Cybersecurity Maturity Model Certification (CMMC) Model Overview

The theft of intellectual property and sensitive information from all industrial sectors through malicious cyber activity threatens both economic security and national security. The Council of Economic Advisers estimates that malicious cyber activity cost the U.S. economy between $57 billion and $109 billion in 2016 [1]. The Center for Strategic and International Studies estimates that the total global cost of cybercrime was as high as $600 billion in 2017.

Malicious cyber actors have targeted, and continue to target, the Defense Industrial Base (DIB) sector and the supply chain of the Department of Defense (DoD). The DIB sector consists of more than 300,000 companies that support the warfighter and contribute toward the research, engineering, development, acquisition, production, delivery, sustainment, and operations of DoD systems, networks, installations, capabilities, and services. The aggregate loss of intellectual property and certain unclassified information from the DoD supply chain undercuts U.S. technical advantages and innovation as well as significantly increases risk to national security.

As part of multiple lines of effort focused on the security of the DIB sector, the DoD is working with industry to enhance the protection of the following types of unclassified information within the supply chain:

  • Federal Contract Information (FCI): FCI is information, not intended for public release, that is provided by or generated for the Government under contract.
  • Controlled Unclassified Information (CUI): CUI is information that requires safeguarding or dissemination controls pursuant to and consistent with laws, regulations, and government-wide policies, excluding information that is classified under Executive Order 13526, Classified National Security Information, December 29, 2009, or any predecessor or successor order, or under the Atomic Energy Act of 1954, as amended.

To this end, the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) has developed the Cybersecurity Maturity Model Certification (CMMC) framework in concert with DoD stakeholders, University Affiliated Research Centers (UARCs), Federally Funded Research and Development Centers (FFRDCs), and the DIB sector.

This document focuses on the CMMC model. The model encompasses the basic safeguarding requirements for FCI specified in Federal Acquisition Regulation (FAR) Clause 52.204-21 and the security requirements for CUI specified in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Revision (Rev) 2, as required by Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012. DFARS Clause 252.204-7012 also specifies requirements beyond the NIST SP 800-171 security requirements, such as cyber incident reporting. CMMC is designed to provide assurance to the DoD that a DIB contractor can adequately protect CUI at a level commensurate with the risk, accounting for the flow of that information down to its subcontractors in a multi-tier supply chain.

When implementing the CMMC model, a DIB contractor can achieve a specific CMMC level for its entire enterprise network or for one or more segments or enclaves, depending on where the information to be protected is handled and stored. Whatever scope is chosen, it must include every system within that boundary that handles or stores the FCI or CUI in question, since those are the systems the assessment covers.
