CMMC Certification GuideEnsure You Will Keep & Grow Your DoD Business
Your Guide to Successful CMMC Certification
- Achieve NIST 800-171 Provable Conformance -
- Protect CUI -
- Be Irresistible to Your Prime's Capture Team -
- Be Ready for Your CMMC Certification Audit -
- Grow Your Business! -
The DOD and the CMMC AB continue to offer more guidance and details on how the CMMC roll out.
Keeping confidential government/military information secure from prying eyes is critical to our national sovereignty and economy.
Yet companies that process sensitive government data (whether directly or as a sub-contractor in the supply chain) have only been required to “self-attest” to their conformance with relevant DFARS/NIST SP 800-171 guidance… until now.
The self-attestation approach hasn’t worked very well, as evidenced by notable breaches of critical government information. This has driven the U.S. Department of Defense (DOD) and other government agencies to mandate a higher level of attestation; the Cybersecurity Maturity Model Certification (CMMC).
It would be presumptuous for us to call ourselves CMMC experts. We are, however, experts at developing and managing information security and privacy management systems that comply with government and industry regulations. We have helped organizations ranging from $500K to $3B comply with DFARS clause 252.204-7012 and NIST SP 800-171 which cover 110 of the 130 controls required for CMMC Level 3 certification. So, while CMMC is a new certification scheme — the process of preparing for CMMC certification isn’t new to us.
The Stakes are High… Make Sure You Have the Chips to Stay in the Game
CMMC certification will be an absolute requirement to bid on DoD RFPs and/or have a contract awarded. For many SMBs impacted by the CMMC, DoD contracts make up a substantial percentage of their revenue—making CMMC certification a “go big or go home” proposition.
CMMC Compliance Can Make You Stronger
We believe there is a Darwinian element to CMMC. Those organizations that can “adapt” to the new reality, will not only survive, but are likely to prosper, by taking business from those that can’t adapt. Be the pigeon, not the dodo.
New to the CMMC? Lets get you up to speed quickly
The Cybersecurity Maturity Model Certification (CMMC) is a new cybersecurity standard for US Department of Defense (DoD) suppliers. The CMMC will impact more than 300,000 companies in the US Defense Industrial Base (DIB).
The CMMC is important because many DoD contractors are currently vulnerable to attack. Breaches of intellectual property across the DIB have and continue to reduce US defense superiority and threaten our national security.
First released in January 2020 after several years in development, the CMMC requires DoD contractors undergo independent, third-party audits. Compliance is measured against one of the five levels in the CMMC’s “maturity model,” which align with the specific maturity level mandated in each new DoD contract.
What is CMMC Certification?
The CMMC certification process assesses the cybersecurity posture of DoD contractors through third-party audits. The audit process is intended to verify that a company’s security controls, policies and procedures comply with the CMMC standard at the contractually mandated level. The CMMC’s goal is to improve the protection of sensitive data in contractor’s systems, specifically Controlled Unclassified Information (CUI) and Federal Contract Information (FCI).
The security assessment program that the CMMC replaces allowed businesses to self-attest their compliance to the NIST SP 800-171 standard per the Defense Federal Acquisition Regulations (DFARS) as specified in their DoD contracts. Unless explicitly requested to do so, DIB companies were not required to provide evidence of compliance. This perpetuated security vulnerabilities and resulted in significant data breaches, operational interruptions and intellectual property theft at a cost of at least $300 billions per year.
The CMMC was developed in collaboration with university research centers, federally funded R&D centers and industry experts. It unifies several existing security standards into one comprehensive framework, including NIST SP 800-171, NIST SP 800-53, ISO 27001, ISO 27032, FISMA and AIA NAS9933.
Why is CMMC Certification Important?
The CMMC is business-critical for DIB suppliers because they will soon need to achieve CMMC certification at one of the five CMMC levels to participate in DoD contract awards.
The CMMC will gradually replace the DoD’s current cybersecurity compliance program, based on the DFARS, which began in 2015. This outdated approach mandates compliance with NIST 800-171 for all contractors, regardless of the type and volume of data they handle.
Many contractors, especially SMBs with limited resources, have been challenged to comprehend the NIST 800-171 requirements, let alone implement them. Others have either outsourced their compliance programs or employed significant expertise to sustain compliance in-house.
Overall, NIST 800-171 compliance has been lax, though the DoD has endeavored to make compliance a competitive advantage in the contract award process. Moreover, the DoD has stepped up DFARS enforcement, fining suppliers that have claimed to be compliant under the False Claims Act over $250 million in 2019.
The core issue that the DoD is looking to address with CMMC certification is companies falsely claiming compliance with its cybersecurity guidelines, whether intentionally or out of ignorance. By achieving CMMC certification, DoD suppliers will verifiably have appropriate cybersecurity processes and controls in place. CMMC also gives companies a way to assess the maturity of their current environment, as well as a roadmap for how to progressively improve their security postures.
Who Must Achieve CMMC Certification?
Any organization—prime contractor or subcontractor—that participates in DoD contracts will need to achieve some level of CMMC certification within the next few years. Even companies that provide nontechnical services like custodial services will need to demonstrate “basic cyber hygiene” (CMMC Level 1).
Businesses that handle CUI will need to be certified to at least CMMC Level 3, which roughly corresponds to the “security maturity” already mandated by DFARS. Those that handle FCI but not CUI will need CMMC Level 1 certification. Companies that “solely produce Commercial-Off-The-Shelf (COTS) products” purchased as part of a DoD contract do not require a CMMC certification, according to the DoD.
What are the CMMC Certification Levels?
The CMMC organizes cybersecurity preparedness controls and processes into five maturity levels, which protect against progressively higher levels of risk to FCI and/or CUI. Each level incorporates the preceding levels; for example, attaining CMMC Level 3 certification means compliance with CMMC levels 1 and 2. Each level also includes associated process levels.
Here are brief descriptions of the five CMMC levels:
Basic cyber hygiene (Level 1) focuses on protecting FCI. It includes only 17 practices as specified in 48 CFR 52.24-21, Basic Safeguarding of Covered Contractor Information Systems. These include fundamental controls like using up-to-date antivirus software and providing staff with cybersecurity awareness training. To be certified at CMMC Level 1, a supplier only needs to demonstrate that it can perform the required practices in an ad hoc manner, potentially without accompanying documentation.
Intermediate cyber hygiene (Level 2) is an intermediary step for companies transitioning from CMMC Level 1 to CMMC Level 3. At Level 2, processes must be documented and should be practiced accordingly. Level 2 also obliges suppliers to implement 55 of the controls required to protect CUI at Level 3.
Good cyber hygiene (Level 3) focuses on protecting CUI. It includes all the 110 controls specified in NIST 800-171 plus about 20 additional controls. To gain CMMC Level 3 certification, a business must show that it has documented and is actively managing cybersecurity policies and processes in alignment with an established plan. Organizations that are compliant with NIST SP 800-171 today should not find CMMC Level 3 certification to be a big hurdle.
Proactive (Level 4) is an intermediate step for companies seeking to attain CMMC Level 5. At this level, firms must demonstrate that they can proactively defend CUI against advanced persistent threats (APTs) and other ongoing, sophisticated and dynamic attacks. Level 4 requires implementation of 26 additional controls beyond CMMC Level 3. It also requires companies to evaluate the effectiveness of its controls, document threats and responses on an ongoing/historical basis, and take corrective action where needed to detect and defeat threats, in coordination with management.
Advanced/progressive (Level 5) focuses on protecting CUI from multi-vector, state-of-the-art APTs mounted by government-sponsored hackers. It requires the demonstrable ability to audit, optimize and standardize cybersecurity controls and processes. Demanding a robust security posture, CMMC Level 5 incorporates an additional 15 practices beyond prior levels. This will be a challenging level for many SMBs to meet with in-house staff and expertise.
What are the CMMC Control Domains?
The CMMC model defines 17 control domains. Many of these are derived from NIST 800-171 and the associated security areas in Federal Information Processing Standards (FIPS) Publication 200 plus three additional domains (Asset Management, Recovery and Situational Awareness).
The 17 CMMC control domains are:
- Access Control—who has access to your systems (including remote access) and what are their roles and limitations?
- Asset Management—Can you locate, identify and inventory your assets?
- Audit and Accountability—Can you track the users who have access to your CUI, so they are accountable for their actions?
- Awareness and Training—Do all staff have security awareness training?
- Configuration Management—Do you have configuration baselines for your systems so you can gauge their effectiveness?
- Identification and Authentication—Does your organization have properly defined roles with appropriate data access levels, including processes for reporting and accountability?
- Incident response—Do you have an Incident Response Plan that documents how you will detect, report and respond to incidents, including post incident analysis?
- Maintenance—Do you have procedures in place to maintain and operate your cyber controls?
- Media Protection—Is your media identified and marked for quick access, and do you have media protection, transportation and disposal protocols in place?
- Personnel Security—Have staff been properly screened, and do you have controls in place to protect CUI during staff turnover?
- Physical Protection—Do you have provably adequate physical security protecting your assets?
- Recovery—Do you have a robust, tested process for making and logging backups to protect your sensitive data from data loss and damage?
- Risk Management—Do you have a process to periodically identify and assess risks to your FCI and/or CUI, including vendor-related risks?
- Security Assessment—Do you have a system security plan in place?
- Situational Awareness—Do you have a threat monitoring system in place?
- System and Communications Protection—Do you have verifiable control of communications at system boundaries?
- Systems and Information Integrity—Can you effectively monitor your environment to identify and mitigate vulnerabilities and flaws?
How Will Your Company Get CMMC Certified?
Unlike the current DFARS scenario that it will gradually supersede, CMMC certification at any level involves an audit by a Certified Assessor (CA) working for a Certified 3rd-Party Assessor Organization (C3PAOs). The CMMC Accreditation Body (CMMC-AB) authorizes C3PAOs to schedule and conduct assessments for Organizations Seeking Certification (OSCs).
To become certified, the first step is to identify the CMMC level your business needs to comply with, as specified in the contract(s) you are competing for. This determines the compliance requirements for the assessment.
Next, you will need to choose a C3PAO and schedule an assessment. Your CA will identify any vulnerabilities and gaps in your security posture in relation to the requirements at your specific level. Depending on the severity of a finding, you may need to rectify the issue before being certified or establish a Plan of Actions and Milestones (POA&M) for doing so.
A company’s successful achievement of a CMMC certification at a particular level will be a matter of public record. Other information specific to audits, including failed certification efforts and audit findings, will not be made public.
What is the Current Timeline for the CMMC Rollout?
Despite COVID-19, the CMMC rollout has stayed largely on track to date. In particular, the CMMC-AB is up-and-running and launching the programs needed to train professionals and assess and certify suppliers. A small number of select Requests for Information (RFIs) that include CMMC requirements are now being released, with Requests for Proposals (RFPs) to follow by the end of 2020.
The first contract awards that specify CMMC compliance are still planned for early 2021, with CMMC requirements appearing in all new RFIs by 2026. The DoD has stated that it will not modify existing contracts to insert CMMC compliance requirements.
Here are some important milestones on the CMMC timeline:
- January 2020—the DoD introduced CMMC Version 1.0.
- June 2020—The CMMC-AB announced various program requirements and opened registration for C3PAOs, CAs and other professional roles.
- July 2020—The CMMC-AB opened registration for Licensed Partner Publishers (LPPs) that will conduct training for CMMC auditors and advisors.
- Late Summer/Fall 2020—The Office of Management and Budget (OMB) will approve a rule change to the DFAR to allow the DoD to mandate CMMC compliance in RFIs and RFPs.
- Fall 2020—The phased rollout of CMMC language in RFIs and RFPs will begin.
- 2021—The DoD expects that 7,500 DIB companies will have achieved CMMC certification by the end of 2021.
- 2022-2026—New DFARS mandating CMMC certification will gradually replace the remaining DFARS specifying NIST 800-171 compliance.
- By EOY 2026—CMMC certification will be a requirement for all 300,000+ DoD suppliers, and self-attested NIST 800-171 compliance will no longer be in force in DoD contracts.
When Do You Need to Be Ready for CMMC?
While full enforcement of the CMMC framework is still a year or more away for most DIB companies, DoD contractors should take steps immediately to become familiar with CMMC technical requirements and assessment programs. Many suppliers will need to invest significant time and effort (at least six months in most cases) to evaluate their current security postures and prepare for CMMC assessment at Level 3 or above.
Here are some commonsense steps your business can take now to help ensure a smooth CMMC certification process:
- Determine what CMMC level you will eventually need to attain.
- Review the technical requirements for that level.
- Begin aligning your current environment with NIST 800-171, as the DoD may ask you to demonstrate compliance at any time. Further, this will position you to achieve CMMC Level 3 certification with relative ease.
- Connect with a trusted third-party information security consultant to get support for CMMC planning, gap assessment and implementation if you plan to outsource some part of the process.
- Check in with relevant vendors (e.g., email and file sharing service providers, cloud service providers) on their CMMC and NIST 800-171 compliance status.
- Conduct a CMMC “readiness assessment” and/or “gap analysis” so you can prioritize next steps leading to a “remediation plan” or compliance roadmap.
- Begin documenting your cybersecurity practices and policies as you’ll need to do this eventually if you handle CUI.
- Start planning your budget for CMMC certification, including consulting fees, internal resourcing, software purchases, audit costs, etc. Keep in mind that the DoD has stated that CMMC certification will be an “allowable cost” and thus reimbursable.
- Stay current with news about the CMMC rollout by checking online sources like the CMMC FAQ page and the CMMC-AB site.
Because primes are already looking at CMMC and NIST 800-171 compliance when choosing capture teams, companies that are slow to respond to the CMMC and/or fail to achieve certification based on their first assessment may be unable to participate in contracts or offer products and services to the DoD for some period of time.
Now is the time to get familiar with CMMC requirements, connect with compliance experts and start aligning your cybersecurity controls and policies with the CMMC framework. While CMMC certification will be nontrivial for many DoD suppliers, the process will support adoption of cybersecurity best practices that all businesses must have in place today to assure customers, management and other stakeholders that they can protect sensitive data.