The Cybersecurity Maturity Model Certification (CMMC) is coming - whether you’re ready or not. Today, it’s primarily meant for the Department of Defense (DoD) and its subcontractors, but this comprehensive framework could be coming to an enterprise like yours in the future.
CMMC is a holistic look at cybersecurity. With cybercrime becoming ever more sophisticated, there’s a real need for a change in the way we assess our current state of cybersecurity readiness.
On the path to certification there are five CMMC Levels, each made up of multiple practices and processes spread across 17 domains. A participant must determine which level of certification best fits their business requirements.
At first glance, this new set of requirements looks daunting. Understand that they are a cumulative set of practices and processes across 17 domains: to achieve a given CMMC Level, you must also have completed every preceding level.
Let’s review and get a better understanding of the basic CMMC Levels:
Processes: Performed - Level 1 requires that an organization performs the specified practices. Because the organization may only be able to perform these practices in an ad-hoc manner and may or may not rely on documentation, process maturity is not assessed for Level 1.
Practices: Basic Cyber Hygiene - Level 1 focuses on the protection of Federal Contract Information (FCI) and consists only of practices that correspond to the basic safeguarding requirements specified in 48 CFR 52.204-21.
Level 1 comprises 17 practices and 0 processes.
Processes: Documented - Level 2 requires that an organization establish and document practices and policies to guide the implementation of their CMMC efforts. The documentation of practices enables individuals to perform them in a repeatable manner. Organizations develop mature capabilities by documenting their processes and then practicing them as documented.
Practices: Intermediate Cyber Hygiene - Level 2 serves as a progression from Level 1 to Level 3 and consists of a subset of the security requirements specified in NIST SP 800-171 [4] as well as practices from other standards and references. Because this level represents a transitional stage, a subset of the practices references the protection of Controlled Unclassified Information (CUI).
Level 2 comprises 55 practices and 34 processes.
Processes: Managed - Level 3 requires that an organization establish, maintain, and resource a plan demonstrating the management of activities for practice implementation. The plan may include information on missions, goals, project plans, resourcing, required training, and involvement of relevant stakeholders.
Practices: Good Cyber Hygiene - Level 3 focuses on the protection of CUI and encompasses all of the security requirements specified in NIST SP 800-171 [4] as well as additional practices from other standards and references to mitigate threats.
Level 3 comprises 58 practices and 17 processes.
Processes: Reviewed - Level 4 requires that an organization review and measure practices for effectiveness. In addition to measuring practices for effectiveness, organizations at this level are able to take corrective action when necessary and inform higher-level management of status or issues on a recurring basis.
Practices: Proactive - Level 4 focuses on the protection of CUI from advanced persistent threats (APTs) and encompasses a subset of the enhanced security requirements from Draft NIST SP 800-171B [6] as well as other cybersecurity best practices. These practices enhance an organization's detection and response capabilities so it can address and adapt to the changing tactics, techniques, and procedures (TTPs) used by APTs.
Level 4 comprises 26 practices and 17 processes.
Processes: Optimizing - Level 5 requires an organization to standardize and optimize process implementation across the organization.
Practices: Advanced/Proactive - Level 5 focuses on the protection of CUI from APTs. The additional practices increase the depth and sophistication of cybersecurity capabilities.
Level 5 comprises 15 practices and 17 processes.
For approved pilots, all offerors will undergo the appropriate CMMC assessment; an awardee must achieve the required CMMC level at the time of contract award and flow down the appropriate CMMC requirement to its subcontractors. This allows additional time to meet the CMMC certification requirement.
*Source: Cybersecurity Maturity Model Certification | Carnegie Mellon University and The Johns Hopkins University Applied Physics Laboratory LLC Version 1.02
As of January 2021, assessments will begin being submitted for a score. All assessments must be completed by a certified third-party organization or a registered provider organization (RPO). In Q1 overall, a formal training program will begin that enables companies and cybersecurity firms to become certified professionals or assessors. Certification levels 1-3 are anticipated to come first (as early as March or April).
STEP 1
Once you understand the CMMC requirements outlined above, you can determine the maturity level you need to reach. This begins with defining the CUI stored, processed, and transmitted within your environment.
STEP 2
While the DoD has expressed some degree of concern around the potential financial impact of reaching these CMMC requirements on small to medium-sized businesses, it has not outlined any provisions to assist these businesses with reaching the certification requirements. That’s why it’s important to outline a reasonable timeline and necessary resources (budget, personnel, etc.) around tasks like:
STEP 3
While we don’t know all of the rules and stipulations around CMMC quite yet, we do have a general idea of which steps you can begin taking action on today:
STEP 4
With CMMC, you cannot self-certify. Therefore, enlisting the right partners (partners that have compliance expertise and are on the path to becoming a certified third-party assessment organization, or C3PAO) to conduct an assessment and gap analysis is recommended. You can ask your current cybersecurity provider whether they are a registered provider organization (RPO) for CMMC; this is often a good indicator of whether or not they are on the path to becoming a C3PAO.
Avertium, a CMMC registered provider organization (RPO), is an expert in CMMC Assessment, Readiness, and Program Creation. Avertium will get to know your organization, set a baseline maturity index, and work with you to tailor a path to compliance and security program improvement that fits the way you do business. Here's what you can expect: