What is CMMC?

Overview

The US Department of Defense recently released the Cybersecurity Maturity Model Certification (CMMC) program. This is the latest evolution of the DoD's program to protect the government's Controlled Unclassified Information (CUI).


The DoD enforces requirements through contract clauses in the Defense Federal Acquisition Regulation Supplement (DFARS). If your company supplies equipment or services to the DoD - directly or through one of their suppliers - then your company has to accept these clauses. 

Contract Terms that Define CMMC

DoD contract clauses include requirements for handling CUI, and these have evolved over the past few years:

DFARS 252.204-7012 outlines the basic requirements for protecting CUI. This is based on 110 controls defined in NIST 800-171. Organizations must assert that they are meeting most of these controls, with a Plan of Action and Milestones (POAM) to meet the remaining controls. This clause also requires the organization to notify the government customer if there is a cyber incident that puts the government CUI at risk. 

The -7012 clause was first introduced in 2017. In 2023, the government introduced three new clauses relating to CUI: -7019, -7020, and -7021.

DFARS 252.204-7019 expands the reporting requirements of -7012. Organizations must perform an assessment of their systems to generate a score. That score must be reported to the Supplier Performance Risk System (SPRS) website, where government agencies and prime contractors can review it. These assessments and scores must be updated every 3 years.

DFARS 252.204-7020 defines different assessment levels for -7019. Depending on the type of CUI data, the assessment may be performed by the organization itself or by a government team. This clause also asserts that the government agency will have access to perform these reviews if it decides to do so.

DFARS 252.204-7021 creates the CMMC program. This program defines 3 levels of suppliers, with different assessment requirements for each level. Level 1 suppliers must meet 15 basic controls from NIST 800-171, and the assessment is performed by the organization itself. Level 2 suppliers must meet all 110 controls and be assessed by a certified CMMC Third Party Assessment Organization (C3PAO). Level 3 suppliers must be assessed directly by government officials. In a clarification letter, the DoD confirmed that CMMC will align to NIST 800-171 rev. 2, even though rev. 3 was issued in 2024.

The full CMMC program was released in late 2024, with the first contracts requiring -7021 being issued in early 2025.

Impact of CMMC to Test Teams

CMMC has a clear impact on IT teams. Those teams must ensure that the organization's data systems - email, data storage, office tools, and development tools - comply with CMMC requirements. In most companies, IT is the group responsible for complying with CMMC, obtaining the assessments, and signing the statements asserting compliance.

For the past few decades, test systems have been excluded from many of these security programs. But test systems handle sensitive government data, including CUI. Test systems connect to the systems that are being deployed to government networks, so a malicious attack on a test system can result in compromised government systems. Test systems are an important part of a security defense, and they must be included in a CMMC assessment.

This means that test systems must comply with the NIST 800-171 controls. But compliance with these controls must be approached differently from mainstream IT systems. For example, IT controls require frequent updates to keep systems current. Test systems cannot be updated at the same frequency: each update must be fully tested to ensure continued operation, and it must be applied between tests. Applying an update in the middle of a test may result in test delays, or even in safety issues.

To account for these differences, test equipment is grouped with Operational Technology (OT) rather than Information Technology (IT). NIST 800-82, Guide to Operational Technology (OT) Security, offers guidance for understanding how security differs between IT and OT systems. This is an important document for IT teams creating a security strategy for test systems.

Test System Security

NI works closely with test teams around the world to secure their test systems against malicious attacks. Successful teams implement these security principles:

  • Create a clear and open communication channel with the IT Security team as early as possible. Work to understand their mandates and guidelines, and take time to introduce them to how test operations work. 

  • Adopt a secure development framework into your development process. NIST 800-218 provides a set of practices your team should be following to produce secure solutions.

  • Work with reputable suppliers who can provide the features and documentation you'll need. It's much easier to demonstrate your system is secure if the components come from companies who take security seriously. You'll reduce your paperwork burden if the supplier can provide documents like SBOMs, Letters of Volatility, compliance matrices, and secure implementation guides. 

  • Develop a culture of security and train your team to take security seriously.

  • Generate a plan for ongoing security. Updating test systems puts a real burden on a test team: it is disruptive to test workflows, and it may require re-validation of the system. You need an ongoing plan for these updates that matches your operational flow, and you need to make sure your customer or your company is ready to fund them.

  • Learn from others. NI hosts a Test System Security Summit twice per year, and publishes the presentations to the Test System Security Forum. Get involved in these meetings to ask your questions and to learn about industry best practices. 

To learn more about the requirements described by NIST 800-171, refer to CMMC Requirements.
