US DoD releases guidance documents for Cybersecurity Maturity Model Certification program

The U.S. Department of Defense (DoD) recently announced the availability of eight guidance documents for the Cybersecurity Maturity Model Certification (CMMC) Program providing additional guidance for the CMMC model, assessments, scoring, and hashing. The CMMC Program provides the Department with the mechanism needed to verify that a defense contractor or subcontractor has implemented the security requirements at each CMMC Level and is maintaining that status across the contract period of performance, as required. 

The agency is proposing to implement the CMMC framework, to help assess a defense industrial base (DIB) contractor’s compliance with the implementation of cybersecurity requirements to safeguard federal contract information (FCI) and controlled unclassified information (CUI) transiting non-federal systems to help mitigate the threats posed by APTs (advanced persistent threats).

In a recent notice published in the Federal Register, the DoD is seeking public input from stakeholders by Feb. 26, 2024. The agency currently requires covered defense contractors and subcontractors to implement the security protections outlined in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800–171 Rev 2 to provide adequate security for sensitive unclassified DoD information that is processed, stored, or transmitted on contractor information systems and to document their implementation status, including any plans of action for any NIST SP 800–171 Rev 2 requirement not yet implemented, in a System Security Plan (SSP). 

The document focuses on the CMMC Model as prescribed in the CMMC Program proposed rule. The model incorporates the security requirements from FAR 52.204–21, Basic Safeguarding of Covered Contractor Information Systems, NIST SP 800–171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, and a selected set of the requirements from NIST SP 800–172, Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800–171.

The DoD–CIO–00002 (ZRIN 0790–ZA18) document guides the preparation for and execution of a Level 1 Self-Assessment under the CMMC Program. CMMC Level 1 comprises the 15 basic safeguarding requirements specified in Federal Acquisition Regulation (FAR) Clause 52.204–21.

The DoD–CIO–00003 (ZRIN 0790–ZA19) document guides the preparation for and execution of a Level 2 Self-Assessment or Level 2 Certification Assessment under the CMMC Program as set forth in 32 CFR 170.16 and 170.17 respectively.

For CMMC Level 2 there are two types of assessments. A self-assessment is the term for the activity performed by an entity to evaluate its own CMMC Level, as applied to Level 1 and some Level 2; a CMMC Level 2 Certification Assessment is the term for the activity performed by a Certified Third-Party Assessment Organization (C3PAO) to evaluate the CMMC Level of an OSC (Organization Seeking Certification).

The DoD–CIO–00004 (ZRIN 0790–ZA20) document guides the preparation for and execution of a Level 3 Certification Assessment under the CMMC Program. Certification at each CMMC level occurs independently. 

“A CMMC Level 3 Certification Assessment as defined in 32 CFR 170.4 is the term for the activity performed by the Department of Defense to evaluate the CMMC Level of an OSC,” the DoD outlined in the Federal Register notice. “For CMMC Level 3, assessments are performed exclusively by the DoD. An OSC seeking a CMMC Level 3 Certification Assessment must have first received a CMMC Level 2 Final Certification Assessment, as set forth in 32 CFR 170.18, for all applicable information systems within the CMMC Assessment Scope, and the OSC must implement the Level 3 requirements specified in 32 CFR 170.14(c)(4). This is followed by the CMMC Level 3 assessment conducted by the DoD.”

The notice also detailed that the OSCs may also use this guide to perform CMMC Level 3 self-assessment (for example, in preparation for an annual affirmation); however, they are not eligible to submit results from a self-assessment in support of a CMMC Level 3 Certification Assessment. Only the results from an assessment by the DoD are considered for the award of a CMMC Level 3 Certification Assessment. 

The DoD–CIO–00005 (ZRIN 0790–ZA21) document provides scoping guidance for Level 1 of CMMC. Before a Level 1 CMMC Self-Assessment, the OSA (Organization Seeking Assessment) must specify the CMMC Assessment Scope. The CMMC Assessment Scope defines which assets within the OSA’s environment will be assessed and the details of the self-assessment. The guide is intended for OSAs who will be conducting a CMMC Level 1 self-assessment and the professionals or companies that will support them in those efforts.

The DoD–CIO–00006 (ZRIN 0790–ZA22) document provides scoping guidance for Level 2 of CMMC. Before a Level 2 Self-Assessment or Level 2 Certification Assessment, the OSA must specify the CMMC Assessment Scope. The CMMC Assessment Scope defines which assets within the OSA’s environment will be assessed and the details of the assessment.

This guide is intended for OSAs that will be conducting a CMMC Level 2 Self-Assessment, OSCs that will be obtaining a CMMC Level 2 Certification Assessment under 32 CFR 170.17, and the professionals or companies that will support them in those efforts. OSCs are a subset of OSAs: every organization participates in an assessment, but a self-assessment cannot result in certification.

The DoD–CIO–00007 (ZRIN 0790–ZA23) document provides scoping guidance for Level 3 of CMMC. Before conducting a CMMC assessment, the Level 3 CMMC Assessment Scope must be defined to cover the assets within the OSC’s environment that will be assessed and the details of the assessment.

When seeking a Level 3 Certification, the OSC must have a CMMC Level 2 Final Certification Assessment for the same scope as the Level 3 assessment. Any Level 2 Plan of Action and Milestones (POA&M, as outlined in 32 CFR 170.4) items must be closed before the initiation of the CMMC Level 3 assessment. The Level 3 CMMC Assessment Scope may be a subset of the Level 2 CMMC Assessment Scope (e.g., a Level 3 data enclave with greater restrictions and protections within the Level 2 data enclave).

This guide is intended for OSCs that will be obtaining a CMMC Level 3 assessment and the professionals or companies that will support them in those efforts.

The DoD–CIO–00008 (ZRIN 0790–ZA24) CMMC Hashing guide assumes that the reader has a basic understanding of command line tools and scripting. During the performance of a CMMC assessment, the assessment team will collect objective evidence using a combination of three assessment methods – examination of artifacts, affirmations through interviews, and observations of actions.

“Because these OSA artifacts may be proprietary, the assessment team will not take OSA artifacts offsite at the conclusion of the assessment,” the notice said. “For the protection of all stakeholders, the OSA must retain the artifacts. This guide describes how to provide a cryptographic reference (or hash) for each artifact used in the assessment.”
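The artifact-hashing workflow the notice describes, as an added example that is not the DoD guide's own script: it assumes SHA-256 via `sha256sum` (or `shasum -a 256`), writes one manifest line per retained artifact, hashes the manifest itself so a single reference value can be recorded, and later re-verifies that nothing the OSA retained has changed or gone missing. The sample artifact files are constructed stand-ins.

```shell
#!/usr/bin/env bash
# Added example, not the DoD hashing guide's script. Assumes SHA-256.
set -eu

# Use coreutils sha256sum if present, otherwise perl's shasum.
sha256_file() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# make_manifest DIR MANIFEST: write "<hash>  <path>" per artifact, sorted
# for reproducibility, then print the hash of the manifest itself (the one
# reference value the assessment report would record).
make_manifest() {
  dir=$1; manifest=$2
  : > "$manifest"
  ( cd "$dir" && find . -type f | LC_ALL=C sort ) | while IFS= read -r f; do
    printf '%s  %s\n' "$(sha256_file "$dir/$f")" "$f" >> "$manifest"
  done
  sha256_file "$manifest"
}

# verify_manifest DIR MANIFEST: recompute every hash against the retained
# artifacts; report missing or altered files and return 1 if any differ.
verify_manifest() {
  dir=$1; manifest=$2; rc=0
  while read -r h f; do
    if [ ! -f "$dir/$f" ]; then
      echo "MISSING  $f"; rc=1
    elif [ "$(sha256_file "$dir/$f")" != "$h" ]; then
      echo "CHANGED  $f"; rc=1
    fi
  done < "$manifest"
  return $rc
}

# Constructed sample artifacts (stand-ins for an SSP and a policy document).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir" "$demo_dir.manifest"' EXIT
mkdir -p "$demo_dir/policies"
printf 'Access Control Policy v1\n' > "$demo_dir/policies/ac-policy.txt"
printf 'System Security Plan draft\n' > "$demo_dir/ssp.txt"
manifest_hash=$(make_manifest "$demo_dir" "$demo_dir.manifest")
echo "manifest reference hash: $manifest_hash"
```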

The DoD announced in November 2021 that its CMMC 2.0 program will simplify the CMMC standard and provide additional clarity on cybersecurity regulatory, policy, and contract requirements. It will also focus on advanced cybersecurity standards and third-party assessment requirements on companies supporting the highest priority programs and increase DoD’s professional and ethical standards oversight on the assessment ecosystem.
