| What: | Evolution of securing CUI and development of CMMC |
| When: | The CMMC final rule went into effect in December 2024 and will start appearing in contracts at the end of 2025. |
| Why it matters: | The Defense Department is on the cusp of implementing the Cybersecurity Maturity Model Certification (CMMC) program after years of government efforts to fix systemic weaknesses in how the federal government and its contractors handle sensitive information. |
Politics
How CMMC is addressing years of systemic failures in protecting sensitive data
The Defense Department is on the cusp of implementing the Cybersecurity Maturity Model Certification (CMMC) program after years of government efforts to fix systemic weaknesses in how the federal government and its contractors handle sensitive information.
The origin story of CMMC goes back more than 20 years — to the post-9/11 series of reforms like the Homeland Security Act of 2002 and the Intelligence Reform and Terrorism Prevention Act of 2004, which triggered a governmentwide effort to improve the information sharing environment of not just classified but also sensitive information. Spurred by the 9/11 Commission Report, which found deep flaws in how government agencies shared critical intelligence, the federal government kicked off a concerted effort to better identify and protect sensitive unclassified information.
The term controlled unclassified information (CUI) emerged during this period, as federal agencies started to better understand and explain the concept of unclassified data that still needed protection.
In 2010, President Barack Obama issued Executive Order 13556, which directed the National Archives and Records Administration to implement uniform program for managing controlled unclassified information.
“At present, executive departments and agencies employ ad hoc, agency-specific policies, procedures and markings to safeguard and control this information, such as information that involves privacy, security, proprietary business interests and law enforcement investigations. This inefficient, confusing patchwork has resulted in inconsistent marking and safeguarding of documents, led to unclear or unnecessarily restrictive dissemination policies and created impediments to authorized information sharing. The fact that these agency-specific policies are often hidden from public view has only aggravated these issues,” the executive order stated.
NARA’s role included establishing a single governmentwide CUI registry, which standardized the way all federal agencies handled CUI. But it was not until 2016 that the federal government formally codified the CUI program through 32 CFR Part 2002, establishing baseline safeguards for how agencies protect and manage the information.
Then there was another effort unfolding in parallel — the federal government’s shift to a standardized, risk-based approach to information security. The Federal Information Security Modernization Act (FISMA), first enacted in 2002 and updated in December 2014, defined a framework for how agencies assess and mitigate cybersecurity risk.
As a result, the National Institute of Standards and Technology (NIST) developed a series of foundational documents — Federal Information Processing Standard (FIPS) 199 provided a framework for categorizing information systems based on their impact on organizational operations; FIPS 200 outlined the baseline security requirements for agencies’ information systems; and NIST Special Publication 800-53 provided a catalog of security and privacy controls for information systems.
Together, these documents helped federal agencies to manage information security in a more coherent manner.
Meanwhile, a series of cyber incidents in the early 2000s prompted the Pentagon to launch the Defense Industrial Base Cybersecurity Program in 2007. And by 2013, the DoD introduced the Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 — the oldest of four clauses in the DFARS 70 series — requiring contractors to protect certain sensitive data and implement a set of cybersecurity controls.
Then, on April 15, 2015, IT staffers noticed a strange signal coming from the Office of Personnel Management. The event turned out to be the largest and most significant data breach in the history of the federal government. The breach fast-tracked the publication of a long-in-development set of requirements — NIST SP 800-171 — a streamlined set of 110 controls tailored to protect CUI in non-federal systems.
In 2016, DoD updated DFARS 7012 to require contractors to implement all 110 controls from NIST 800-171, but compliance was largely self-reported, leaving major gaps in implementation and enforcement of critical cybersecurity practices.
Subsequent audits by the DoD Inspector General found widespread noncompliance, all the while foreign adversaries continued to exploit weak links in the defense supply chain.
“We saw the increase in cyber espionage, even some of the large contractors having security incidents regarding foreign adversaries accessing DIB information. You look at critical infrastructure, the estimates are somewhere between 400,000 to 700,000 companies. You combine that with these small, five person companies in the manufacturing sector, or just lower down on the value chain that really were a weak link in the supply chain. They were an opportunity for these foreign adversaries to infiltrate the supply chain and gather data and things that really can cause harm. And I think DoD recognized that their enforcement mechanisms, the FAR clauses, weren’t as effective as they needed to be,” Katie Stewart, who served as a senior member of the technical staff with the Software Engineering Institute of Carnegie Mellon University, told Federal News Network.
Then Congress took notice.
Enter CMMC
The 2020 National Defense Authorization Act directed the Defense Department to develop a framework, now known as CMMC, for verifying contractor cybersecurity are compliant with the Defense Department’s cybersecurity requirements.
Initially released as version 1.0 in 2020, CMMC introduced five levels of cybersecurity maturity, ranging from basic hygiene to advanced cybersecurity practices. The documentation and process requirements mirrored industry standards like CMMI.
“When CMMC 1.0 and the five levels were established, it really had this idea of how we can give industry a tool for improvement. It wasn’t just going to be we are going to grade you and you pass or you fail. It was, ‘Start at level one, move to level two when you’ve accomplished level one. That introduced a lot of challenges and feedback, rightfully so,” Stewart said.
Small and medium-sized businesses found the five-level model to be overly complex and too costly to implement. Plus, businesses argued the model was too burdensome and rushed, especially since it wasn’t yet tied to an official rule.
In 2021, the Defense Department unveiled CMMC 2.0, a more streamlined version of the original framework that reduced the number of levels from five to three and aligned more closely with NIST 800-171. It also removed many of the documentation requirements from the lower levels, allowing self-assessments for Level 1 certification and some Level 2 cases and reserving third-party assessments for contracts involving sensitive CUI.
“The CMMC 1.0 had a lot more documentation requirements that are implied in 2.0 but are not spelled out explicitly. Another kind of challenge was, and I think is one of the hardest things about this model and the development of this model, is that it’s a one-size-fits-all. I think there was value in the 1.0 model structure, but I think in reality the way that the model is today is probably the correct format and it makes more sense that way,” Stewart said.
CMMC applies to any organization supporting the Defense Department and working with Federal Contract Information, CUI, Covered Defense Information, Controlled Technical Information, or export-controlled data.
DoD estimates that there are 220,000 to 300,000 companies in the defense industrial base, and roughly 80,000 will need to achieve a CMMC level 2 certification, and another 1,500 will need to achieve CMMC level 3.
The CMMC final rule went into effect in December 2024, but implementation of the program has not begun since the follow-on rule to update contractual requirements in the DFARS is still in the rulemaking process. In the meantime, DoD has encouraged contractors to start preparing for eventual assessments.
Looking ahead
Stewart said CMMC is here to stay, and that federal civilian agencies will likely follow suit.
“Tying it to 801-171 is good and bad. In a way the program kind of has to wait on this as they make updates. CMMC will always kind of take a little bit of time to kind of adopt the new requirements as they come out. Will it be that way forever? I don’t know. There may be a time where the role of NIST is different in this, but that’s just pure speculation. I think one of the biggest signals that we’ve seen is the CUI rule that is in draft right for the federal civilian space,” Stewart said.
“I have always kind of said that federal civilians are waiting to see how DoD does with CMMC before they kind of put their foot in the water. CUI is not a DoD designation, it’s a NARA designation, it’s governmentwide. So there’s no reason why you’re not going to see other organizations kind of follow suit behind DoD. What I hope is that there is some sort of reciprocity in place, right, that we’re not reinventing the wheel. I’m hoping there’s some consolidation and some efficiency gained for organizations that do work and in both spaces,” she added.
The post How CMMC is addressing years of systemic failures in protecting sensitive data first appeared on Federal News Network.
