April 5, 2024

Last Updated on May 20, 2024

If your company participates in the US Department of Defense (DoD) supply chain, you already know about the Cybersecurity Maturity Model Certification (CMMC) 2.0 assessment program, which will progressively roll out through 2025. CMMC certification “raises the bar” over the current NIST 800-171 self-attestation regime, in which contractors vouch for their own compliance, and promises significant compliance impacts for many firms.

But for organizations that have achieved or are working towards ISO 27001 certification, how close will ISO 27001 get you to CMMC certification?

This article explores the synergy between ISO 27001 and CMMC compliance requirements.


Can ISO 27001 play a role in CMMC certification?

An ISO 27001 certified information security management system (ISMS) can strongly support CMMC certification and greatly reduce the CMMC compliance effort. Both are comprehensive, current cybersecurity standards grounded in recognized best practices.

The real question is: What is most vital for your business to specifically focus on so your ISO 27001 ISMS can also efficiently cover CMMC?


How are CMMC and ISO 27001 different?

ISO 27001 helps you build a holistic cybersecurity program that lets you identify your sensitive information assets and implement safeguards to protect them.

CMMC has a narrower focus: protecting federal contract information (FCI) and, above all, controlled unclassified information (CUI) that the US government entrusts to contractors and that resides on your non-federal systems.

With ISO 27001, you select controls based on risk management and risk assessment. With CMMC, the controls you must implement are based on the CMMC maturity level you need to achieve, as specified in your contract.

  • CMMC Level 1 (Foundational) is for organizations that will not handle CUI, but will work only with federal contract information (FCI). Your DoD contract itself is an example of FCI. Level 1 consists of the basic safeguarding requirements of FAR 52.204-21 and is satisfied by an annual self-assessment.
  • CMMC Level 2 (Advanced) is for organizations working with CUI. Examples of CUI include engineering drawings, research data, and personally identifiable information (PII) on employees or contractors when the government has designated it as CUI. Level 2 consists of the 110 security requirements of NIST SP 800-171 Rev. 2. Many DoD contracts mandate CMMC Level 2 because they require you to handle CUI.
  • CMMC Level 3 (Expert) is reserved for certain organizations working on the DoD’s most sensitive defense programs, such as fighter aircraft or nuclear submarine programs. Level 3 adds a subset of the enhanced requirements of NIST SP 800-172 on top of Level 2, aimed at resisting advanced persistent threats (APTs) from nation-state actors.

In simple terms, ISO 27001 lets you decide which controls are applicable to your ISMS based on a risk assessment for your specific environment. With the CMMC model, there is less flexibility: the cybersecurity practices you must implement are defined by your CMMC level, and you cannot risk-accept your way out of one.


Can you build CMMC Level 2 compliance into your ISO 27001 ISMS?

A key reason why ISO 27001 is widely regarded as the premier third-party attested information security certification worldwide is that it is extremely flexible and can be applied to almost any use case.

So, if your business is looking to achieve both CMMC and ISO 27001 certification, can you architect your ISO 27001 ISMS so that the CMMC requirements are part of your ISMS scope?

Done right, can this approach yield an ISMS that can also pass a CMMC Level 2 certification audit?

The answer is yes: if you define your ISMS scope with CMMC fully considered (the systems, people and locations that store, process or transmit CUI are inside the scope, and the Statement of Applicability treats the NIST 800-171 requirements as mandatory rather than risk-selected), you should end up with a cybersecurity program that can be both ISO 27001 certified and CMMC certified.

However, there is an important caveat. ISO 27001 is less prescriptive than CMMC, so there are specific technical requirements in CMMC that go beyond what a risk assessment would typically lead you to implement for ISO 27001. Two common examples from NIST 800-171: multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts (3.5.3), and FIPS-validated cryptography wherever encryption is used to protect the confidentiality of CUI (3.13.11). An ISO 27001 auditor will accept a risk-based justification for the controls you chose; a CMMC assessor will not.

The bottom line is that even if you architect your ISO 27001 ISMS with CMMC compliance in mind, you will probably need additional resources and/or technology to satisfy the CMMC requirements.


Does it make sense to pursue CMMC and ISO 27001 certifications in parallel?

Organizations that want to achieve both CMMC and ISO 27001 certification should definitely look into pursuing them at the same time. There is significant overlap between the two standards, making a parallel effort potentially cost- and time-effective.

However, achieving CMMC certification based on an ISO 27001 ISMS requires careful planning.

According to expert auditor Thomas Price, “The government felt that ISO 27001 wasn’t going far enough, and they lacked confidence that the controls were being implemented adequately.”

For this reason, plus its laser focus on protecting CUI on non-federal systems, CMMC is both more prescriptive and more demanding than ISO 27001 overall. CMMC mandates a number of specific requirements to protect CUI that would not be essential for ISO 27001 certification, and a CMMC assessment examines whether each one is actually implemented, not just whether a policy says it is.

Therefore, your initial CMMC certification assessment would not be a slam dunk, even with an ISO 27001 certificate in hand.


What’s next?

ISO 27001 does not map directly onto CMMC 2.0 controls. However, CMMC Level 2 consists of the 110 security requirements of NIST SP 800-171 Rev. 2, so a NIST 800-171 mapping is effectively a CMMC Level 2 mapping.

NIST 800-171 Rev. 2 Appendix D (available as “supporting materials” in NIST 800-171 Rev. 3) maps the NIST 800-171 requirements to the ISO/IEC 27001 controls. Two caveats when using it: the mapping is many-to-many and informational, so a mapped ISO control does not by itself satisfy the corresponding 800-171 requirement, and the Rev. 2 tables reference the ISO/IEC 27001:2013 Annex A controls, so if your ISMS is certified against the 2022 edition you will need to translate the mapping to the restructured 2022 Annex A.

For additional guidance on leveraging an ISO 27001 ISMS to gain CMMC 2.0 Level 2 compliance, check out CBIZ Pivot Point Security’s free CMMC 2.0 Certification Guide.