Current State of CMMC with AFCEA - SCRM
Can CMMC help us avoid another SolarWinds-type attack? What is CUI and FCI, really? Are there any plans for CMMC reciprocity? And what country exploited DIB supply chain vulnerabilities to build an F-35 fighter jet using our technology? These questions and more are answered in this installment of the AFCEA Webinar Series: CMMC Q&A.
The Cybersecurity Maturity Model Certification (CMMC) is fraught with uncertainties, but one thing is still sure: CMMC is here. While the timeline for CMMC compliance continues to be a fluid process, the path to certification takes a lot longer than most defense suppliers think.
We attended another AFCEA Webinar to get an update on the current status of CMMC implementation from those who are best equipped and informed to provide it: Stacy Bostjanick, Acting Director of Supply Chain Risk Management for the Office of the Under Secretary of Defense for Acquisition & Sustainment, and Bob Kolasky, Assistant Director from Department of Homeland Security’s National Risk Management Center.
The CMMC is a foundational beginning for Supply Chain Risk Management (SCRM) as a national security issue. This is how we protect ourselves, our country, and our intellectual property. There's even talk of CMMC certification becoming a federal government-wide capability across the board to address supply chain risk management as an issue for the whole country and not just a DoD/DHS concern.
Mr. Kolasky Intro: The National Risk Management Center and the Cybersecurity and Infrastructure Security Agency's (CISA) role is to think about our work around two core concepts: being the nation's cyber and critical infrastructure risk advisor and getting the best information into the hands of the people who are making security and resilience decisions.
There are ways for industry and government to collaborate to enhance supply chain practices, and we need to learn from CMMC to do things consistently with other parts of the civilian government. We are looking at ways to push good practices that are consistent with a risk-based standard and help the industrial base demonstrate that they're trustworthy, putting acquisition professionals in a position where they don't have to take so many risks.
Ms. Bostjanick Intro: CISA and DHS are "working to implement supply chain risk management controls and issues across the department to make sure that we get the information into the war fighter's and the decision program manager's hands," Bostjanick said. She makes clear that this is "not just a DoD issue, it's not just a federal government issue, it's an issue of protecting our nation to ensure that we keep our intellectual property within our borders. Otherwise, we're giving our adversaries advantages over us by allowing our information to be stolen on a regular basis."
Ms. Bostjanick is serious about our nation's proprietary information. "We have always been known as a country that's on the cutting edge of innovation and a lot of the great ideas around the world have started here," she said. "Where we find ourselves today is other countries are stealing our information and they're beating us out for superiority based on our hard work. That's why there's a plane that looks just like the F-35 flying around in China."
Bostjanick worked for NAVAIR when the F-35 aircraft was being developed. "I remember the hours and the blood, sweat, and tears that those engineers put in place to figure out why they were having trouble getting it off the carrier deck. They worked until midnight to ensure they met schedule and secured superior capability for our war fighters when they went into battle. Then they lost that edge because somebody came in and stole our information by hacking into somebody's supply chain." This emphasizes why CMMC is a whole nation issue.
The webinar was a CMMC Q&A that we’ve summarized here so the DIB community can stay up to date on CMMC.
Question: What is Cybersecurity Maturity Model Certification (CMMC), how is it important to Supply Chain Risk Management (SCRM) and how do they work together?
According to Ms. Bostjanick, CMMC came about after the 252.204-7012 clause went into effect at the end of 2017. By 2018, the Inspector General and the Navy Cyber Readiness Review team were performing audits. They determined that companies who previously claimed compliance were, in fact, not meeting the compliance standards of the 7012 clause and even had POAMs that hadn't been touched for years. The DoD decided it was time to validate companies in the DIB, so they initiated the construct of CMMC with third-party assessment organizations, much like FedRAMP uses third-party assessment organizations to validate cybersecurity standards.
"CMMC is a framework that the Department of Defense put together that looked at all of the different cyber standards across industry and across the world." Bostjanick notes that it's "important to make sure that your networks are handling the controlled unclassified information (CUI) in a secure manner."
Ms. Bostjanick outlines the construct of CMMC this way: "There are approximately 17 families of practices that are included in our model, and for CMMC Level Three there are 130 requirements, 110 of which directly align with NIST 800-171, and the first 17 of those directly align with the basic cyber hygiene requirements in FAR 52.204-21."
Mr. Kolasky chimed in, stating that CMMC and SCRM are "really around particularly understanding your ICT suppliers and risks associated with the availability, confidentiality, and integrity of critical systems that could be exploited by supply chain failure." Supply chain exploitation becomes a cybersecurity conversation because of the potential risk in incumbent software systems, especially with the uptick in software as an attack vector, but there's also a hardware component. We all need to think about and take seriously the supply chain risk as we're making decisions. According to Mr. Kolasky, getting those risks ingrained into decision-making centers is at the core of SCRM.
Question: Many in the DIB, the defense industrial base, continue to struggle with fully understanding exactly what CUI is and what they are obligated to protect under existing contracts that have the 7012 clause. Is there more clarity around this?
The DoD is working very hard to establish training courses for the program managers so they may be able to identify CUI before it goes into a contract. This will then allow them the capability to think through it and be able to map it down the supply chain. They recognize that it doesn't make sense for one requirement to come in at a CMMC Level 3, then have every subcontractor that falls under that meet the same level.
Question: What are the best practices for small businesses that may work with supply chains which include China, possibly other foreign states, and other overseas partners that will eventually be bidding, but they aren't vendors yet? Are there any resources or guidance for those scenarios?
Mr. Kolasky: All DoD contractors doing business with the national security enterprise will have to take seriously that they could be a potential exploitation target for countries trying to exploit our supply chains. Last year we published Supply Chain Risk Management Essentials, an overview on thinking through your supply chain risk management program, available on our website. It takes some of the great principles of SCRM to provide a better suite of tools that support small and medium-size businesses in decision-making.
In terms of sourcing things from particular countries or companies that may be under the influence of foreign governments who don't share America's interests, it's something we are always thinking about.
Question: What are CISA's or DHS's future plans to work with DoD and bring CMMC into contract requirements or solicitations?
Mr. Kolasky: So from a DHS perspective on CMMC, there were conversations under the previous administration about bringing CMMC into parts of the DHS contracting base. Since there's a new administration with a new CIO and new CISO, the DHS will review those plans and have ongoing conversations. There's no formal answer yet, but we're headed toward more convergence.
Question: Since C3PAO assessment reports will be uploaded to eMASS, will audit runs and audit reports be accessible for contractors to validate other companies they do business with?
Ms. Bostjanick: The database that we're using right now is the CMMC eMASS through the DISA government cloud. The CMMC Third-Party Assessor Organizations (C3PAOs) and the Defense Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) assessment team have been trained to examine against the CMMC requirements. C3PAOs will provide a Level 3 assessment (performed virtually until the pandemic restrictions are lifted) for the DIB contractor, then that assessment report will be fed into the DISA eMASS solution database. From there, the certification level will be fed to the SPRS database, which is the Supplier Performance Risk System that we have in the department. That will be where the contracting officers and the program managers go to validate that those companies actually hold the certification level that they need for the contract. It is not currently available for contractors to peruse, or to find out whether other contractors have their certification level.
That is something that they're thinking about and looking at, but at this point in time, they're not. For a DIB contractor to determine whether a subcontractor had the proper certifications, they'd have to ask to see their certification to prove that they meet the requirements.
Question: We've heard that CMMC may grant reciprocity to other frameworks like FedRAMP. When will this be official and what will reciprocity look like?
Ms. Bostjanick: CMMC reciprocity is on the radar, with DoD working through policy issues surrounding implementation. They've worked out what reciprocity would look like for the DIBCAC assessment by having the DIBCAC team take the DoD methodology, look at the CMMC model, and line them up to determine, capability by capability, whether there would be an ability for reciprocity. If a company has already gone through a DIBCAC high assessment and achieved the full 110 score, then they would only have to do the delta assessment for the additional 20 requirements that we require under CMMC. It will be different with FedRAMP because their methodology is different. For example, FedRAMP allows POAMs, whereas CMMC does not allow POAMs. We need to sit down with GSA to walk through the distinct requirements that each model requires, where we can draw synergies and where we can give credit. Then there will be a gap analysis to tell you what you need to do. Bottom line, we're in the process of determining reciprocity, but we haven't finalized it.
Question: Any plans for FedRAMP to look at ISO 27000, in which DIB contractors may already be certified?
Ms. Bostjanick: Yes, we will look at all of the different standards out there to see where we can draw synergy, so we don't put other companies in a place where they have to do multiple certifications.
Question: DHS released the Supply Chain Risk Management Task Force Year 2 Report in the context of CMMC and risk management in general. Can you explain the report's findings and how it plays into the overall risk management practice for DHS and the DIB?
Mr. Kolasky: With this task force, we're now two years into releasing annual reports highlighting the work we've done under the critical infrastructure partnership advisory council's authorities, which allows us to have special authorities to work with the industry.
The report highlights the five focus areas of the task force, one of which is essentially a legal review of barriers to information sharing about supply chain risks and how to think through overcoming some of those barriers to encourage more information sharing. It offers some steps to help private entities in particular think through the legal framework of sharing information about supply chain risks and threat evaluation scenarios. We identified 300 potential threats to supply chains, particularly around hardware, software, and services, to get some scenario identification around those threats. We released an in-depth report on those threats, which will help risk managers prioritize risks.
The task force offers guidance on establishing qualified bidder, qualified manufacturer, preferred buyer, and preferred supplier lists based on lessons learned from programs that have done that in the past, including work we do here at CISA around the CDM program. We're thinking about vendor attestation in ways that you can, like CMMC, demonstrate good supply chain security practices so that there's a way for buyer and supplier to have that conversation. The last area was around lessons learned from the pandemic on the ICT supply chain, and particularly the stressors of the initial phases of the pandemic, where we really saw some ICT supply chains come close to breaking although there was no significant breakage. What does that mean for future supply chain management? That is all summarized in the Year 2 report.
(Mr. Kolasky was quick to point out that the task force will disseminate future reports more broadly as usable tools and guidance for the supply chain community on the supply chain risk management journey.)
Question: We're struggling to apply FCI (Federal Contract Information) to things like building names, contracts, etc. What is considered FCI?
Ms. Bostjanick: FCI is more of the contract number. FCI could also include things that you would want to keep somewhat secure. FCI is protected at the basic CMMC Level One, which is basic cyber hygiene. It's important to have all of those controls in place because there have been identity theft issues for government contractors. For example, a bad actor gains access and adjusts the CAGE code to redirect government payments to a different account.
Bostjanick offered an actual scenario she witnessed regarding how not protecting your FCI can go awry. "A construction contractor for the government lost $40,000 because somebody got in and stole his CAGE code, redirected the bank account information that was associated with that CAGE code to their bank account," she said. "Unfortunately for him, there's not a whole lot of help for him out there, so keeping that basic cyber hygiene to protect yourself is important, no matter what."
Question: There are two categories of supply chain risks: tangible end items (such as Huawei equipment) and services (like SolarWinds software) that were presumed to be risk-free but have become tainted by third-party actors. Other than these two categories, are there other categories of risks?
Mr. Kolasky: There are more than two categories of supply chain risks. Of course, there are intentionally exploitable things and unintentionally exploitable things. But the supply chain journey does not end when you buy something and deploy it. There's maintenance, there's upkeep, there's regular review. You have to think about supply chain risk management as holistic, from the moment you implement something to the moment you get rid of it. We've published a Threat Scenarios Report that's worth checking out.
Question: How will CMMC help prevent a SolarWinds SUNBURST type of incident moving forward?
Ms. Bostjanick: CMMC to Level Three with NIST 800-171 would not have prevented SolarWinds. It would have given some of the companies who had employed all of the controls the ability to identify and see it happening, but you're not going to get the ability to stop those advanced threats until you get into CMMC Level Four and Five. There's some talk that to effectively stop a SolarWinds attack, you need to almost go to a zero-trust environment.
Mr. Kolasky: We always want to learn and adopt practices based on threats today and in the future. It's not just the software, it's also the use of the software and understanding how it's being used, what level of access and things along those lines. By putting extra controls in place on items with high levels of access, we minimize significant risk. You can't go to zero-trust on everything, but you can go to zero-trust on crucial things.
Speakers' CMMC Q&A Conclusion
Mr. Kolasky: For those of you who do business with the government, we want to support your ability to secure your systems, and we encourage you to take security seriously in your supply chain as part of your business proposition and as something that has to be put into your business risk calculations. It should be an investment in security, not just an investment in compliance.
Ms. Bostjanick: Our deepest hope with our efforts to date is that our partners in industry start protecting themselves and making sure that they protect their data, as well as the federal government's, to keep from giving an advantage to our adversaries. We are working very hard to ensure that we have programs to help some of these small businesses, like Project Spectrum and the PTACs. We're also working with the NIST MEP organizations to understand CMMC and provide consulting services to small businesses.
We wholeheartedly embrace the small businesses and what they bring to the table for us. It's not our intent to narrow the field; we want everybody to be able to participate, but we also have to make sure that we protect ourselves and our supply chains as we go forth.
Not there yet? We can help. Contact us to discuss your CMMC journey.