The Cybersecurity Maturity Model Certification (CMMC) is a comprehensive framework designed to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI), shared with contractors and subcontractors of the Department of Defense (DoD) through acquisition programs, as defined by Executive Order 13556.

The CMMC 2.0 Proposed Rule, published on December 26, 2023, represents the latest evolution of the CMMC cybersecurity model.

On June 27, 2024, after adjudicating nearly 2,000 comments, following a 60-day open-comment period, the DoD submitted a draft of the CMMC 2.0 Final Rule (32 CFR) to the Office of Information and Regulatory Affairs (OIRA) at the White House.

The summited draft represents the final step before the CMMC 2.0 rule is published in the Federal Register. As the final draft has been submitted the focus now shifts to the timeline for when the CMMC 2.0 regulation will take effect and be enforced.

Before addressing this shift in focus, it is essential to understand that the security requirements, upon which CMMC 2.0 Level 2 is founded (NIST SP 800-171), have been mandatory for DoD contractors handling sensitive information since December 2017, when the DFARS clause 252.204-7012 was included in DoD contracts. However, during this period, compliance mostly relied on self-attestation without a robust enforcement mechanism, leaving the DoD unable to verify adherence. As a result, many contractors neglected to fully implement the required controls.

To address this issue, the DoD launched the CMMC program, which essentially serves as the mechanism through which the DoD will verify compliance with the requirements outlined in DFARS clause 252.204-7012 (NIST SP 800-171), mandated in contracts since 2017.

As the DoD puts it: “A key difference between the DFARS 252.204-7012 and CMMC Level 2 requirements is that compliance with NIST SP 800-171 under DFARS 252.204-7012 has not been consistently verified. Under CMMC, compliance will be checked by independent third-party assessors certified by DoD.“

The significant change introduced by CMMC, requires contractors to obtain certification through assessments conducted by a CMMC Third Party Assessment Organization (C3PAO) to demonstrate compliance to retain and secure DoD contracts.

CMMC Rulemaking Timeline

The CMMC rulemaking timeline is summarized below based on publicly available information as of July 17, 2024.

As with all federal regulations, CMMC requires a legal basis for implementation. Therefore, to determine when the CMMC 2.0 regulation will come into effect, we need to understand the rulemaking process behind CMMC 2.0, involving two rules from the Code of Federal Regulations: 32 CFR and 48 CFR.

For the CMMC 2.0 regulation to come fully into effect, two things need to happen.

1. The 32 CFR CMMC Final Rule has to come into effect. This rule outlines and codifies the CMMC program and will allow CMMC third-party assessments to begin, known as the “market rollout“.

The 32 CFR CMMC Final Rule is estimated to be published no later than October 26, 2024, after OIRA’s review of up to 120 days, and will come into effect approximately 60 days later, in late Q3 or early Q4 2024.

2. 48 CFR CMMC Final Rule must come into effect. This rule revises the DFARS clause 252.204-7021 to point to the CMMC program (32 CFR) and will introduce CMMC compliance as a contractual clause gradually over 3 years, known as the “phased rollout“.

The 48 CFR Proposed Rule was submitted to OIRA in May 2024. After a 90 to 120-day regulatory review and an initial 60-day public comment period, the Proposed Rule will undergo another 60-day public comment period, followed by a Final Rule review and adjudication process, estimated to take 150 to 280 business days. The 48 CFR Final Rule is expected to come into effect around Q3 or Q4 2025 but could be sooner, as it revises an existing, small clause (DFARS clause 252.204-7021).

The 32 CFR is the Starting Gun for the CMMC Race

While the effective date of the 48 CFR Final Rule (expected in Q3 or Q4 2025) will determine when the CMMC 2.0 regulation is mandatorily included in contracts, known as the “phase-rollout,” it’s a significant misconception that the pivotal milestone for the start of the CMMC race is the effective date of the 48 CFR.

Indeed, the kickoff for the CMMC race will be determined by the effective date of the 32 CFR Final Rule (expected late Q3 or early Q4 2024), not the 48 CFR Final Rule.

The 32 CFR Final Rule will trigger the “market rollout“, which will allow CMMC assessments to begin. Once these assessments are available, prime contractors (e.g., Lockheed Martin, Boeing, Raytheon) will likely require subcontractors to obtain CMMC certification as soon as possible, well before DoD does through the “phased rollout“, to maintain their competitive edge and mitigate the risk of non-certified suppliers jeopardizing their own certification status.

Midnight Rulemaking and CMMC 2.0

In the past 6 months, there has been a notable acceleration in the CMMC rulemaking process. This is evident in several key milestones, including the publication of the 32 CFR Proposed Rule in December 2023, the submission of a 48 CFR Proposed Rule to OIRA in May 2024, and most recently, the submission of the 32 CFR Final Rule to OIRA in June 2024. This phenomenon is often referred to as “Midnight Rulemaking“, which describes the rush to finalize regulations in the final months before a presidential administration concludes.

Thus, if we anticipate the 32 CFR Final Rule to be finalized and effective in late Q3 or early Q4 2024, given the Department of Defense’s strong motivation to complete the CMMC regulations before the U.S. 2024 elections, there is a very strong possibility it will become effective before November 5, 2024.

Don’t Wait for the Starting Gun to Begin the CMMC Compliance Journey

The DoD anticipates that it will take two years for companies with existing contracts to become CMMC certified, assuming they have already implemented the NIST SP 800-171 Rev. 2 requirements as per DFARS clause 252.204-7012. This extended timeline is due to several factors:

1. Once 32 CFR becomes effective, CMMC third-party assessments for CMMC Level 2 will commence, requiring organizations to achieve 100% self-attestation readiness before undergoing assessment. This preparatory phase demands significant time and effort.
2. On average, organizations spend between 12 to 18 months preparing for a CMMC Level 2 assessment.
3. Due to a shortage of CMMC assessors, organizations may expect to wait approximately 9 to 15 months (3 to 5 quarters) for a CMMC assessment.

Therefore, to stay prepared for future DoD contract opportunities and maintain a competitive edge, it is recommended that organizations begin their CMMC compliance process today.

Feel free to reach out to discuss your CMMC journey with us and explore how #Wavestone can assist you in navigating the intricate landscape of CMMC 2.0 compliance, supporting your path to certification, and enhancing your cybersecurity readiness into a strategic advantage.

Our CMMC 2.0 Compliance Services:

1. CUI Identification:
   • We assist in identifying Controlled Unclassified Information (CUI) within your organization to ensure compliance with CMMC requirements.
2. CMMC Assessment Scope Identification:
   • We help define and minimize your CMMC Assessment Scope to stay cost-effective and pragmatic. By clearly identifying the scope, we ensure that all necessary systems and processes are included while avoiding unnecessary complexity and costs.
3. CMMC Readiness Assessments:
   • Our experts conduct CMMC Level 1 and 2 readiness assessments, evaluating your current state against the respective assessment objectives (e.g., NIST SP 800-171A) to provide you with actionable recommendations.
4. CMMC Compliance Roadmap Definition:
   • We work with you to define a clear roadmap to achieve CMMC compliance, tailored to your needs, whether for CMMC clusters or all-in scenarios.
5. CMMC Implementation Support:
   • We offer comprehensive guidance and support throughout the implementation phase, helping you effectively integrate the required controls and reach CMMC 2.0 compliance.

Cet article Timeline Update: CMMC 2.0 and the Phenomenon of Midnight Rulemaking est apparu en premier sur RiskInsight.

These incidents, commonly referred to as “supply-chain attacks”, involve targeting an organization’s downstream third parties (e.g., partners, vendors) to gain access to valuable systems. In the Bank of America case, the compromised third party responsible for this breach, was Infosys McCamish Systems (IMS), an insurance process management services provider.

This breach resonates with the infamous SolarWinds cyberattack, where Nobelium hackers inserted malicious code into the SolarWinds Orion platform, enabling them to infiltrate numerous government systems, including the U.S.’ Homeland Security, State, Commerce, and Treasury, as well as private systems worldwide.

As corporate IT architectures are arguably a mere reflection of a company’s intricate web of business relationships, these events serve as a stark reminder that organizations are not isolated entities but rather hubs of interconnected and co-dependent partners and third parties. Achieving a robust cybersecurity posture requires more than individual efforts; it demands cultivating a secure ecosystem of thoroughly vetted trusted partners to effectively safeguard the entire supply chain required for product delivery (TPRM).

However, building such an ecosystem poses challenges. Many companies lack the resources to exclusively select leading, cutting-edge, and trusted third parties or may lack the leverage to demand transparency from existing partners.

Drawing lessons from the SolarWinds cyberattack, and amid heightened geopolitical tensions (see Chinese cyberattacks on U.S. infrastructure at an unprecedented scale), the Department of Defense recognized this challenge and responded with the development of a solution for securing the supply-chain ecosystem of the Defense Industrial Base (DIB) called the CMMC.

The Cybersecurity Maturity Model Certification (CMMC) is a comprehensive framework designed to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI), that is shared with contractors and subcontractors of the Department of Defense (DoD) through acquisition programs.

The CMMC 2.0 Proposed Rule Release, published on December 26, 2023, represents the latest evolution of the CMMC cybersecurity model, poised to supplant the preceding CMMC 1.0 with a more pragmatic approach. Following its release, the proposed policy underwent a 60-day open-comment period, which concluded on February 26, 2024. The new regulation is anticipated to be finalized by late 2024 or early 2025.

The CMMC 2.0 is aimed at safeguarding sensitive national security information by protecting the Defense Industrial Base’s (DIB) sensitive unclassified information from frequent and increasingly complex cyberattacks. It streamlines requirements to three levels of compliance and aligns the requirements at each level with well-known and widely accepted NIST cybersecurity standards. The specific security requirements and assessment types (self-assessment, third-party assessment, or DoD assessment) vary based on the level.

• Foundational (Level 1): Targets organizations handling FCI (e.g., contract performance reports, organizational charts). Compliance mandates strict adherence to the 15 security requirements outlined in FAR clause 52.204-21, through an annual self-assessment.
• Advanced (Level 2): Targets organizations handling CUI, including Controlled Technical Information, DoD Critical Infrastructure Security Information, Naval Nuclear Propulsion Information, and Personally Identifiable Information (PIIs). Compliance requires adherence to 110 security requirements based on NIST SP 800-171 Rev. 2. Assessments are conducted by third-party organizations known as CMMC Third Party Assessment Organizations (C3PAO) tri-annually or through an annual self-assessment, depending on the sensitivity of the underlying CUIs.
• Expert (Level 3): Targets organizations handling CUI for DoD programs with the highest priority. Compliance entails adhering to the 110 security requirements based on NIST SP 800-171 Rev 2 and an additional 24 security requirements based on NIST SP 800-172. These organizations undergo tri-annual assessments conducted by the DoD’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).

Organizations must obtain a CMMC Level 2 Final Certification before scheduling a DIBCAC assessment for CMMC Level 3.

The results of all assessments conducted on DIB organizations are consolidated within the Supplier Performance Risk System (SPRS). The SPRS (pronounced “Spurs”) is Department of Defense’s web platform that collects, processes, and retrieves data on supplier performance within the Defense Industrial Base, enabling the DoD to map the DIB’s business network cyber maturity, assess supplier performance, and evaluate risks related to contractual obligations.

By deploying this mandatory certification model, the DoD is at the forefront of establishing a comprehensive, secure, end-to-end supply chain framework within the DIB, hopefully enhancing long-term U.S. national security. Simultaneously, the DoD underscores that security is no longer optional; it is an integral aspect of business operations.

CMMC 2.0 assessments are expected to become available around Q4 2024 (once 32 CFR is finalized). Prime contractors will expect sub-contractors to achieve CMMC compliance before Q3 2025, when CMMC 2.0 takes effect. Starting October 1, 2025, CMMC certification will be mandatory at the time of contract award.

If you require assistance navigating the intricate landscape of CMMC 2.0 compliance or need support on your path to certification, #Wavestone is ready to empower your journey. Reach out today and elevate your cybersecurity readiness into a strategic advantage.

Cet article The DoD Strikes Back: Enhancing Supply Chain Cybersecurity with CMMC 2.0 est apparu en premier sur RiskInsight.

Paradoxically, only 35% of organizations consider their third-party cybersecurity management process as effective (according to a study conducted by the Ponemon Institute).

How to define an effective third-party cyber risk management strategy? What are the key success factors?

Adapt your third-party cybersecurity strategy to the risks

From business partners to subcontractors and IT service providers, a lot of your suppliers manage or have access to your assets. Therefore, they represent a risk for your organization and thus it is important to ensure they are committed to respect a cybersecurity level that meets your requirements.

Depending on which business perimeter they operate and which type of service they provide, the level of risk would be more or less critical. Therefore, our recommendation is to classify your suppliers to adapt your cybersecurity strategy according to the risks they imply.

Since your suppliers can be thousands, this classification will also allow you to prioritize and keep an acceptable workload for your teams.

In order to do that, our first piece of advice is to inventory your suppliers. We notice that few organizations have an exhaustive cartography and that its realization is a tedious project that requires the involvement of many stakeholders (purchasing, legal, department, business…). Therefore, we advise you to start by defining a process to capture your new third parties and by identifying your suppliers involved in the critical business activities identified in your BIA (Business Impact Assessment). Afterwards, you will be able to extend progressively to other third parties.

From this cartography, you will be able to assess your supplier’s criticality and classify them on a scale with several levels. We advise you to consider the following criteria:

• The business criticality of the project or the asset the supplier is working on;
• The degree of interconnection to your information system;
• The access to sensitive or confidential data;
• The service exposure on the Internet.

Nevertheless, we can observe in our client’s environment that applying those criteria can be challenging due to the lack of information about some third parties. Then, we suggest organizing workshops with cybersecurity teams, IT teams and business teams to validate your cybersecurity classification by expert knowledge.

Example of a classification scale with 3 levels

Consider cybersecurity throughout the whole lifecycle

The feedbacks from the field show that most organizations assess their third party’s cybersecurity level before contracting and include cybersecurity clauses into their contracts. Nevertheless, cybersecurity is not always taken into account thereafter.

We recommend integrating cybersecurity throughout the whole third-party lifecycle by empowering them and adopting a control position.

Third party management lifecycle

During contractualisation

Before the contract signature, the objective is to ensure that the supplier chosen by your business meets your cybersecurity requirements. To do so, we advise you to integrate cybersecurity at each step of the supplier selection process:

• Include your cybersecurity requirements in your Request For Proposals;
• Assess the maturity level of the suppliers responding to your Request For Proposals;
• Provide a cybersecurity recommendation to your business according to the project sensitivity and the risk implied by the third party,
• Include in the contract cybersecurity requirements adapted to the criticality and the type of service delivered.

 During the contract period

 To ensure your third parties respect their cybersecurity commitments throughout the contract period, we advise to:

• Integrate your third parties into your risk analysis when they operate on the scope of a project. For instance, the methodology allows you to identify all the stakeholders involved in a project and to define an action plan to secure and monitor your ecosystem. The implementation of the security measures must be followed-up with the third-party;
• Organize cybersecurity reviews at a frequency adapted to the risks and thus the level of classification. For instance, the most critical third parties can be reviewed at least annually while the less critical ones can be reviewed at contract renewal;
• Define a process dedicated to cybersecurity incidents involving a third party and create emergency instructions;
• Perform audits only when necessary (for instance following a major cybersecurity incident or after identifying a critical risk…)

At the end of the contract

 A contract renewal is an opportunity to perform a new assessment of the third-party cybersecurity posture and if necessary, update the contractual requirements.

If the contract ends, you must apply your reversibility clauses and ensure that cybersecurity is part of the decommissioning of the service provided.

Industrialize third parties’ assessments thanks to market solutions

We observe that many organizations assess and monitor the cybersecurity level of their third parties with proprietary and non-automated questionnaires that require many external resources. In addition, big-sized suppliers may refuse to complete these questionnaires while smaller ones may not always answer correctly.
Furthermore, we also notice that few organizations have yet adopted a mass assessment approach.

In order to rationalize the approach, we therefore suggest giving-up these historical assessment tools to adopt solutions adapted to the supplier classification level and thus be able to scale up.

For the most critical third parties

We advise you to adopt a co-constructive approach with your most critical suppliers, while adopting a position of control. This translates into the following actions throughout the lifecycle:

• Assess your most critical suppliers based on their cybersecurity certifications and compliance reports on the scope of the service provided;
• Define a contractual Security Assurance Plan to precise the security governance of the service;
• Organize security reviews (at least once a year) to control the security level of your suppliers based on the indicators defined in the Security Assurance Plan (maintaining certifications, security incidents, audits, security roadmap…). These committees are also an opportunity to build a relationship of trust with your suppliers, for example by discussing security news and events as well as the conferences that you could do together.

For third parties with a medium to low criticality

In order to take a massive approach in assessing and reviewing the cybersecurity level of your non-critical third parties, market solutions can be used. Indeed, editors and startups (such as CyberVadis, CyberGRX, Risk Ledger…) are positioned on the industrialization of third party’s cybersecurity assessments. This will be the topic of one of our next articles.

Their solutions are based on maturity questionnaires whose results are shared with all their customers. More concretely, these platforms work as follows:

Third party maturity assessment platforms

Although these solutions are currently not customizable according to your organization’s specific requirements, they will allow you to:

• Get cybersecurity assessments tailored to non-critical third parties;
• Reduce the workload of your cybersecurity teams;
• Share third-party assessments with other customers and therefore be able to quickly access assessments already performed;
• Adopt a win-win approach with your suppliers who will share a single questionnaire with all their customers and will be proposed action plans to remedy any discrepancies;
• Popularize third-party cybersecurity management to your business or purchasing teams thanks to didactic scores on different topics.

Ensure the effectiveness of your third-party cybersecurity management process

From business to IT project managers and including purchasing and legal teams, third-party cybersecurity management involves many players in your organization. It can only be successful if your process is well-known and applied by all. Therefore, it is key to train and raise the awareness of all stakeholders.

To ensure that your process is properly implemented, it is important to define and implement controls covering all stages of the supplier management life cycle. As a first step, we recommend that you define realistic targets by focusing on your most critical third parties. Over time, these targets may evolve to consider your suppliers with lower levels of criticality. Your controls may include the classification of your third parties, their assessment and their review at an appropriate frequency during the contract period.

Integrate third-party cybersecurity management in a “Know Your Supplier” approach

Just as the KYC (Know Your Customer) approach in B2C sectors, we suggest that you include third-party cybersecurity management in a KYS (Know Your Supplier) spirit where the objective is to take all supplier risks into account in a consolidated way.

Cybersecurity assessments and notably maturity assessment platforms can be integrated within supplier management tools (source to contract), as well as financial, CSR, environmental impact, anti-corruption and anti-money laundering assessments. This will ease the integration of cybersecurity into your sourcing and supplier review processes.

See you next episode for an article about market solutions that automate the cybersecurity assessments of your suppliers.

Cet article How to define an effective third-party cyber risk management strategy? est apparu en premier sur RiskInsight.