Creating a DoD Cybersecurity Maturity Model Certification Compliant Risk Management Plan


By Michael Chipley PhD GICSP PMP LEED AP, President, The PMC Group, (CS)²AI Fellow

November, 2020


INTRODUCTION

In response to continued data breaches and exploits of the Defense Industrial Base and other DoD contractors/vendors such as A&E firms, construction companies and systems integrators, the DoD is replacing the current DFARS 7012 Protecting Controlled Unclassified Information (CUI) self-attestation with the Cybersecurity Maturity Model Certification (CMMC) process. The CMMC builds upon the current NIST SP 800-171 and 172 standards and adds enhancements organized into Levels 1 through 5, with Level 5 being the most demanding and intended for larger organizations with full IT and SOC capabilities. For most small and medium size organizations, Level 3 will be the typical baseline, meaning they have a CMMC compliant Cyber Risk Management Plan (CRMP) in place and can identify and report a cyber incident. The desired state is Level 4, where the organization has an active Hunt and Defend program in place and performs Continuous Monitoring and Audits for Advanced Persistent Threats (APTs). DoD RFPs will be scored against the Level, and an organization will only be able to obtain an RFP for which it has been certified. DoD is currently in acquisition stage discussions with 3rd Party Assessor Organizations (3PAOs), with the intent to go to full Rule Making for the large DIB primes and their suppliers/subcontractors starting in early 2021. https://www.acq.osd.mil/cmmc/index.html

OFFICE OF THE UNDER SECRETARY OF DEFENSE FOR ACQUISITION & SUSTAINMENT CYBERSECURITY MATURITY MODEL CERTIFICATION (CMMC)

The Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) recognizes that security is foundational to acquisition and should not be traded along with cost, schedule, and performance moving forward. The Department is committed to working with the Defense Industrial Base (DIB) sector to enhance the protection of controlled unclassified information (CUI) within the supply chain.

OUSD(A&S) is working with DoD stakeholders, University Affiliated Research Centers (UARCs), Federally Funded Research and Development Centers (FFRDC), and industry to develop the Cybersecurity Maturity Model Certification (CMMC).

· The CMMC will review and combine various cybersecurity standards and best practices and map these controls and processes across several maturity levels that range from basic cyber hygiene to advanced. For a given CMMC level, the associated controls and processes, when implemented, will reduce risk against a specific set of cyber threats.

· The CMMC effort builds upon existing regulation (DFARS 252.204-7012) that is based on trust by adding a verification component with respect to cybersecurity requirements.

· The goal is for CMMC to be cost-effective and affordable for small businesses to implement at the lower CMMC levels.

· The intent is for certified independent 3rd party organizations to conduct audits and inform risk.

The CMMC is divided into 17 Capability Domains and 5 Levels with associated Practices and Processes.

The 5 Level Practices and Processes are intended to enable an organization to implement a cybersecurity program consistent with their cybersecurity contractual requirements as well as their financial and technical ability to obtain the desired Level of certification.

The CMMC will have a database (currently being developed as a DISA eMASS instance) of certified organizations, and as part of the Solicitation/RFP a Level will be assigned to the type of work/acquisition. The DoD will specify the required CMMC level in Requests For Information (RFIs) and Requests for Proposals (RFPs). Levels 1 and 2 are intended primarily for Vendors/Suppliers, and Level 3 is the minimum Level that most contractors/vendors must attain to be able to obtain RFPs. Levels 4 and 5 are for organizations able to perform Hunt and Defend and/or have a SOC capability.

The current year 2020 timeline is a bit behind schedule, but initial CMMC training and mock assessments are underway and the Final Rulemaking will hopefully occur in 2021.

The CMMC Compliance matrix has been posted to the OSD website. The Excel file can be used in conjunction with the ESTCP NIST SP 800-171 System Security Plan Word template.

The CMMC Accreditation Body is now accepting applications for 3PAOs. https://www.cmmcab.org/

DFARS 7012 CLAUSE AND CREATING A NIST 800-171 COMPLIANT CYBER RISK MANAGEMENT PLAN (CRMP)

Established by Executive Order 13556, the Controlled Unclassified Information (CUI) program standardizes the way the Executive branch handles unclassified information that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government-wide policies. DoD issued DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, in 2015, with compliance required by January 2018. The intent is for an organization to be able to detect a cyber incident and report it within 72 hours so that the compromise or breach can be evaluated for other impacts to DoD and/or contractor/vendor/Defense Industrial Base partners.

(a) Definitions. As used in this clause—

“Adequate security” means protective measures that are commensurate with the consequences and probability of loss, misuse, or unauthorized access to, or modification of information.

“Compromise” means disclosure of information to unauthorized persons, or a violation of the security policy of a system, in which unauthorized intentional or unintentional disclosure, modification, destruction, or loss of an object, or the copying of information to unauthorized media may have occurred.

“Contractor attributional/proprietary information” means information that identifies the contractor(s), whether directly or indirectly, by the grouping of information that can be traced back to the contractor(s) (e.g., program description, facility locations), personally identifiable information, as well as trade secrets, commercial or financial information, or other commercially sensitive information that is not customarily shared outside of the company.

“Controlled technical information” means technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination. Controlled technical information would meet the criteria, if disseminated, for distribution statements B through F using the criteria set forth in DoD Instruction 5230.24, Distribution Statements on Technical Documents. The term does not include information that is lawfully publicly available without restrictions.

“Covered contractor information system” means an unclassified information system that is owned, or operated by or for, a contractor and that processes, stores, or transmits covered defense information.

The DoD implementation of the EO was issued December 2015 as the “Guidance to Stakeholders for Implementing Defense Federal Acquisition Regulation Supplement Clause 252.204-7012 (Safeguarding Unclassified Controlled Technical Information).”


The protection of Controlled Unclassified Information (CUI) while residing in nonfederal information systems and organizations is of paramount importance to federal agencies and can directly impact the ability of the federal government to successfully carry out its designated missions and business operations. The requirements apply to all components of nonfederal information systems and organizations that process, store, or transmit CUI, or provide security protection for such components. The CUI requirements are intended for use by federal agencies in contractual vehicles or other agreements established between those agencies and nonfederal organizations.

“Technical information” means technical data or computer software, as those terms are defined in DFARS Clause 252.227-7013, Rights in Technical Data-Non Commercial Items, regardless of whether or not the clause is incorporated in the solicitation or contract. Examples of technical information include research and engineering data, engineering drawings, and associated lists, specifications, standards, process sheets, manuals, technical reports, technical orders, catalog-item identifications, data sets, studies and analyses and related information, and computer software executable code and source code.

The data may be in tangible form, such as a blueprint, photograph, plan, instruction, or an operating manual, or may be intangible, such as a technical service or oral, auditory, or visual descriptions.

Examples of technical data include research and engineering data, engineering drawings, and associated lists, specifications, standards, process sheets, manuals, technical reports, technical orders, catalog-item identifications, data sets, studies and analyses and related information, and computer software.

DoD ESTCP WEBSITE CYBER RISK MANAGEMENT PLAN TEMPLATES

The current 800-171 DFARS 7012 CRMP process is posted on the DoD ESTCP website at: https://serdp-estcp.org/Tools-and-Training/Installation-Energy-and-Water/Cybersecurity/FRCS-Protecting-CUI.

All DoD projects that will collect, transmit, or store CUI data must have a current Cyber Risk Management Plan (CRMP) IAW NIST SP 800-171 and the DFARS CUI Guide, with compliance required by December 2017.

Templates are provided for each of the documents and the IE and ESTCP offices will assist contractors/vendors to complete a CRMP. Note the templates can be used for both corporate IT business systems and OT FRCS projects. Typical CUI data on corporate IT systems includes design drawings and site information (CAD, BIM, GIS), specifications, test results, and consumption data (meter, site data). Typical CUI on OT projects includes network traffic (Modbus, BACNet, TCP/IP) between HMI and lower level controllers, configuration files, hardware/software versions and hashes, and consumption data (meter, site data).

The following documents are typically included in the CRMP (presented in order of recommended completion):

  • CRMP Table of Contents Checklist

  • Event/Incident Communications Plan (EICP)

  • Event/Incident Response Plan (EIRP) 

  • Information Systems Contingency and CONOPS Plan (ISCP)

  • Information System Policies and Procedures (ISPP)

  • Security Audit Plan (SAP)

  • System Security Plan (SSP)

  • Security Monthly (or Quarterly) Assessment Report (SMAR)

  • Plan of Action & Milestones (POAM)

  • DFARS CUI DIBNet Incident Response Form

  • US-CERT Incident Response Form

  • CJCSM 6510.01B Incident Response Form

The DFARS 7012 Clause uses the NIST SP 800-171 standard, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, as the basis of a cybersecurity program.

“The protection of Controlled Unclassified Information (CUI) while residing in nonfederal information systems and organizations is of paramount importance to federal agencies and can directly impact the ability of the federal government to successfully carry out its designated missions and business operations. The requirements apply to all components of nonfederal information systems and organizations that process, store, or transmit CUI, or provide security protection for such components. The CUI requirements are intended for use by federal agencies in contractual vehicles or other agreements established between those agencies and nonfederal organizations.”

The NIST SP 800-171 controls originated in NIST SP 800-53 R4 as a condensed version; note the 3.X.X numbering scheme that differentiates them from NIST SP 800-53.

The current DFARS 7012 requires an organization to have a System Security Plan (SSP) and Plan of Action and Milestones (POAM).

· NIST SP 800-171, Security Requirement 3.12.4 (System Security Plan): Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.

· NIST SP 800-171, Security Requirement 3.12.2 (Plans of Action): Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems.

The SSP and POAM templates are provided on the ESTCP website. The DoD CMMC Compliance Matrix or the DHS CSET Tool can be used to generate the Security Controls and responses.

Another key area to address is the Information System Contingency Plan and conducting a Table-Top Exercise. A Ransomware Table-Top Exercise is an excellent way to also test the Event/Incident Communications Procedure (EICP) and the Event/Incident Response Plan (EIRP).

DFARS CYBER INCIDENT REPORTS

DFARS cyber incidents are reported to the Defense Cyber Crime Center (DC3) via the DIBNet portal. Note: DIBNet is a web portal for sharing threat information between DoD and DIB companies. See appendix F for a list of reportable fields.

If the contractor does not have all the information required by the clause within the 72-hour time constraint, specified in paragraph (d)(1) of the safeguarding clause, the contractor should report the details available at the time.

Having created and exercised all of the CRMP documents, an organization is ready to Self-Attest compliance. An additional DFARS requirement is to flow down the DFARS CUI security requirements to all subcontractors/teammates.

CMMC IMPACT ON OTHER FEDERAL AGENCIES

The recently released GSA STARS III RFP includes requirements for all bidders to become CMMC compliant as they expect the CMMC will become the baseline for other federal agencies.

H.6.3.3 While CMMC is currently a DoD requirement, it may also have utility as a baseline for civilian acquisitions; so it is vital that contractors wishing to do business on 8(a) STARS III monitor, prepare for and participate in acquiring CMMC certification.

H.6.3.4 8(a) STARS III contractors should begin preparing for CMMC and SCRM accreditation by staying aware of developing requirements and by implementing the appropriate NIST SP 800-series documents. Examples of appropriate actions include the following:

(1) Determine if your company receives federal funds from the Department of Defense either directly as a prime contractor or indirectly via subcontracts, purchase orders, or other contractual agreements. If so, and/or if Civilian agencies adopt the same program, you should be prepared to obtain at least a Level 1 certification.

(2) Determine whether your company currently or in the future expects to electronically process, store, or transmit CUI in the performance of its defense contracts. If so, you should be prepared to obtain at least a Level 3 certification.

(3) Review your company’s current compliance with NIST SP 800-171 Rev 1 in relationship to your expected CMMC level requirements. Begin drafting a System Security Plan (SSP) in accordance with NIST SP 800-18 Rev 1. If you currently have a Plan of Action and Milestones (POAM) in place or identify additional concerns, dedicate appropriate resources to ensure that progress is being made to close any gaps as quickly as possible. Examine Draft NIST SP 800-171B for enhanced security requirements to improve cybersecurity maturity capabilities as applicable given the CMMC level you intend to attain.

(4) Review your company’s current compliance with NIST SP 800-161 to include the establishment of a SCRM Plan.

(5) Investigate your subcontractor base as CMMC and SCRM requirements may flow down to subcontractors, including commercial item subcontractors. It is expected that consent to subcontract at the Order level may also consider subcontractor CMMC level.

SUMMARY

Any organization can download the ESTCP CRMP templates and start on the process to become NIST SP 800-171 and CMMC compliant. Organizations wishing to do business with the DoD, and soon the GSA, will need to ensure they have a CMMC Compliant Cyber Risk Management Plan in place and perform Continuous Monitoring and Auditing to ensure their IT systems are not compromised. The government does not penalize an organization that experiences a compromise or data breach; however, an organization MUST be able to DETECT and REPORT a cyber incident within 72 hours.

The CMMC cost to achieve a 3PAO compliance assessment has not been published, but the FAQs state “The cost of certification will be considered an allowable, reimbursable cost and will not be prohibitive.” The CMMC Accreditation Board website says a 3PAO must be ISO 17021 certified, and it is now accepting applications.