New DOD requirements – supply chain, risk management, and Cybersecurity Maturity Model Certification

The DoD will require written proof of a compliant security program throughout the supply chain in RFP responses. To establish accreditation, the DoD is establishing a new standard and maturity ranking called the Cybersecurity Maturity Model Certification (CMMC). Under the CMMC, contractors will be assessed on their implementation of required cybersecurity controls and processes, and their cybersecurity hygiene will be ranked on a scale of one to five: 

• Level 1: Basic
• Level 2: Intermediate
• Level 3: Good
• Level 4: Proactive
• Level 5: State of the art

Level 3 will be the minimum necessary to comply with DFARS requirements to win a defense RFP. In general, Levels 1 to 3 map to NIST 800-171 Rev. 1, while Levels 4 and 5 map to NIST 800-171B. The 800-171B version of the regulation has 32 new enhanced security requirements that are based on the 14 control families found in NIST 800-171. Some significant conditions include: 

• Establish and maintain a full-time security operations center.
• Establish and maintain a cybersecurity incident-response team that can be deployed within 24 hours.
• Employ automated mechanisms to detect misconfigured or unauthorized system components.
• Implement secure information-transfer solutions, including encryption of data, to control data flows between security domains on connected systems.
• Ensure that internet of things, industrial internet of things, and operational technology systems, components, and devices are compliant with the security requirements.

The Pentagon will release details on CMMC later this summer, and aims to finalize the framework by January 2020. CMMC will start appearing in RFIs in June 2020, and potential contractors will be required to demonstrate a rating of at least Level 3 by September 2020. We expect that the DoD will outsource CMMC compliance to independent third-party firms that will audit contractors and issue certifications.

Compliance with DU and CMMC will be challenging for many prospective contractors, particularly smaller and midsize firms that have not implemented the controls detailed in NIST SP 800-171. Here’s why: 

Government contractors that have not designed and implemented a formal security program will be unprepared to identify, prevent, detect, and report supply chain cyberattacks. That’s because they lack the necessary security policies, processes, and controls. Among these, an incident-response plan is critical because the DoD requires that contractors and subcontractors establish processes to identify a cybersecurity incident and report the intrusion event within 72 hours of discovery.

Moreover, contractors often don’t have documented procedures for due diligence, audits, and risk assessments of their subcontractors. Another frequent deficiency is a lack of multifactor authentication, which is a critical requirement for DFARS compliance and is a mandatory requirement under DU. The DoD has not yet specified the type of multifactor authentication required, but two-factor authentication will be a minimum. 

Finally, smaller companies may lack a thorough understanding of the compliance obligations stated in DoD contracts. In part, that’s because defense contracts are inconsistent across agencies, and each may stipulate a different set of requirements.

One critical mandate of both DU and CMMC is advanced breach detection, a capability that government contractors often lack. Contractors will need to fuse advanced solutions with appropriate governance and mature processes to rapidly detect devices of interest and indicators of compromise.

To fill this gap, companies will need to implement solutions that can analyze the multitude of protocols and new attack vectors each day to identify breaches and anomalous behavior on the defense contractor network. The analysis should weigh the contractors’ application-based metadata – combined with user information and the latest threat intelligence – against past, current, and future network activity to detect previously unidentified breaches.

The specific safeguards and controls mandated by DU and CMMC are not yet known, so compliance obligations and strategies are preliminary, at best. MITRE recommends that contractors develop a security program based on industry frameworks such as NIST SP 800-171, NIST SP 800-53, and NIST SP 800-160. 

Even though the precise requirements are not yet established, government contractors should begin working toward certification now. Start by assessing compliance with NIST SP 800-171, which lays out 110 security controls for contractors. Those that have implemented most or all of the controls will have a head start earning CMMC accreditation. Contractors that have not implemented 800-171 controls will need to launch an accelerated effort to do so.

Bhavesh Vadhani, Principal, Cybersecurity and Privacy

703.847.4418

Kristen Soles, Partner, Government Contracting Industry Leader