operations standpoint. Moreover, Microsoft has initiated several programs to assist businesses in meeting the remaining practices and responsibilities for CMMC through free tools and documentation.
Without revisiting many of the aforementioned takeaways, this overwhelming majority is likely due to Google's lack of ability to meet select ITAR and DFARS requirements, and the lack of comprehensive SaaS offerings by other vendors. Unlike Microsoft's Office 365 GCC and GCC High suite, many other platforms lack elements of communication and collaboration (found in Teams) or native security tools such as Microsoft Defender. This is leading many companies to opt for a more complete solution regardless of well-known feature parity concerns or price.
Microsoft Compliance Manager
Matt Soseman, Security Architect and Spokesman at Microsoft, shared the capabilities of Microsoft Compliance Manager for CMMC compliance in his session at CS2 Virtual, and the results above show a breakdown of the audience's familiarity with the product. Because CMMC can be time-consuming for IT managers as they build out assessments and templates for assessments, Compliance Manager solves this headache with the ease of template creation and tracking progress towards compliance.
Matt consistently shares Microsoft's product suite and the capabilities of each product in demos and formats that are easy to digest. Here are links to his LinkedIn and YouTube channel, as well as his session on "Microsoft Defender for Identity and CMMC".
Pulling (Audit) Logs Like a Lumberjack
A Security Information & Event Management (SIEM) product like Azure Sentinel is likely the method organizations will choose to meet specific CMMC requirements found in the Incident Response (IR), Risk Management (RM), and Audit and Accountability (AU) domains.
For example, CMMC Audit and Accountability practice AU.2.044 reads "Review audit logs" and practice AU.3.048 reads "Collect audit information (e.g., logs) into one or more central repositories." In order to pull these logs into a SIEM, a product like Microsoft Defender for Endpoint or similar would be needed to pull monitoring data from laptops, servers, and other machines into a single pane of glass for a complete understanding of all threats.
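To show why the two practices go together, here is an added example (not code from the original post, and not Azure Sentinel or Defender for Endpoint data or APIs): a toy central repository that normalizes constructed log lines from an endpoint agent and a Linux server's auth log into one schema (AU.3.048) and then reviews them (AU.2.044) for a burst of failed logons. The burst only crosses the review threshold once both sources are combined; each source on its own looks benign.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
# Constructed sample input (not real Defender or Sentinel data): JSON events as an
# endpoint agent might forward them, plus sshd lines from a Linux server's auth log.
ENDPOINT_JSON = [
    '{"ts":"2021-02-04T13:00:05Z","host":"LAPTOP-01","user":"jdoe","event":"LogonFailed"}',
    '{"ts":"2021-02-04T13:00:09Z","host":"LAPTOP-01","user":"jdoe","event":"LogonFailed"}',
    '{"ts":"2021-02-04T13:00:14Z","host":"LAPTOP-01","user":"jdoe","event":"LogonSuccess"}',
]
SYSLOG_AUTH = [
    "Feb  4 13:00:06 srv01 sshd[2201]: Failed password for jdoe from 10.0.0.5 port 51234 ssh2",
    "Feb  4 13:00:11 srv01 sshd[2201]: Failed password for jdoe from 10.0.0.5 port 51236 ssh2",
    "Feb  4 13:02:00 srv01 sshd[2210]: Accepted password for asmith from 10.0.0.7 port 51300 ssh2",
]
SYSLOG_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) sshd\[\d+\]: (Failed|Accepted) password for (\S+)")

def from_endpoint(line):
    """Map one endpoint JSON event onto the shared schema."""
    e = json.loads(line)
    ts = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "host": e["host"], "user": e["user"], "failed": e["event"] == "LogonFailed"}

def from_syslog(line, year=2021):
    """Map one sshd line onto the shared schema; syslog omits the year, so it is supplied."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None  # not an authentication line; skipped by this toy collector
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    return {"ts": ts, "host": m.group(2), "user": m.group(4), "failed": m.group(3) == "Failed"}

def collect(endpoint_lines, syslog_lines):
    """AU.3.048: one central, time-ordered repository built from every source."""
    recs = [from_endpoint(l) for l in endpoint_lines]
    recs += [r for r in map(from_syslog, syslog_lines) if r]
    return sorted(recs, key=lambda r: r["ts"])

def review_failed_logons(records, threshold=3, window=timedelta(seconds=60)):
    """AU.2.044: flag users with >= threshold failed logons inside the window, on any hosts."""
    by_user = defaultdict(list)
    for r in filter(lambda r: r["failed"], records):
        by_user[r["user"]].append(r)  # records are already time-ordered
    findings = {}
    for user, fails in by_user.items():
        for i, first in enumerate(fails):
            burst = [f for f in fails[i:] if f["ts"] - first["ts"] <= window]
            if len(burst) >= threshold:
                findings[user] = sorted({f["host"] for f in burst})
                break
    return findings
```

Running `review_failed_logons(collect(ENDPOINT_JSON, SYSLOG_AUTH))` flags `jdoe` across both hosts, while feeding either source alone returns nothing.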
Who will be assessed first?
With the DoD's announcement that 15 prime contracts will be the first to include DFARS 7021 requirements, it is clear that those bidders and their subcontractors will be the first companies assessed. The remaining businesses in the Defense Industrial Base can expect to see CMMC requirements in all contracts by 2026. Also, OSCs can access the CMMC Assessment Guides for Level 1 and Level 3 that were released publicly by the DoD by way of preparation.
It is clear from the percentages above that organizations are optimistic about undergoing an assessment by year's end and are not largely sitting on their hands.
How often will we need an assessment?
As stated in DFARS 7019, contractors will need to have a Basic, Medium or High assessment completed every three years.
Overall the statistics gathered show progress towards a more secure supply chain and promising adoption of CMMC. Some concern could be garnered with regards to CUI and the lack of proper program execution from both agencies and industry. For greater context on all of the polls and sessions they correspond to, you can visit www.cmmc.video and subscribe for conference content yet to be released.
CS2 is a community and industry driven series of virtual and in-person events strictly for government contractors looking to meet cybersecurity regulations, address security threats, and glean best practices for their cloud investments. Previous conferences have covered best practices for CMMC, DFARS 7012/7019/7020/7021, NIST 800-171 compliance, CUI and ITAR data management, audit preparations, and other cloud security topics.
Disclaimer: The responses and data provided above do not represent the CMMC-AB or any other sanctioned federal entity.