Developed by the US Department of Defense (DoD), the Cybersecurity Maturity Model Certification (CMMC) is a new standard for implementing cybersecurity measures across its supply chain and network of contractors. The DoD engages with over 300,000 contracting companies across the Defense Industrial Base (DIB) in the acquisition of technologies, products, and services.
To perform their duties, contractors require access to Controlled Unclassified Information (CUI). Prior to the CMMC, contractors were required to implement and self-regulate their information security systems to protect CUI. Because of gaps in that earlier regulation, there have been significant compromises of sensitive defense information across contractors' databases and information systems, which ultimately led to the creation of the certification.
With the CMMC, contractors are still responsible for developing controls and maintaining the security of their information technology systems, but the assessment of their information systems and the compliance audit are performed by an accredited third-party assessment organization, or C3PAO.
What Is The CMMC Framework?
The CMMC framework encompasses 17 capability domains mapped across 5 levels, each with organized processes and the corresponding cybersecurity best practices. The levels measure the maturity and technical capabilities of a company's cybersecurity infrastructure, and how well it protects sensitive defense information across its information systems.
Here is an overview of the 5 levels with the practices, processes, and relations to existing regulations and frameworks.
| Level | Practices, processes, and relation to existing regulations |
|---|---|
| Level 1 | This level performs basic cyber hygiene, e.g., regularly changing passwords. Its practices are equivalent to those in the Federal Acquisition Regulation (FAR) 48 CFR 52.204-21. Level 1 is about the basic safeguarding of Federal Contract Information (FCI). |
| Level 2 | This is a transitional documentation step towards the protection of CUI, concerned with intermediate cyber hygiene. It includes a select subset of 48 practices from NIST SP 800-171 r1 and complies with the FAR. |
| Level 3 | Management of the processes that protect CUI, and good cyber hygiene, is done at this level. It encompasses all the practices from NIST SP 800-171 r1 and complies with the FAR. |
| Level 4 | This is the proactive cybersecurity level, which reviews implemented processes and the effectiveness of practices. This level complies with the FAR, encompasses all practices from NIST SP 800-171 r1, and includes a select subset of 11 practices from Draft NIST SP 800-171B. |
| Level 5 | Optimizing advanced/progressive cybersecurity practices occurs at this level. The level encompasses all practices from NIST SP 800-171 r1, includes a select subset of 4 practices from Draft NIST SP 800-171B, and complies with the FAR. Levels 4 and 5 secure CUI, require active cybersecurity processes, and reduce the risk of advanced persistent threats (APTs). |
The CMMC applies to entities required to protect CUI or safeguard sensitive defense information related to the DoD's procurement processes. Hence, all DoD contractors, subcontractors, and all suppliers along the supply chain will need to comply with the CMMC. Contractors that are not compliant will not be able to bid on contracts.
Companies seeking to meet the certification's requirements can prepare with these five steps:
- Identify the desired maturity level
- Decide whether to engage a trained professional or handle compliance in-house, and whether to use external security services.
- Conduct a self-assessment and update security documentation
- Remediate gaps
- Schedule and complete the CMMC assessment
Under the CMMC, companies are not allowed to self-certify. They will be evaluated, audited, and validated by certified independent third-party assessment organizations (C3PAOs) and assessors. The DoD will coordinate directly with the CMMC Accreditation Body (CMMC-AB) for the certification's operational aspects.
Currently, no third-party entities hold the credentials to assess a contractor against the CMMC, since the requirements for becoming a C3PAO are not yet established. At the same time, the DoD is incorporating CMMC requirements into Requests for Proposals (RFPs) this November. According to the CMMC-AB, only the training criteria have been published so far. Certified training is scheduled for winter 2020/21, and commercial assessments are expected to be available from winter/spring 2021.
Because of the contract cycle, all DoD suppliers will need to be CMMC compliant by 2025. Nonetheless, even before the framework is fully finalized, organizations are already requesting alignment with the CMMC. This can be attributed to the industry's competitive nature and the high level of security awareness in the supply chain. Most defense contractors are already compliant with FAR 52.204-21 and NIST 800-171 requirements, which form part of the CMMC, so they are already largely CMMC compliant.
The CMMC is quickly gaining traction, and now is a great time to start aligning your security controls and policies to the CMMC level that you need to meet. Organizations have a plethora of software at their disposal to manage compliance, each with its own merits, but GRC solutions are best suited to scale with your company's compliance requirements and goals. Get a head start on your CMMC compliance using a comprehensive GRC tool to support you along your path to compliance and request your demo today!