August 2020

Mandatory Cyber Security standards are on their way in the US and could impact UK business with the US

It is often said that what happens in the US crosses the pond and becomes the norm in the UK within 5 years, and then crosses to Europe in the following 5 years.

In its June 2020 Defense Acquisitions Assessment Report, the US Government Accountability Office detailed US Defense spending commitments of around $1.8 trillion. In the next financial year, the US Department of Defense (DoD) is budgeted to spend $137 billion on procurement and a further $106.7 billion on research and development activity.

In March this year the DoD released version 1.1 of its Cybersecurity Maturity Model Certification (CMMC), a unified standard for implementing minimum cybersecurity requirements across the entire DoD supply chain of some 300,000 companies. It has come about because of significant compromises of contractors’ IT systems containing sensitive defence material.

All DoD contractors will eventually be required to complete a CMMC assessment and certification, which has to be renewed every 3 years. This includes all suppliers at all tiers along the supply chain, small businesses, commercial item contractors and foreign suppliers.

Here in the UK, the MoD standards are nowhere near as comprehensive as those which will be imposed by the CMMC. With the introduction of CMMC from 2021, the UK defence industry base may have to deal with the supply chain security requirements for MoD suppliers and, on top of this, the potentially more detailed assessment for those who supply the DoD.

The CMMC framework

CMMC requires a third-party assessment of suppliers’ and their sub-contractors’ compliance with the procedures and capabilities set out below. The requirements are not static and will change as new cyber threats evolve.

The CMMC establishes five certification levels. They are tiered, each building on the technical requirements of the level below it, and can be briefly summarised as:

Level 1: “Basic cyber hygiene” practices, such as using antivirus software or ensuring employees change passwords regularly, to protect Federal Contract Information (FCI). FCI is “information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government.”

Level 2: A company must document “intermediate cyber hygiene” practices to begin to protect any Controlled Unclassified Information (CUI). CUI is information that law, regulation, or government-wide policy requires to have safeguarding or dissemination controls. The company must implement and comply with the US National Institute of Standards and Technology (NIST) Special Publication 800-171 Revision 1 security requirements.

Level 3: The company must have a formal management plan to implement “good cyber hygiene”, including all of the NIST SP 800-171 Revision 2 security requirements.

Level 4: In addition to the requirements of Levels 1-3, the company has to have processes which review and measure the effectiveness of its practices in dealing with an advanced persistent threat (APT). An APT is defined as an adversary that possesses sophisticated levels of expertise and significant resources that allow it to create opportunities to achieve its objectives by using multiple attack vectors.

Level 5: This is the highest level, where the company must have standardized and optimized processes in place across the organization, together with additional enhanced practices that provide more sophisticated capabilities to detect and respond to APTs.

When will CMMC compliance be necessary?

It is thought likely that a small number of new DoD requests for proposals (RFPs) will be released in late 2020 and will define the required level of cyber security maturity. However, whilst it will be possible to tender against these RFPs, it will not be possible to deliver against them until an appropriate CMMC assessment certificate has been obtained.

The role of the CMMC Accreditation Body

The CMMC Accreditation Body (CMMC-AB) liaises directly with the DoD to develop procedures to certify the independent CMMC Third-Party Assessment Organizations (C3PAOs) and assessors that will evaluate companies’ compliance with the CMMC levels.

What should a UK company who deals with the DoD be doing?

The first stage for any company is to identify its existing DoD contracts and check whether they involve either Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). If a company processes FCI, it should review the CMMC Level 1 and Level 2 maturity practices, evaluate whether it complies with the standard, and appropriately mitigate any gaps.

If a company processes CUI data, it should initially evaluate the CMMC Level 3 maturity practices, assess whether it complies with the standard, and appropriately mitigate any gaps.

Review RFIs and RFPs

RFPs will soon start to contain CMMC requirements.

Look to see whether they include minimum certification requirements, and check that the assessed level is not unnecessarily burdensome and gives you enough clarity about the certification level your business will require.

Clearly document your existing practices and procedures against those requirements, noting which already comply with CMMC practices or processes, so that you can see whether any further work is needed to achieve the appropriate level.

Be agile

CMMC certification will be a minimum requirement for eligibility for DoD contract awards, and it is just a starting point for transforming contractors’ internal cybersecurity culture.

It is not a “fire and forget” process in which achieving a level once is enough. You must be prepared to deal with ever-evolving threats, foster a culture of cyber resilience and flexibility, and be prepared to invest more.

CMMC could just be the beginning

Whilst CMMC is being developed for the DoD, other US federal agencies are already looking to adopt the standard, and we expect it to have a much broader impact on UK companies dealing with the US.

With ever-increasing concern at all levels about cyber security, it is easy to foresee the CMMC approach gaining traction with other large purchasing organisations that have complicated and fragmented supply chains, such as our own MoD or even the NHS, as well as with large multinational organisations.

If you have any questions, please contact a member of our Technology and Innovation Team.
Please note this paper is intended to provide general information and knowledge about legal developments and topics which may be of interest to readers. It is not a comprehensive analysis of law nor does it provide specific legal advice. Advice on the specific circumstances of a matter should be sought.