Dave Stevens

CIS 720 Seminar – Trends in Cybersecurity: The Cybersecurity Maturity Model Certification (CMMC)

Please join us at the CIS 720 Seminar tomorrow, October 12 (4:30p-5:30p), for David Stevens’ presentation on “Trends in Cybersecurity: The Cybersecurity Maturity Model Certification (CMMC)”.

Abstract: 

The largest buyer of goods and services in the world is the US Federal Government, particularly the Department of Defense (DoD). Almost all acquisitions by US Executive Branch agencies are subject to the Federal Acquisition Regulations (FAR). These include contracts issued by the US Military and NASA. These regulations have supplemental regulations, closely governed by the FAR, placing further restrictions or requirements on contractors and contracting officers. One of these is the Defense Federal Acquisition Regulation Supplement (DFARS), used by the DoD. Issued in Oct. 2016, a new clause in the DFARS (252.204-7012 – aka: 7012) covered the Safeguarding of Covered Defense Information (CDI) and Cyber Incident Reporting.

The DFARS 7012 clause directed DoD contractors to ensure that the confidentiality of CDI and Controlled Unclassified Information (CUI) was maintained by self-attesting to the implementation of the security controls defined in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 by Dec. 31, 2017. Some DoD contracting organizations self-attested to implementing these controls without actually being in compliance and were later victims of data breaches. The cyber incident investigations into these breaches revealed that the lack of required DFARS 7012 compliance weakened the organizations’ computing systems and allowed attackers to steal data from their networks. The US Federal Government sued these organizations for fraud. Some, most notably AT&T and Cisco, paid millions of dollars in damages.

In an attempt to confirm contractor compliance with DFARS 7012, the DoD came up with the Cybersecurity Maturity Model Certification (CMMC) as a verification mechanism designed to ensure that cybersecurity controls and processes adequately protect CDI and CUI residing on Defense Industrial Base (DIB) systems and networks. The Office of the Undersecretary of Defense for Acquisition and Sustainment (OUSD (A&S)) started the process of creating the CMMC in March 2019, with the finalization of CMMC v1.0 expected in January 2020. This has been delayed until Spring 2021. After the implementation of the CMMC requirement, contracting organizations must have an official CMMC compliance audit and score before bidding on, or accepting, DoD contracts. DoD contractors will have to pay for a new audit every three years. These audits could easily cost over $30,000. The CMMC will be difficult to implement, expensive for companies to have an official audit, and impacts over 300,000 companies in the US. The unsustainable recurring audit cost of the CMMC for small and medium businesses (SMBs) could result in the elimination of many DoD contractors. This could have an immediate negative effect on the DIB supply chain.

Why is the CMMC necessary? What does compliance entail? Will it be effective? This presentation will provide an overview of these developments and highlight potential areas for future research.

Bio:
David Stevens is a first-year CIS PhD student and a full-time Information Technology Instructor at Kapi’olani Community College (KapCC), teaching a range of technology-related courses, including programming, databases, network security, project management, cloud-based computing, and ethical hacking. Prior to joining academia, he had a 20-year IT career, which included working as a programmer, website developer, project manager and cryptographer. His interest in cyber-security compels him to continually research, analyze, solve, discuss, and educate on the ever-increasing number of vulnerabilities associated with most web-based applications that rely on user authentication for access. For his dissertation research, he plans to focus on secure online voting systems and their secure implementation.