After a public review of Draft CMMC v0.4 (Cybersecurity Maturity Model Certification) framework and assessment of the feedback, the USD(A&S) (Office of the Under Secretary of Defense for Acquisition and Sustainment) has released v0.6. It comes with a number of interesting and unexpected changes.
Summary of Changes
- One whole domain (Cybersecurity Governance) was removed and the controls in three domains (Asset Management, Configuration Management, and Situational Awareness) were dramatically reduced.
- This version specifically calls out federal contract information (FCI) as separate from controlled unclassified information (CUI).
- Some practices were promoted from previously higher levels to lower levels, such as Advanced Email Protections. Changes specifically in this capability area included asymmetric cryptography and email sandboxing were both moved from Level 4 in v0.4 to Level 3 in v0.6.
- The specifics of Levels 4 and 5 are not addressed in this version. A later version is expected to release in mid-December, which USD(A&S) stated will include information on CMMC levels four & five.
Removal of Domains and Controls
Clearly, the writers of CMMC took industry feedback to heart, because the newest version eliminates many of the practices v0.4 required. The Cybersecurity Governance domain was eliminated completely, and practices within the Asset Management, Configuration Management and Situational Awareness domains were significantly reduced. Across Levels 1-3, the number of practices went from 242 to 134.
This streamlines the process for government contractors, but the new version still requires an extra 21 practices above and beyond what was required by NIST 800-171. To meet the level of cybersecurity maturity the government desires, companies will still have to address Security Information and Event Management (SIEM) solutions and threat intelligence – factors they might not have considered significant in the past.
Federal Contract Information
Draft CMMC Model v0.6 specifically addresses FCI as separate from CUI. FCI is defined as “information that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government.” This change presumably broadens the amount of information that is protected under CMMC requirements.
Advanced Email Protections
Descriptions of practices remained the same, but some – such as advanced email protection – were moved from Level 4 to Level 3. Presumably this is due to the availability of these capabilities as well as their applicability and pertinence to securing email, widely accepted today as one of the most abused and targeted systems within corporate networks. Email regularly appears in the top 3 cyber attack categories, utilized in 62-91% of cyber attacks, depending on the business sector.
Levels 4 and 5
It may seem hard to fully assess the future of CMMC without being able to analyze Levels 4 and 5, but our impression is that many RFPs will be categorized at Level 3. Nonetheless, at Ardalyst, we believe that compliance is not security, and security is not defense. The further mature your practices, the more competitive you will be – not just in bidding on contracts but in establishing business operations and embracing technology that set you ahead of your peers. We look forward to seeing what comes out of the next release in mid-December.