Chances are good that if you're reading this post, you’re aware that a new organization-wide cybersecurity certification, called the Cybersecurity Maturity Model Certification (CMMC), will be released soon by the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)).
In the past, Defense acquisition has prioritized cost, schedule, and performance. At times, these prioritizations have come at the expense of cybersecurity. CMMC will ensure that cybersecurity controls are fundamentally in place and operational within contractor environments before DoD contracts are awarded. Certification of contractor cybersecurity maturity levels will ensure that future DoD acquisitions will be based upon cost, schedule, and performance considerations and awarded only to organizations that meet or exceed the appropriate levels of cybersecurity controls.
This new model for certifying the state of cybersecurity operations and maturity within an organization applies to all DoD prime contractors and sub-contractors. Given the imminent release of the CMMC and broad applicability across the contracting world, organizations should be actively preparing and charting next-steps to ensure that they are ready when the CMMC goes live in January 2020.
An Organizational Cybersecurity Certification “With Teeth”
Once CMMC is live, organizations seeking to obtain or sub-contract on DoD contracts will need to be pre-certified by a CMMC-accredited third-party assessment organization (3PAO) in order to be eligible for contract award. DoD CISO for Acquisition & Sustainment, Katie Arrington, put it this way in November 2019:
“Every company will have to have a 3PAO auditor come in, conduct an audit, and issue an accreditation level to the company. These accreditations will be hosted in the CMMC certificate database.”
According to Ms. Arrington, under the CMMC, self-attestation of compliance and plans of actions and milestones (POAMs), which were permitted under the DFARS, will not be permitted. Starting in fall 2020, DoD will begin putting the CMMC into contracts as a requirement for contractors.
An Important Step Toward US National Supply Chain Security
The CMMC represents an important step forward for United States national supply chain security by establishing a consistent set of tiered cybersecurity levels for US DoD contractors.
Having said that, the CMMC has the potential to introduce significant implementation challenges and resource demands across the DoD contracting world. Recognizing these potential challenges, my team at Splunk has been developing a technical solution, based on the evolving draft CMMC guidance. The overarching purpose of this solution will be to facilitate continuous monitoring of technical controls and alleviate much of the evidentiary burden associated with a 3PAO CMMC audit.
We are actively developing our solution, but awaiting the finalized publication of the Cybersecurity Maturity Model Certification V1.x guidance before making our solution generally available for customers.
For Organizations Wanting to Get a Head Start
For organizations that are eager to begin preparing ahead of the finalized CMMC publication, we are recommending the following approach:
- Begin assessing your readiness today by leveraging Splunk Compliance Analytics (SCA) for DFARS
By inputting the data necessary to address the DFARS controls into SCA, you will be able to proactively identify gaps in your current cybersecurity maturity (note that the DFARs technical controls comprise a significant portion of the proposed CMMC technical requirements)
- Take action to shore up data visibility and cybersecurity capability gaps identified by undertaking the above exercise with Splunk Compliance Analytics
This will ensure that your organization is well on its way to closing gaps and demonstrating cybersecurity maturity in a manner that is closely aligned with the controls frameworks specified in the CMMC
By taking these actions, DoD contractors will be well-positioned to proactively identify and begin addressing any gaps in their cybersecurity maturity with respect to the CMMC controls as early as possible.
Next Steps on the Splunk for CMMC Solution
Once the Cybersecurity Maturity Model Certification is published in January 2020 and 3PAOs begin receiving their accreditations, we will make final updates to the Splunk for CMMC codebase to address any significant deltas introduced in the final version of the CMMC. Assuming that the CMMC launch schedule proceeds as currently planned, that positions us to make the Splunk for CMMC solution generally available to customers in early Spring 2020.
With Splunk for CMMC, DoD contractors will be able to confidently assess their cybersecurity posture and furnish data-driven justifications of their cybersecurity maturity level for their 3PAO CMMC audits.
Hopefully that provides folks out there with some helpful context around the Cybersecurity Maturity Model Certification, how it will affect DoD contractors, and what Splunk is building to help customers address associated 3PAO CMMC audits.
Reach out to us at firstname.lastname@example.org if you need help getting started on the steps above or if you would like us to connect with you once the Splunk for CMMC solution is finalized.
As I mentioned, development is actively underway, so stay tuned for more updates as the CMMC is finalized and we progress toward launching the Splunk for CMMC solution.
Happy holidays and happy Splunking!