In December, the Defense Department released a new draft of its Cybersecurity Maturity Model Certification, or CMMC, an important guide for contractors.
Given the expected release of Version 1.0 of the CMMC framework in late January 2020, it is likely that the requirements in this draft will closely resemble those that will serve as the basis for the first contractor audits.
The two most significant updates are the addition of "practices" for obtaining Level 4 and 5 certifications, and an expansion of the "clarifications" section, which now covers the requirements of Levels 2 and 3 of the model, in addition to Level 1.
The draft retains the matrix format that we have seen in prior versions, composed of "domains," "capabilities," "practices" and "processes."
Each domain consists of multiple capabilities, and each capability consists of multiple practices. Capabilities are general achievements to ensure cybersecurity objectives are met within each domain. Practices more specifically outline the technical requirements necessary to achieve compliance with a given capability, while processes measure how well practices have been implemented across a contractor's business.
Version 0.7 now contains what we expect to be a near-final set of practices necessary for obtaining Level 4 and 5 certifications, and relegates all processes to a much-simplified table that is intended to apply across all domains.
The requirements in Levels 4 and 5 are greatly consolidated. However, they still represent a significant set of compliance obligations that contractors must follow in order to perform work on contracts designated at either of these two certification levels.
Level 4 now incorporates 13 controls set forth in the draft NIST SP 800-171B, and Level 5 certification includes requirements for an additional five controls from draft NIST SP 800-171B.
Levels 4 and 5 continue the practice of including multiple controls for certain practices, thereby increasing the possibility of conflicting guidance. Moreover, standards that are pulled from NIST SP 800-171B in some cases appear to have been incorporated into the CMMC on a modified or a partial basis. For this reason, even those contractors that have implemented sophisticated cybersecurity controls in line with the standards set forth in NIST publications should closely review how these requirements and others have been described in the CMMC to ensure that they will be compliant with all applicable practices at the time...