DIB companies must stay aware as CMMC-like programs appear abroad
By: Logan Hamilton, NDIA Junior Fellow
In early 2020, the U.S. Department of Defense unveiled its Cybersecurity Maturity Model Certification (CMMC) program, which seeks to bolster defense contractors’ cybersecurity postures with respect to critical unclassified information (CUI). Although the specifics of the CMMC’s implementation are still being reviewed through DoD’s rulemaking process and are subject to change, CMMC generally requires defense contractors to adhere to certain cybersecurity standards depending on the sensitivity of the contract at issue. NDIA has already extensively covered the CMMC program since its inception and has both engaged in town halls with government and worked to educate its members on compliance.
For multinational defense corporations, however, the CMMC may be just one CUI-related cybersecurity legal regulatory regime they may be required to comply with. U.S. allies, such as the United Kingdom and Canada, two of this country’s closest defense allies, have implemented their own cybersecurity regulations for defense contractors which are functionally similar to the U.S.’s CMMC, though differing in specific requirements. The potential for conflicting cybersecurity regulations illustrates that companies must remain vigilant of regulatory requirements, which can be more or less strict than American standards, when doing business in foreign markets to avoid violations.
In the United Kingdom, the “UK Defence Supply Base” (DSB) is required to comply with the UK Ministry of Defense’s (MOD) Cyber Security Model, which builds upon the basic elements of the UK’s Cyber Essentials Scheme (CES). As further outlined in Defence Standard 05-138 Issue 3 and Defense Cyber Protection Partnership Cyber Security Model Industry Buyer and Supplier Guide, the contracting authority (for example, the Royal Air Force) first conducts a risk-assessment of the contract and creates a “Cyber Risk Profile.” Depending on the assessed risk profile, a contractor must implement various cyber security measures to protect MOD information. For example, a not-applicable risk profile “does not require specific cyber control measures,” a very low risk profile requires compliance with CE, and risk profiles low and greater require compliance with CEP plus additional restrictions, such as implement and test regular backups of data offline and off-site, deploy network-based IDS sensors on ingress and egress points within the system, undertake personnel risk assessments of employees/contractors, and etc.
Bidding contractors then complete a self-assessed Supplier Assurance Questionnaire (SAQ) to determine if they can meet the cybersecurity requirements of the project. If the contractor is unable to meet the cybersecurity requirements, the contractor can provide a Cyber Implementation Plan (CIP), which outlines what steps and timelines will be taken to meet those requirements, and which is incorporated into any resulting contract. Finally, the contracting authority chooses a contractor based on the SAQs with supporting documentation (such as a CIP). The chosen contractor must meet the contractual cybersecurity requirements and must recomplete the SAQ annually as well as “comply with the contract’s conditions regarding record keeping and audit and make available all records associated with compliance to DEFCON 658 on request.” All-in-all, the UK regime for cybersecurity regulation of defense contractors imposes baseline cybersecurity requirements with some prerequisite certifications required, and with verification reliant on SAQs.
Somewhat analogous to the U.S.’ CMMC, defense contractors in Canada are subject to the Contract Security Program (CSP) to ensure sufficient cybersecurity requirements are met. Like CMMC, the CSP security requirements are tailored to the individual contract as opposed to a minimum standard that must be met. Unlike the CMMC, however, CSP validation is subsequent to award of the contract and preliminary physical security measures confirmation. Foreign organizations are also required to undergo additional security authorizations and clearances
Under the CSP, in order to produce, process, or store sensitive information, defense contractors must have valid clearances and are required to appoint a company security officer, who must complete a security checklist and technical documentation. This is reviewed by a CSP IT security inspector, who evaluates the contractor’s systems to ensure appropriate safeguards and may interview all individuals working on the contract. The security inspector then furnishes their recommendations, which the contractor must then attest in a declaration letter that they have completed the recommendations. Only once the attestation letter is received and the PSPC issued an Authority to Process IT approval letter, can the defense contractor store sensitive information electronically.
This brief overview of two of the U.S.’s closest allies’ regulatory cybersecurity regimes indicates that, especially in the highly sensitive defense industry, multinational corporations can face conflicting directives. In addition to the DoD’s ongoing CMMC, allied nations all have their own specific cybersecurity regulations which can conflict, especially given national security concerns for information analogous to CUI. However, companies with strong data security practices already in place will find it easier to adjust to individual nations’ regulations. Moreover, the US and allied nations are likely to either reach bilateral agreements concerning their respective cybersecurity regulations or a more comprehensive multilateral agreement that sets minimum cybersecurity standards.
NDIA remains committed to helping its members navigate the growing regulatory apparatus in cybersecurity. Stay tuned for an announcement of our next CMMC webinar during Summer 2022 and be sure to join the conversation on NDIA Connect!
Logan Hamilton is a NDIA Junior Fellow.
 It is also important to note that if a contractor will be processing information that includes personal data, they would likely also be subject to additional requirements under the E.U.’s General Data Protection Regulation (GDPR) and the U.K.’s The Data Protection Act of 2018.
 CES provides two levels of cybersecurity certification and annual assessed that companies can apply for, although Cyber Essentials (CE) is self-assessed and Cyber Essentials Plus (CEP) requires independent auditing.
 MOD information, also referred to as MOD Identifiable Information (MODII), can be seen as analogous to CUI. As defined in Cyber DEFCON 658, MODII is “all Electronic Information which is attributed to or could identify an existing or proposed MOD capability, defence activities or personnel and which the MOD requires to be protected against loss, misuse, corruption, alteration and unauthorised disclosure.”
 Defense Cyber Protection Partnership, Defense Cyber Protection Partnership Cyber Security Model Industry Buyer and Supplier Guide, June 2018 3.
DEFCON 658 is a cybersecurity protocol applicable to contracts involving transfer of MODII to adhere to specific requirements (such as record keeping and audits), meet DEFSTAN 05-138 standards, and applies to both prime and subcontractors.
 Under the auspices of the Policy on Government Security, Defence Production Act, Public Works and Government Services Canada Act, and the Controlled Goods Regulations.
 Canada designates information based upon who could be harmed by unauthorized disclosure. Somewhat analogous to the US’ CUI and UK’s MODII, Canada designates certain information as Protected (Protected A, B, or C) depending upon the level of harm unauthorized disclosure would cause to a non-national interest such as an individual or organization.