
Navigating the Cybersecurity Maturity Model Certification (CMMC)
Learn how Centre’s Cybersecurity Maturity Model Certification (CMMC) Accreditation Board (AB) Registered Practitioner Organization (RPO) designation helps contractors.
The Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) and related interim rules have focused government contractors’ attention on cybersecurity. The time required to establish the certification program may give some organizations (at least those without cybersecurity obligations in their current government contracts) the impression that they have significant time to comply. But whether they know it or not, government contractors (and other private companies) are already subject to cybersecurity requirements separate and apart from their contractual obligations. Waiting to comply with the CMMC leaves organizations non-compliant with existing obligations.
Even organizations that reach certain CMMC Levels may not be compliant with their other obligations. Certifying a level of maturity lower than these obligations can create headaches, especially in the wake of a data breach. Organizations must understand the risks involved in obtaining the wrong level of certification.
"...enforcement authorities expect organizations to implement “basic” cybersecurity controls even in the absence of specific statutory or regulatory requirements."
"Any organization that collects personal information, including their employees’, arguably has a legal duty to implement some level of cybersecurity."
The Department of Defense implemented the CMMC because contractors were not meeting existing contractual cybersecurity obligations. The CMMC process will eventually require third-party assessors to validate the maturity level of a contractor’s cybersecurity program.
The CMMC assesses organizations under two broad categories: processes and practices. An organization’s overall maturity level is the lower of its maturity level in these two categories. For instance, an organization with excellent practices (e.g., it has implemented many advanced technical controls) but with little to no formal documentation would have the lowest level of maturity.
Under the current CMMC process, an organization’s maturity level will not be made public, but the fact that an organization is certified will be. Much like other cybersecurity certifications (e.g., PCI DSS), regulators, plaintiffs’ lawyers, and similar entities will demand the underlying work papers when they have the authority to do so (e.g., in discovery). Ultimately, CMMC documentation may serve as a roadmap for third parties seeking to prove that an organization lacked reasonable security. This is especially true for the Level 1 maturity level, which lacks the rigor that many enforcement authorities look for in a cybersecurity program.
The current CMMC guidelines do not require a process assessment for the lowest level of maturity, assuming that processes are ad hoc. The assessed practices must only meet the FAR 52.204-21 requirements. These requirements are the “most basic level of safeguarding” as established in 2016. Technology has advanced significantly since then.
While minimum standards are appealing to subject organizations, the requirements for CMMC Level 1 are so low that meeting only those requirements could raise concerns about an organization’s security program. First, the practice requirements established at Level 1 are below what many enforcement authorities expect today. Second, the process requirements are non-existent, when most enforcement authorities require systematic processes.
CMMC Level 1 requires only the most basic security controls. These security controls may not be “reasonable” for the sensitivity of data that an organization collects. For instance, the CIS 20 includes training, penetration testing, and red team requirements, whereas the FAR clause is silent on these issues. Then-AG Harris considered the CIS 20 as the minimum for any personal information; certifying to a lesser standard, especially in cases where more sensitive information is stored, could be problematic.
Next, many enforcement authorities would view an ad hoc security program as unreasonable, even though such a program is sufficient for CMMC Level 1. As an example, the FTC has included in its recent consent decrees a requirement that organizations present their board or equivalent with the organization’s written information security program.
Organizations that seek CMMC Level 1 certification should ensure that the paperwork surrounding the process is clear that the assessor did not examine their entire cybersecurity program, and only looked at the practices necessary for the organization to meet its DFARS requirements.
The CMMC has 5 levels of maturity. Level 3 contains all requirements necessary for an organization to store, transmit, or process Controlled Unclassified Information. Level 2 bridges Level 1 and Level 3, while Levels 4 and 5 have requirements that attempt to mitigate the risk from Advanced Persistent Threats.
Organizations should examine the requirements of the CMMC level they are seeking and compare it with their other legal obligations. For instance, the Level 2 process requirements include practices and policies for the specific practice domains, but do not currently require an overarching security program. The Level 2 practices do contemplate basic risk assessments, but there is not a requirement to conduct periodic risk assessments of the type that the FTC has required in consent decrees. In short, Level 2 process requirements may not meet the requirements in other legal regimes.
This post has focused on some of the most generally applicable cybersecurity legal regimes, but some industry sectors, such as financial services and healthcare, have more specific requirements. Organizations with these specific requirements should ensure that their CMMC Level requirements match on a line-by-line basis with their other obligations. Each enforcement regime has different priorities, and what may be a critical control for one may not be for another.
The CMMC may be some organizations’ first introduction to formal cybersecurity requirements. Organizations need to ensure that they are not designing their cybersecurity programs to the CMMC maturity levels, since these levels likely do not represent an organization’s full set of legal requirements. More practically, the CMMC requirements, especially at the lower levels, are unlikely to be sufficient to mitigate the threat of data breaches.
Organizations seeking CMMC certification should consider that effort as one part of a broader cybersecurity program that is compliant with an organization’s full set of legal requirements, as well as appropriate to the organization’s actual needs. A failure to do so could result in unwanted legal and technical risk.
Brandon Graves is a Partner at Centre Law & Consulting focusing on cybersecurity practices. He helps clients manage everything from crises related to security breaches, regulatory investigations, and disputes, to helping companies operate more securely in their normal course of business. Recently, Brandon has assisted companies in investigating entry to new markets, complying with new government supply chain regulations, and preparing for certification under the DoD’s Cybersecurity Maturity Model.