Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats

The Cybersecurity Maturity Model Certification: 5 Important Things to Know and Prepare For

The Department of Defense (DoD) is not immune to cybersecurity incidents. Given the expansive list of third-party contractors and subcontractors, it conducts business with, this should come as no surprise. Historically, the Defense Industrial Base (DIB) has complied with the NIST Special Publication (SP) 800-171, which is aimed at the protection of controlled unclassified information (CUI). Given that compliance with SP 800-171 has been based on the honor system, many contractors have fallen short of meeting the requirements, resulting in security incidents. This is now all about to change.

In May, Katie Arrington, Special Assistant to the Assistant Secretary of Defense for Acquisition for Cyber, gave a presentation to a small group of DoD contractors, introducing the development of the Cybersecurity Maturity Model Certification (CMMC). Designed to be a unified security standard that enhances the protection of CUI and applies to all organizations in the DIB, this new framework takes the previous requirement to the next level by featuring a verification component, among other demands.

All organizations that hold contracts, or subcontracts, tied to the DoD fall in scope of the CMMC. While the first draft of the framework was issued in September 2019, Version 1.0 of the new model is expected in January 2020. The requirements are expected to be incorporated into Requests for Information by June 2020, and into Requests for Proposals by Fall 2020.

“If you touch the Department of Defense at all, or sell to them in any way, or sell to a prime contractor that sells to the Department of Defense, you’re going to be in scope of [the CMMC],” says Darren Van Booven, lead principal consultant at Trustwave and former CISO of the U.S. House of Representatives.

The deadlines to become compliant are looming, so it’s best to get ahead and work through the most important demands the CMMC requires. To give you a head start, with the help of Van Booven we’ve outlined the seven most important things to know and prepare for when it comes to the DoD’s cybersecurity framework.

1. The framework is specifically for the Department of Defense only.

Organizations that specifically work with or sell to the DoD will be in scope of the CMMC. No matter the size of the organization or type of work it conducts, it will have to be compliant, according to Van Booven.

“There are a lot of companies who may not be thought of as defense contractors in the classical sense—like the Lockheed Martins and Northrop Grummans of the world—that will be in scope,” Van Booven says. “Many of the larger organizations that are out there in the technology world that provide software or services that the DoD leverages are going to fall into this bucket.”

While the CMMC is specifically focused on third-parties holding contracts with or bidding on DoD contracts, there is language in the draft of the framework that hints toward the model taking on a broader role beyond the DoD further down the road.

2. The CMMC combines existing portions of current cybersecurity standards.

As previously mentioned, prior to introducing the CMMC, the DoD required all contractors and subcontractors to be NIST SP 800-171 compliant. Not only will this still be the case in regard to the new framework, but other portions of cybersecurity standards will be brewed into the new cybersecurity model, including NIST  SP 800-53, ISO 270001 and ISO 27032. The goal for the department is to create a unified standard that “measures the maturity of a company’s institutionalization of cybersecurity practices and processes.”

3. Certifications will be determined by an auditor.

Perhaps one of the most impactful requirements of the CMMC is that the certifications will be determined by accredited and independent third-party certified organizations. These entities will rate the compliance of the contractors with the CMMC on levels that range from a one to a five, with a five being the most mature from a cybersecurity posture standpoint. Although the criteria and the accreditation for companies to be certified auditors has yet to be determined, according to the CMMC site, “higher-level assessments may be performed by organic DoD assessors within the Services, the Defense Contract Management Agency or the Defense Counterintelligence and Security Agency.

4. Specific maturity levels will be assigned.

The results of the CMMC qualification process will be a maturity level assignment that ranges from Level 1 (“Basic Cyber Hygiene”) to Level 5 (“Advanced/Progressive”). The specific parameters around what it takes to meet each level of maturity are and what the criteria are for doing these verifications is still being defined, according to Van Booven.

“They’re going to need to pay a company to perform the verification,” he says. “Before it was more of a pass-fail model, but what the framework introduces is a decision to be made on the contractor’s part to implement new controls that allows them to reach a new level of cybersecurity maturity that will give them an advantage on a contract.”

The government will ultimately decide the maturity tier that is assigned to contracts.

5. You may not lose your certification if you’re compromised.

As we all know when it comes to security breaches, it’s not a matter of if, but when. For those contractors or subcontractors that have been certified, should a security breach take place, it will not result in the loss of their certification. However, depending on the specifics tied to the compromise, the contractor may be required to be recertified, which will inevitably involve additional costs incurred on the contractor’s behalf.

The First Two Steps to Take

It’s likely that additional changes are made in the coming weeks and months to the framework, but according to Van Booven, any organizations currently working with or planning to bid on DoD contracts should focus on the following two areas to get a step ahead in the process:

Determine If You’re in Scope

Seeing as ALL contractors, subcontractors or other organizations doing business with the DoD must be NIST SP 800-171 compliant, first determine if your business falls into this bucket. This is the first step that must be confirmed because overlooking it runs the risk of losing potential business you currently have.

“Organizations that in scope of this absolutely need to be preparing now for this in terms of understanding or looking at themselves,” Van Booven says.

Assess Your Security Program

It’s important to determine how mature your security program is. Assess how you identify and control sensitive government information. It may also be helpful to compare yourself as a company against the standard and start assessing where you are, but most importantly, where you’ll need to be to meet the requirements of the given DoD contract you’re aiming to win.

“Companies should definitely not wait until June of next year to get certified, only to find out that their cybersecurity maturity is at a level 1 when they need to be at a four,” Van Booven adds. “During that time lost they could have implemented the necessary changes.”

Meeting the requirements tied to the CMMC should not be too complex for companies, but it may require the help of a trusted security advisor that can provide a second opinion on where they think your organization is from a readiness perspective. Many organizations opt to take this route seeing as how you assess yourself is sometimes different than how you would be assessed against industry best practice or other standards. An objective third-party partner is the best way to do that.

Latest Trustwave Blogs

Phishing: The Grade A Threat to the Education Sector

Phishing is the most common method for an attacker to gain an initial foothold in an educational organization, according to the just released Trustwave SpiderLabs report 2024 Education Threat...

Read More

Unlocking Cyber Resilience: UK’s NCSC Drafts Code of Practice to Elevate Cybersecurity Governance in UK Businesses

In late January, the UK’s National Cyber Security Centre (NCSC) issued the draft of its Code of Practice on Cybersecurity Governance. The document's goal is to raise the profile of cyber issues with...

Read More

Defending Healthcare Databases: Strategies to Safeguard Critical Information

The healthcare sector continues to be a primary target for threat actors, with 2023 seeing a record number of data breaches and compromised records. While successful attacks are inevitable, it’s...

Read More