Cybersecurity Maturity Model Certification (CMMC)The CMMC Knowledge You Need to Succeed
In November 2021, the US Department of Defense (DoD) announced Version 2.0 of the Cybersecurity Maturity Model Certification (CMMC) information security framework and audit program. Driven by internal review and public comment, CMMC 2.0 updates the requirements for CMMC Version 1.02, released in January 2020 and now suspended. CMMC 2.0 is designed to improve cybersecurity within the Defense Industrial Base (DIB) by ensuring contractors and subcontractors can adequately protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
Back in October 2016, the DoD specified requirements for protecting Covered Defense Information (CDI) and reporting cyber incidents in its Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012. In addition, DFARS 252.204.7019 mandates DoD suppliers implement security controls consistent with the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171. This regulation—which has been in effect all along—relies on suppliers to self-attest to the status of their security controls and to compliance with NIST SP 800-171.
In contrast to CMMC 1.0, CMMC 2.0 requires organizations whose contracts mandate compliance with CMMC 2.0 Level 2 (Advanced) and which are participating in “prioritized acquisitions” to undergo third-party assessments to achieve CMMC 2.0 certification, and to be reassessed on a triannual basis. Firms participating in “non-prioritized acquisitions” at CMMC 2.0 Level 2 (Advanced) plus all organizations at CMMC Level 1 (Foundational) can demonstrate compliance through an annual self-assessment with an affirmation by company leadership.
The changes from CMMC 1.0 to CMMC 2.0 will be implemented through the US federal government’s rulemaking process to Code of Federal Regulations (CFR) Parts 32 and 48. DIB businesses will be required to comply with the new rules as soon as they go into effect; an estimated timetable is “9 to 24 months.”
Struggling with all the new terminology in the CMMC? Learn all the Key CMMC Terms & Acronyms here.
Why is the CMMC Important?
The CMMC is critically important because keeping CUI, CDI and FCI (Federal Contract Information) secure is vital to US national security and to the US economy. The current self-attestation approach has proven ineffective, as shown by multiple high-profile breaches of critical DoD data.
Exfiltration of sensitive defense-related data is estimated to cost the US economy $600 billion per year, and has verifiably narrowed US armed forces technological advantage over its adversaries. The DoD is determined to eliminate this data leakage.
CMMC represents a higher, more exacting level of assurance that emphasizes not only compliance but also data security, and which ensures more consistent implementation and execution of controls. CMMC will make it significantly more difficult for adversaries to breach DIB contractors, including sub-tier suppliers. This also includes assurance the government and your investors your organization is equipped to identify and triage cyber incidents.
How is the CMMC Different from Today’s Requirements?
CMMC will significantly impact both the DoD’s acquisition process and suppliers’ cybersecurity postures. Most importantly:
- To achieve certification at any of the five CMMC levels, organizations must pass a third-party assessment conducted by an accredited C3PAO (Certified 3rd Party Assessor Organization).
- CMMC certification to at least Level 1 will be mandatory for DoD contract award/participation. If you have Federal Contract Information (FCI), you must achieve level 1.
- The CMMC certification level required for prime contractors and their subcontractors will be specified in DoD RFIs and RFPs.
- Suppliers will need to be recertified every three years. Further, the CMMC will continue to evolve in response to the threat landscape.
- The CMMC is even more comprehensive than NIST 800-171. It defines additional controls and places more emphasis on operationalization of processes (e.g., policies, procedures, documentation) to manage the environment.
- Unlike the current “one size fits all” self-attestation to NIST 800-171, CMMC defines five levels of requirements, from “Basic Cyber Hygiene” (Level 1) to “Advanced” (Level 5). Level 3, “Good Cyber Hygiene,” is just a notch above NIST 800-171 compliance.
Summary of the Cybersecurity Maturity Model Certification (CMMC) Levels, Domains, Practices & Processes (Maturity Levels)
Referenced directly on DoD RFI’s and RFP’s, these tiers specify the number of practices and processes in each domain a company needs to be certified to in order to win that RFI/RFP. Level overview:
- Level 1: Meant to ensure a company can safeguard Federal Contract Information (FCI)
- Level 2: This is a temporary level meant to serve as a “transaction step” from Level 1 to Level 3
- Level 3: Meant to ensure a company can protect Controlled Unclassified Information (CUI)
- Level 4-5: Meant to ensure a company can protect Controlled Unclassified Information (CUI) and Advanced Persistent Threats (APTs)
A CMMC Domain is a collection of practices. CMMC has 17 total domains each with its own set of capabilities.
|Access Control (AC)||· Establish system access requirements
· Control internal system access
· Control Remote system access
· Limit data access to authorized users and processes
|Asset Management (AM)||· Identify and document assets|
|Audit and Accountability (AU)||· Define audit requirements
· Perform auditing
· Identify and protect audit information
· Review and manage audit logs
|Awareness and Training (AT)||· Conduct security awareness activities
· Conduct training
|Configuration Management (CM)||· Establish configuration baselines
· Perform configuration and change management
|Identification and Authentication (IA)||· Grant access to authenticated entities|
|Incident Response (IR)||· Plan incident response
· Detect and report events
· Develop and implement a response to a declared incident
· Perform post incident reviews
· Test incident response
|Maintenance (MA)||· Manage maintenance|
|Media Protection (MP)||· Identify and mark media
· Protect and control media
· Sanitize media
· Protect media during transport
|Personal Security||· Screen personnel
· Protect CUI during personnel actions
|Physical Protection (PE)||· Limit physical access|
|Recovery (RE)||· Manage back-ups|
|Risk Management (RM)||· Identify and evaluate risk
· Manage risk
|Security Assessment (CA)||· Develop and manage a system security plan
· Define and manage controls
· Perform code reviews
|Situational Awareness (SA)||· Implement threat monitoring|
|Systems and Communications Protection (SC)||· Define security requirements for systems and communications
· Control communications at system boundaries
|System and Information Integrity (SI)||· Identify and manage information system flaws
· Identify malicious content
· Perform network and system monitoring
· Implement advanced email protections
CMMC Practices are what most information security standards call “controls”. They are the specific measures you need to put in place to gain certification. Examples of these are Multi Factor Authentication (MFA), end-to-end encryption of CUI, implementing logging with alerting (most often through a Security Incident and Event Management (SIEM) solution), email spam protection and sand-boxing, etc.
CMMC uses a 1–5 maturity level scale, which allows the standard to define “Appropriate Security” for different types of information with different risk levels (ML.2.999, ML.2.998, ML.2.999, ML.3.997, ML.4.996, ML.5.995
When Does Your Business Need to Be CMMC Compliant?
CMMC requirements have already appeared in select RFIs, and will appear in RFPs after a DFARs rule change is complete in October 2020. The DoD will gradually apply CMMC requirements starting with a chosen subset of contracts (about 1,500) to be awarded in 2021.
From there, the CMMC rollout will accelerate to about 7,500 companies in 2022, ramping up to about 50,000 in 2025. It is expected that the entire DoD supply chain (about 350,000 businesses) will be CMMC certified by 2026. Companies must continue to comply with current DFARS regulations while the two sets of requirements coexist.
Since only CMMC certified companies can participate in contracts that mandate CMMC, there is a clear competitive advantage to achieving CMMC certification sooner rather than later.
How Do You Get CMMC Certified?
The DoD in cooperation with the defense industry has “self-formed” a nonprofit accreditation body, called the CMMC Accreditation Body (CMMC-AB). This entity will onboard the Certified 3rd-Party Assessment Organizations (C3PAOs) needed to certify suppliers across the DIB. The C3PAOs, in turn, will train and certify the many auditors who will conduct CMMC audits.
The DoD expects that certified auditors will be trained and ready to begin assessing suppliers by late 2020, in line with its plan to issue RFIs specifying CMMC at that time. Anyone in the DIB seeking a CMMC assessment should connect with a C3PAO to schedule an audit.
How Does CMMC Compare to NIST 800-171?
Because it defines five compliance levels, CMMC is more flexible than NIST 800-171, and “right-sizes” a supplier’s compliance footprint based on the data it is handling.
Here is a simple way to describe the five CMMC “cyber hygiene” certification levels:
For suppliers that won’t be handling sensitive data, certification to CMMC Level 1 specifies only 17 controls, while Level 2 specifies 63 controls. These levels should be straightforward to achieve for businesses that are self-attesting to NIST 800-171 compliance today.
Suppliers that will handle CUI will need to be certified to CMMC Level 3 or higher. Level 3 includes all 110 NIST 800-171 controls, plus 20 additional controls, making it comparable to the current DFARS guidance.
CMMC levels 4 and 5 are intended to protect CUI pertaining to high-value assets from advanced persistent threats and nation state actors. These levels define more controls (156 and 171 respectively and processes); attaining them will entail a rigorous audit process.
What certification level should your organization pursue?
That depends on your company’s role in the DIB, as well as your current cybersecurity maturity level. CMMC Level 3 is equivalent to the current regulations and will be required to handle CUI. For example, suppliers that have a Section 7012 clause in their current contract will need to be CMMC Level 3 certified when those contracts are renewed.