The Cybersecurity Maturity Model Certification (CMMC) provides a framework for companies throughout the Defense Industrial Base (DIB) and allied industries to adopt cybersecurity policies and procedures.
The Department of Defense (DoD) has set periodic deadlines for CMMC certification: the rollout began with a self-assessment requirement for current contractors in November 2020, with CMMC requirements beginning to appear in selected contracts from January 2021. By fiscal year 2026, all new defense contracts are expected to require CMMC certification.
What is CMMC?
The CMMC is the Department of Defense's new method for certifying the cybersecurity posture of its contractors. The certification validates that a contractor has the cybersecurity controls and policies in place to meet the DoD's security requirements. Before CMMC, companies could self-certify their compliance with the relevant Defense Federal Acquisition Regulation Supplement (DFARS) clauses, which are based on NIST standards. Enterprises in the DIB were never required to demonstrate that they actually followed those standards, so companies with security weaknesses could keep selling products and services to the DoD. Predictably, breaches, disruptions and theft of intellectual property occurred across the defense supply chain as a result.
The DoD aims to accomplish the following through the CMMC:
- Verify that contractors have robust procedures in place to safeguard the DIB's networks and systems against current and future cyber threats
- Provide confidence by requiring independent third-party validation
- Establish compliance levels aligned with different degrees of risk
- Encourage stronger security at a cost that is sustainable for the federal government
What are the Benefits of CMMC Certification?
What are the 5 Levels of CMMC?
The certification level required for a specific contract will be stated in the DoD's RFIs and RFPs. The higher a company's CMMC level, the more DoD contracts it is eligible to bid on. The DoD publishes a detailed description of the process and practice requirements for each level.
Level 1 (Basic Cyber Hygiene), the minimum certification level, requires only basic cyber hygiene and the performance of the practices; no process maturity is assessed. Its 17 practices correspond to the 15 basic safeguarding requirements in Federal Acquisition Regulation (FAR) 48 CFR 52.204-21 and map to 17 requirements in NIST SP 800-171 Rev 1. Examples include requiring antivirus software and sanitizing or destroying media containing Federal Contract Information (FCI) before disposal or reuse. A company that is already obliged to safeguard FCI should have all of these practices in place and therefore meet CMMC Level 1.
Because these practices are already expected of government contractors, an organization seeking Level 1 will typically only need to obtain the certification from a third-party assessor organization. Assessors will check that the organization performs all 17 practices, but will not require documented processes or assess process maturity.
Securing and documenting data is central to Level 2 (Intermediate Cyber Hygiene), whose process maturity level is "Documented". Beyond the Level 1 requirements, this level demands intermediate cyber hygiene and written documentation of all CMMC practices and policies. Assessors will expect the business to have a comprehensive set of policies.
Level 2 requires 72 practices in total: the 17 from Level 1 plus 55 new ones. Of the new practices, 48 are drawn from NIST SP 800-171 Rev 1 and seven more are additional practices supporting intermediate cyber hygiene. They include rules on account access privilege levels, establishing an incident response plan, and other mid-level cyber hygiene measures.
Level 3 (Good Cyber Hygiene) requires the full set of good cyber hygiene practices. In addition to documenting its practices and policies, an organization must establish, maintain and resource a plan that covers all of its activities. A Level 3 certification shows that a company has reached the "Managed" process maturity level.
Level 3 comprises 130 practices in total: all 110 requirements of NIST SP 800-171 Rev 1 plus 20 more practices that promote good cyber hygiene. At this level a company must, for example, test its incident response capability and mark all media containing Controlled Unclassified Information (CUI) with CUI markings and distribution limitations.
Level 4 (Proactive), the second-highest certification level, adds proactive practices to improve detection and response. Organizations at this level are better prepared for cybersecurity incidents and better able to prevent them. In addition, an organization must periodically review the effectiveness of its processes and their conformance with the standard, and report the findings to senior management (the "Reviewed" process maturity level).
Level 4 includes all the practices from Levels 1-3 plus 11 practices from the NIST SP 800-171B draft and 15 other practices, 156 in total. Practical exercises and training are required at Level 4, as is a security operations center with 24/7 response capability. To obtain Level 4 certification, an organization must have practices in place to detect and respond to changes in the tactics, techniques and procedures (TTPs) used by advanced persistent threats (APTs).
At Level 5 (Advanced/Progressive) the cybersecurity practices are advanced and the process maturity level is "Optimizing": process improvement is standardized and documented across the whole organization.
Level 5 brings the total to 171 practices. It adds 15 practices to Level 4: four drawn from the NIST SP 800-171B draft and 11 others that contribute to a sophisticated cybersecurity program. Systems certified at Level 5 are typically more complex as a result of the practices it requires.
Who must comply with CMMC?
In the future, any company doing business with the Department of Defense, apart from those supplying only commercial off-the-shelf (COTS) products, will be required to achieve one of the five CMMC levels. The requirement applies to prime contractors, their subcontractors and any other suppliers the prime works with along the supply chain.
The DoD contract specifies the level each contractor must meet. One part of a contract may require the prime contractor to achieve CMMC Level 3 while subcontractors on other parts need only reach Level 1.
The CMMC Accreditation Body (CMMC-AB) is working with the DoD to ensure that contractors have access to independent third-party assessment. DoD contractors that handle CUI will be subject to the CMMC requirements. CUI categories safeguarded by the Executive Branch include:
• Export Control
• Law Enforcement
• Natural and Cultural Resources
• Procurement and Acquisition
• Proprietary Business Information
What are CMMC requirements?
CMMC certification requirements vary with the level sought, and each level builds on those below it: a Level 2 certification includes all of the Level 1 requirements, and a Level 5 certification requires an organization to satisfy the requirements of Levels 1-4 as well. Across the five levels, the certification criteria consist of:
• 43 capabilities spanning 17 capability domains
• Five processes to measure process maturity
• 171 practices to measure technical capacity
The requirements an organization must satisfy therefore depend on the level it is pursuing. They are categorized as practices and processes; to obtain a certification level, a contractor must meet both the practice and the process requirements for that level across the relevant capabilities. The 17 capability domains are:
1. Access Control (AC)
2. Incident Response (IR)
3. Risk Management (RM)
4. Asset Management (AM)
5. Maintenance (MA)
6. Security Assessment (CA)
7. Awareness and Training (AT)
8. Media Protection (MP)
9. Situational Awareness (SA)
10. Audit and Accountability (AU)
11. Personnel Security (PS)
12. System and Communications Protection (SC)
13. Configuration Management (CM)
14. Physical Protection (PE)
15. System and Information Integrity (SI)
16. Identification and Authentication (IA)
17. Recovery (RE)
A Checklist for CMMC Compliance
While no two paths to compliance are the same, there are a number of best practices that consultants and MSPs recommend. The following four steps form a checklist for CMMC compliance.
1. Establish a baseline: assess the company's current level of CMMC readiness.
- Determine whether the company handles CUI and how it must be protected
- Perform a gap assessment between where the company is now and where it needs to be
- Create a Plan of Action and Milestones (POA&M) for the controls that do not currently meet the requirements
- Develop a focused plan, typically with a consultant, covering the current state of readiness and what is required to reach the desired level of compliance
2. Fill the gaps: execute against the POA&M and put the selected activities into action.
- Put in place the new procedures, training and tools needed to close the gaps
- Begin training staff on the new security standards as soon as possible
3. Monitor the required systems.
- Resolve any problems that have arisen; work through the System Security Plan (SSP) and adjust it as needed
4. Prepare for the assessment.
- Support the C3PAO during the audit and be ready to provide documentation showing that the controls are implemented
- Keep looking for ways to improve
Preparation for a CMMC Certification
Companies should not wait to begin certification work, even though full implementation of the CMMC is expected to take around five years. Writing policy, deploying solutions and making the necessary changes takes time. Depending on its current environment and level of cyber hygiene, a company should allow at least six months to reach compliance. There is no time to waste, since the DoD plans to issue rules mandating CMMC compliance by the end of the year.
To begin CMMC compliance efforts, the company should:
- Determine which CMMC level the company intends to achieve and begin reviewing the cyber hygiene requirements for that level
- Begin drafting a budget for CMMC compliance, covering the cost of strengthening security controls, updating policies, deploying tools, engaging a third-party assessor and the CMMC assessment itself
- Create a Plan of Action and Milestones (POA&M) to maintain compliance with NIST SP 800-171 under current contracts, with timeframes and resource needs
- Align the current security environment with NIST SP 800-171; since Level 3 incorporates all 110 NIST SP 800-171 controls, contractors that have implemented every control have covered most of the ground for Level 3
- Keep up with CMMC developments by regularly checking the DoD's website for updates
How to Get CMMC Certified?
Companies cannot self-certify under the CMMC; they must be assessed by a certified third-party assessment organization (C3PAO) or an accredited individual assessor. C3PAOs oversee the assessment process for businesses pursuing CMMC certification: they provide consulting services, schedule assessments, employ and train individual assessors, and review findings with quality auditors from the CMMC Accreditation Body (CMMC-AB).
A company seeking a CMMC certificate must first determine the level it needs and assess its readiness for the audit. It must then find a C3PAO with availability to schedule the assessment with a certified independent assessor. During the assessment, the assessor looks for security gaps and weaknesses and determines whether the company's environment satisfies the CMMC requirements for the target level. Companies have up to 90 days to remediate any findings with the C3PAO.
If a company achieves certification at any level, the certification is made public.
Certification is an allowable, reimbursable cost, and a certificate is valid for three years. The DoD hopes to have 1,500 CMMC-certified contractors by 2021 and 48,000 by 2025.