The Cybersecurity Maturity Model Certification (CMMC) 0.4 draft has gone through a public review period, and the resulting 0.6 draft was published in November 2019. This revision brings several overall changes, deep cuts based on industry feedback, and domain-by-domain impacts. Summit 7 hosted a webinar on the changes. You can watch below or read ahead for the high notes. Readers are leaders, after all.
Overall Changes and Updates
For starters, Levels 4 and 5 were not covered in 0.6 and will likely come out in a separate release, possibly ‘0.9’. Also, Stacy Bostjanick mentioned in the Tampa CMMC session that a 0.7 should be released in mid-December that includes additional walkthroughs and assessment guides. There is a walkthrough for Level 1 at the end of the 0.6 draft, and there will be a walkthrough for all levels with the 1.0 release. No slip in schedule.
The CMMC managed to eliminate 18 controls in Level 1, 57 in Level 2, 35 in Level 3, 33 in Level 4 and 9 in Level 5. In total, 152 controls were removed, primarily from Asset Management (AM), Configuration Management (CM), Cybersecurity Governance (CG), which is now gone entirely, and Situational Awareness (SA). As a result, 219 total controls remain to reach Level 5 and 131 total to reach Level 3 (21 above and beyond NIST 800-171). It is important to note that all levels are cumulative, meaning Level 3 requirements include all of the Level 1, 2, and 3 controls.
Federal Contract Information (FCI) vs CUI
This round of changes introduced an acronym new to CMMC (the term itself predates CMMC), and we love new acronyms in the DoD community. CMMC refers to 48 CFR § 52.204-21 for clarification on the FCI moniker, which defines it as:
Information that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government.
In Levels 1 and 2, a word swap of CUI to FCI occurs in several places. The change in vernacular presumably intends to make the requirements broader and extend them beyond just CUI, as some confusion exists amongst industry as to what contractual information constitutes CUI. Also, CUI is definitively at a higher sensitivity level than FCI, and it is important to note here that FCI does not include information provided by the Government to the public.
Domains Beyond NIST 800-171
The list below consists of domains whose practices have some requirements beyond NIST 800-171 as of the CMMC 0.6 draft:
- Asset Management (AM)
- Audit and Accountability (AA)
  - This domain introduces the need for a SIEM or SIEM-like suite of tools, namely collating audit logs into a central repository for review.
- Incident Response (IR)
  - Root cause analysis necessitates technology such as Microsoft's eDiscovery, a SIEM, etc.
- Recovery (RE)
  - Off-site and offline does not necessarily mean creating tapes and storing them in a safe. This requirement is somewhat open to interpretation. Nevertheless, it likely requires backup solutions that limit the network reachability of the systems conducting the backups. Severing communication after the backup completes is key.
- Risk Management (RM)
  - The 1147 requirement mainly refers to obsolete technology needing to be offline or disconnected from the network. For example, a manufacturing company might currently use a Windows XP machine to run legacy CNC software that would be costly to replace. This scenario is appropriate so long as the machine is offline and remains in a disconnected state.
- Security Assessment (SAS)
- System and Communications Protection (SCP)
- System and Information Integrity (SII)
The level of reduction leads us to believe that much of what you see in 0.6 is what you will see in 1.0. Industry has spoken loudly, and the CMMC has responded accordingly. Therefore, the next best steps are preparing existing information systems (covering FCI and CUI) to meet NIST 800-171, or establishing a new environment that meets those standards and migrating into it. DFARS 7012 requirements still exist, and process requirements are retained in CMMC. Thus, it would behoove DoD suppliers in the Defense Industrial Base (DIB) to establish an SSP and POA&M in the immediate future.
Lastly, a new solution for backups and SIEM will need to be defined, or existing solutions will need to be reassessed against CMMC. More to come on that subject.