Software Engineering Institute

July 28, 2020—Defense-sensitive information is lifeblood to the more than 300,000 organizations in the Department of Defense's (DoD) supply chain, from aerospace giants to specialty shops. These Defense Industrial Base (DIB) contractors must safeguard, and disseminate to their subcontractors, the confidential unclassified information (CUI) needed to produce materiel for the warfighter. In 2019, the SEI, in partnership with the Johns Hopkins Applied Physics Laboratory (APL), led the development of version 1.0 of the Cybersecurity Maturity Model Certification (CMMC). Its mission was nothing less than to reform cybersecurity for the entire DIB, because every stolen schematic, design, and specification could erode the American military’s technological advantage.

Since 2010, the Defense Federal Acquisition Regulation Supplement (DFARS) has imposed a one-size-fits-all approach to DIB cybersecurity: before receiving CUI, all DIB contractors and their subcontractors self-attest that they comply with all 110 security requirements of the National Institute of Standards and Technology (NIST) Special Publication 800-171. Companies can cover any gaps with a Plan of Action and Milestones (POA&M).

These requirements have proved simultaneously too rigid—all NIST 800-171 requirements, every DIB supplier, every contract—and too loose—a business could extend its POAMs indefinitely. Information losses under this scheme, such as the notable theft of transport plane and fighter jet data, motivated the DoD to shirk the checklist approach in favor of something more flexible and verifiable.

In early 2019, the DoD Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) asked the SEI to help make a maturity model for DIB cybersecurity. There were two requirements: retain all the practices from NIST 800-171, and find a way for DIB members of varying cyber-sophistication to participate without POAMs.

Members of the CERT Division’s Cybersecurity Assurance Team and their APL partners started assembling cybersecurity best practices from beyond NIST 800-171: ISO/IEC 27001, the Center for Internet Security controls, the United Kingdom's National Cyber Security Centre Cyber Essentials, and the Australian Signals Directorate. APL focused on the most advanced technical practices for sophisticated enterprises while the SEI focused on small and mid-sized organizations. Their initial harvest reaped a whopping 400 practices.

To help select the most practical controls, the SEI and APL solicited input from the nation’s defense contractors via the DIB Sector Coordinating Council. "The folks that they brought to the table are cybersecurity practitioners on the front lines, from smaller organizations to people at the enterprise level defending their companies against advanced, persistent threats," said Andrew Hoover, the SEI’s resilience engineering team lead and a CMMC architect. "They were able to tell us, 'That’s a great control, but in practice we don’t really do it that way.'" Informed by this hard-won experience, the project team slashed the final set of practices to less than half the original number. To ensure there were no gaps, they mapped the practices back to cybersecurity standards.

Working with their APL collaborators, the SEI team divided the cybersecurity practices into 17 domains, such as Access Control and Risk Management, and sorted them into a five-level framework. "That was sometimes more of a challenge than making sure we had all the right practices," said Katie Stewart, an SEI senior engineer and one of the CMMC architects. Level 1 indicates the minimum level of cybersecurity, such as basic cyber hygiene. Level 3 indicates the organization can protect CUI. At level 5, an organization works proactively to combat advanced, persistent threats (APTs).

Months in, the team had a robust, organized cybersecurity framework. But it was not a maturity model yet.

Process maturity is stickiness, or how well the technical practices are embedded in the organization. Institutionalized practices are more likely to be resilient under stress. "There is a history at the SEI of process maturity," said Hoover. "You can trace a lot of the maturity practices that are in the CMMC all the way back to CMMI." The Capability Maturity Model Integration (CMMI) helped the DoD assess the quality and capability of its software contractors. Katie Arrington, chief information security officer for OUSD(A&S), knew of CMMI and was counting on the SEI to bring the same process maturity wisdom to DIB cybersecurity.

The SEI team dug into the CERT Resilience Management Model (CERT-RMM), the SEI's foundational process improvement approach to operational resilience management. CERT-RMM is the parent of other SEI maturity models, such as the Smart Grid Maturity Model (SGMM) and the Department of Energy's Cybersecurity Capability Maturity Model (C2M2). CERT-RMM also shaped two organizational assessments developed and administered by the SEI for the Department of Homeland Security: the Cyber Resilience Review (CRR) and External Dependencies Management (EDM).

Hoover and Stewart’s colleague Shing-hon Lau, a senior cybersecurity engineer, had already mined the real-world results of more than 500 of Cyber Resilience Reviews (CRR) and External Dependency Management (EDM) assessments to determine which of their cybersecurity and supply chain practices would fit in the CMMC. He also analyzed the assessments’ maturity process results. "We were able to use that data and figure out which of the maturity processes are the most impactful," said Hoover, "and we added those into the CMMC."

With this history and data for guidance, and with continual reality checks with industry collaborators, the SEI team crafted the set of processes that make security practices mature within a DIB organization. They sorted these processes, as they had the practices, into five levels. The greatest intersection of an organization's overall practice level and overall process level would determine the organization's cybersecurity maturity level, which will be certified by an accredited third party.

The result is a model-based certification that eschews one-size-fits-all for many-sizes-fit-many. CMMC allows the DoD to meet more organizations where they are: any DIB supplier with a certified cybersecurity maturity level can bid on defense contracts with a corresponding level or lower. The DoD can have justified confidence that the suppliers can protect the information entrusted to them.

"If you’re a DIB contractor, and you’re just making nuts and bolts to pass up the supply chain, you really don't need to have as much cybersecurity in place as the big prime contractors," explained Matt Trevors, lead of the Cybersecurity Assurance Team during the CMMC's development. By only paying for the cybersecurity that’s needed, the contractor can control its costs and offer better value to the DoD. "The maturity model gives the DoD the reasonable expectation that the contractor can keep the specifications for nuts and bolts as safe as they need to be," said Trevors. If the business wants to chase contracts requiring greater cybersecurity maturity, CMMC provides a progressive, actionable roadmap to get there.

Though the SEI had its own roadmap for developing the new maturity model, the journey was anything but leisurely. "I would say 18 months is a reasonable amount of time to understand the problem, identify requirements for the model, design the model, implement the practices and processes, test the model, and deliver version 1," said Trevors. "All of that was compressed into a one-year schedule for an informal, iterative collaboration between academia, government, and private industry."

In a constantly accelerating timetable, the SEI and APL transformed a long-standing checklist into a flexible, model-based cybersecurity certification for all 300,000 DIB organizations. "CMMC could very well be described as the broadest application of our capability maturity process in the cybersecurity space," said Matt Butkovic, technical director of the CERT Division’s risk and resilience directorate. "We know maturity models work. We know CERT-RMM works. We took these foundational concepts and applied them to this challenge. It’s exactly the sort of thing our DoD sponsor expects us to do: solve the nation’s defense challenges in a novel way."

For more information on the CMMC, visit https://www.acq.osd.mil/cmmc/. Learn more about CMMC at the SEI at https://www.sei.cmu.edu/research-capabilities/all-work/display.cfm?customel_datapageid_4050=205766.