![cybersecurity maturity model certification (CMMC) (noun) [Word Notes] — Hacking Humans cover](https://megaphone.imgix.net/podcasts/8797f03a-a50b-11ea-b6c0-87ebb093948d/image/hacking-humans-cover-art-cw.png?ixlib=rails-4.3.1&max-w=3000&max-h=3000&fit=crop&auto=format,compress)
Rick Howard
You're listening to the Cyberwire Network powered by N2K.
N/A
Identity architects and engineers: simplify your identity management with Strata. Securely integrate non-standard apps with any IdP, apply modern MFA, and ensure seamless failover during outages. Strata helps you avoid app refactoring and reduces legacy tech debt, making your identity systems more robust and efficient. Strata does it better and at a better price. Experience stress-free identity management and join industry leaders in transforming their identity architecture with Strata. Visit Strata IO Cyberwire, share your identity challenge, and get a free set of AirPods Pro. Revolutionize your identity infrastructure. Now visit Strata IO CyberWire, and our thanks to Strata for being a longtime friend and supporter of this podcast.
Nyla Genoi
The word is Cybersecurity Maturity Model Certification, spelled C for cybersecurity, M for maturity, M for model, and C for certification. A supply chain cybersecurity accreditation standard designed for the protection of controlled unclassified information that the US Department of Defense, or DoD, will require for all contract bids by October 2020. Example sentence: Even if you're not a prime defense contractor, it's likely that you will need to add CMMC to your list of compliance obligations in the near future. Origin and context: Maturity models in software engineering have been around since 1986. Early capability maturity model approaches were geared toward improving the software development process, and now they have appeared in a range of disciplines from manufacturing to cybersecurity. The term maturity refers to a set of characteristics, attributes, indicators, or patterns that represent capability and progression. Maturity models establish benchmark levels to evaluate an organization's processes and practices. According to Katie Arrington, the DoD's CISO for acquisition, CMMC will ensure a more level and fair playing field for companies bidding on DoD contracts. As John Roman from Security Magazine explains, up until now, companies that process sensitive government data, whether directly or as a subcontractor, have only been required to self-attest as to their knowledge of relevant regulatory requirements. In many aspects, self-attestation has proven unsuccessful, as evidenced by notable breaches of critical government information in both the public and private sector. Developed by DoD in conjunction with Carnegie Mellon University and Johns Hopkins University, the CMMC requirement is based on a compilation of multiple frameworks and standards, including NIST SP 800-171, the NIST Cybersecurity Framework, ISO 27001, and others. It replaces DFARS, or the Defense Federal Acquisition Regulation Supplement, the current government contracting rule.
According to Matt Kelly from Navex Global, the CMMC establishes five levels of cybersecurity maturity. The more controls you implement, the higher your maturity level and the more contracts your business would be eligible to bid on. In 2021, the DoD started CMMC compliance with a select number of large prime contractors. More and more contractors will be subject to CMMC over the next five years, until all defense contracts will require CMMC compliance in fiscal year 2025. Nerd reference: In November 2020, Katie Arrington appeared on the INSA Coffee and Conversation YouTube channel to talk about CMMC. She refers to the current source selection process for DoD contracts. With that system, if a potential bidder showed progress in meeting the contract requirements, the Source Selection Authority could potentially rate them at the same level as another contractor who met all of the requirements.
Rick Howard
What's going to happen with the CMMC is it's going to be a go/no-go decision. So when the CMMC assessor comes and does the audit, you either are level one or you're not. You either are level two or you're not. You either are level three or you're not, and up the chain. So it will be equal for all, and it will not be used as a source selection factor. That was one of the big things in DoD. If I made it a source selection factor, that wouldn't be fair. It needed to be a go/no-go decision, because it would be arbitrary, it wouldn't be defendable. We needed a third-party audit like ISO. It's not that you're sort of ISO certified. It's a go/no-go decision. That's exactly what we're doing with the CMMC.
Nyla Genoi
Word Notes is written by Nyla Genoi, executive produced by Peter Kilpe, and edited by John Petrick and me, Rick Howard. The mix, sound design, and original music have all been crafted by the ridiculously talented Elliot Peltzman. Thanks for listening.
Podcast Summary: Hacking Humans – Episode on Cybersecurity Maturity Model Certification (CMMC)
Podcast Information:
In this Word Notes episode from Hacking Humans, the focus is on the Cybersecurity Maturity Model Certification (CMMC), a framework intended to raise the cybersecurity posture of contractors in the U.S. Department of Defense (DoD) supply chain. Produced by N2K Networks, the episode covers the origins, structure, rollout timeline, and rationale for CMMC.
Nyla Genoi kicks off the discussion by defining CMMC:
"The word is Cybersecurity Maturity Model Certification spelled C for cybersecurity, M for Maturity, M for Model, and C for certification. A supply chain cybersecurity accreditation standard designed for the protection of controlled, unclassified information that the US Department of Defense or DoD will require for all contract bids by October 2020."
[00:53]
Genoi frames CMMC as a supply chain accreditation standard for protecting controlled unclassified information (CUI). Because subcontractors that handle that data are in scope, even organizations that are not prime defense contractors will likely need to add CMMC to their compliance obligations.
CMMC's roots trace back to maturity models in software engineering, which date to 1986. Genoi explains:
"Maturity models establish benchmark levels to evaluate an organization's process and practices."
[02:10]
Originally aimed at the software development process, these models have since spread to other disciplines, including manufacturing and cybersecurity. CMMC comes from that lineage. It was developed by the DoD with Carnegie Mellon University and Johns Hopkins University, and it compiles existing frameworks such as NIST SP 800-171, the NIST Cybersecurity Framework, and ISO 27001 into a single standard that, as the episode describes it, replaces the current DFARS (Defense Federal Acquisition Regulation Supplement) contracting rule.
On structure, Matt Kelly from Navex Global is cited for the five-level design:
"The more controls you implement, the higher your maturity level and the more contracts your business would be eligible to bid on."
[03:30]
Each level represents a set of cybersecurity practices and processes a company must implement, from basic cyber hygiene at the lowest level to advanced/progressive practices at the highest. Reaching a higher level qualifies an organization to bid on a broader range of DoD contracts.
Genoi also describes the rollout timeline:
"In 2021, the DoD started CMMC compliance with a select number of large prime contractors. More and more contractors will be subject to CMMC over the next five years until all defense contracts will require CMMC compliance in fiscal year 2025."
[03:50]
The phased rollout gives contractors time to bring their practices up to the required level incrementally. The stated goal is a defense supply chain in which the protection of controlled unclassified information is verified rather than assumed.
John Roman from Security Magazine is cited on why the previous approach was inadequate:
"Up until now, companies that process sensitive government data, whether directly or as a subcontractor, have only been required to self-attest as to their knowledge of relevant regulatory requirements. In many aspects, self-attestation has proven unsuccessful, as evidenced by notable breaches of critical government information in both the public and private sector."
[02:50]
The point is that self-attestation is unverifiable; CMMC replaces it with assessment by a third-party assessor.
Toward the end of the episode, a clip of Katie Arrington, the DoD's CISO for acquisition, from her INSA Coffee and Conversation appearance explains how CMMC fits into source selection:
"What's going to happen with the CMMC is it's going to be a go/no go decision. So when the CMMC assessor comes and does the audit, you either are level one or you're not. You either are level two or you're not. You either are level three or you're not and up the chain. So it will be equal for all and it will not be used as a source selection factor."
[04:58]
Arrington stresses that CMMC is a binary, pass/fail qualification rather than a factor weighed during bid selection. In her account, using it as a source selection factor would be arbitrary and not defendable, whereas a third-party audit with a go/no-go result, on the ISO certification model, applies the same standard to every bidder at a given level.
The episode closes by reinforcing CMMC's role in standardizing cybersecurity practices across the defense supply chain and, in Arrington's framing, in creating a level playing field for companies bidding on DoD contracts.
Notable Quotes:
Nyla Genoi [00:53]:
"Cybersecurity Maturity Model Certification spelled C for cybersecurity, M for Maturity, M for Model, and C for certification..."
John Roman [02:50]:
"Self-attestation has proven unsuccessful, as evidenced by notable breaches of critical government information..."
Matt Kelly [03:30]:
"The more controls you implement, the higher your maturity level and the more contracts your business would be eligible to bid on."
Katie Arrington (clip) [04:58]:
"It will be equal for all and it will not be used as a source selection factor."
Final Notes:
This episode was written by Nyla Genoi, executive produced by Peter Kilpe, edited by John Petrick and Rick Howard, with mix, sound design, and original music by Elliot Peltzman.