Examining the Comprehensive Cybersecurity Framework: CMMC In Detail

Examining the current effects of CMMC and contemplating possible adjustments for optimal performance

Examining Fortified Security: A Detailed Review of the CMMC

The Cybersecurity Maturity Model Certification (CMMC) program, introduced by the US Department of Defense (DoD), has been instrumental in raising cybersecurity awareness across the defense supply chain. The program, designed to ensure that defense contractors meet stringent cyber-hygiene requirements, has been a significant step towards safeguarding sensitive information.

In a recent cyberattack, nearly 40 US government defense contractors were hit. This incident underscores the importance of the CMMC, which aims to prevent such occurrences in the future. The CMMC framework enables the DoD to make risk-informed decisions about the information it shares with Defense Industrial Base (DIB) contractors.

Contractors seeking to bid on DoD contracts will be subject to an assessment by an approved CMMC Third Party Assessment Organization (C3PAO). This assessment helps ensure that contractors meet the required cybersecurity standards.

The CMMC framework consists of five certification levels, with level five being the highest. Level one shows that a contractor has performed basic cyber-hygiene practices, while level two shows that these practices are documented. Level three, the current focus, demonstrates that cybersecurity practices are managed and includes the 110 security requirements from NIST SP 800-171. The CMMC spans 17 technical domains, including access control, asset management, audit and accountability, awareness and training, and configuration management, among others.

A CMMC certification is valid for three years, and its cost is treated as an agreed expense by the DoD. The DoD plans to include CMMC as a requirement in all Requests for Proposals (RFPs) starting in 2026.

However, the CMMC program has not been without controversy. The CMMC Accreditation Body (CMMC-AB), which accredits the assessors, has faced criticism for its partnership plan and has experienced leadership changes. There have also been concerns about the CMMC-AB's initiative to monitor open-source information about companies' cybersecurity, with criticism focused on response time, cost, and market research.

Moreover, there are questions about the effectiveness of CMMC enforcement, given the questionable track record of federal agencies in cybersecurity. Some argue that the outsourced certification process could be more effective at enforcing cybersecurity standards than intra-government efforts.

Despite these concerns, the CMMC does include process maturity activities such as maintaining policies and managing activities. Still, it remains unclear how effective the CMMC will be at staunching the flow of information out of the US military-industrial complex, particularly as weapons systems become increasingly sophisticated and companies move into advanced research areas such as AI.

Before the introduction of the CMMC, the DoD relied on contractor self-attestation for defense contractor security. The CMMC represents a significant step forward in securing sensitive information in the defense supply chain. As the program continues to evolve, it will be interesting to see how it shapes the cybersecurity landscape.