The Cybersecurity Maturity Model Certification (CMMC) is coming - whether you’re ready or not. Today, it’s primarily meant for the Department of Defense (DoD) and its subcontractors, but this comprehensive framework could be coming to an enterprise like yours in the future.
CMMC is a holistic look at cybersecurity. With cybercrime becoming ever more sophisticated, there’s a real need for a change in the way we assess our current state of cybersecurity readiness.
To secure unclassified networks - The CMMC was created as a means to ensure that the Defense Industrial Base (DIB) Community is utilizing proper cybersecurity practices in protecting Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) contained in their unclassified networks. It was created in Jan 2020 with the goal of improving the security of CUI and FCI that may be in possession of their federal contractor network.
To offer levels of compliance that make sense for the level of involvement for each business - DoD contractors have been required to comply with NIST SP 800-171 – a comparable security framework - since January 1, 2018 (currently in Rev 2, 1/21). The majority of NIST SP 800-171 can be found within CMMC, but unlike the entirety which can be difficult to manage for some businesses, CMMC takes a different approach stepping through five levels as mentioned.
It’s intended to reduce third-party risk - In short, the DoD realized that while their own systems were secure, they could not ensure the security of the various third parties connecting to their networks, providing personnel, or executing government service contracts. CMMC was designed to mitigate that risk by ensuring that primary and subcontractors are tightening their controls with Controlled Unclassified Information (CUI), as well as thoughtful measures around where it’s stored, transmitted, or processed.
CMMC 2.0 release date is March 2023 and contracts go into effect in July 2023.
Related Reading: Does CMMC Immunize You to Ransomware?
Working towards certification, there are three CMMC Levels, and each is linked to a specific number of controls consisting of several assets: domains, capabilities (or a collection of practices), practices, and processes defined as maturity levels corresponding to the specific certification level. (see chart above for level specifications)
At first glance, this new set of requirements looks daunting. You should understand that they are a cumulative set of practices and processes across all 17 domains. To achieve a certain CMMC Level, you must have completed the preceding level. A participant must determine which level of certification applies best to their business requirements.
Let’s review and get a better understanding of the basic CMMC Levels:
Processes: Performed - Level 1 requires that an organization performs the specified practices. Because the organization may only be able to perform these practices in an ad-hoc manner and may or may not rely on documentation, process maturity is not assessed for Level 1.
Practices: Basic Cyber Hygiene - Level 1 focuses on the protection of FCI and consists only of practices that correspond to the basic safeguarding requirements specified in 48 CFR 52.204-21
Level one is comprised of 17 practices.
Processes: Managed - Level 2 requires that an organization establish, maintain, and resource a plan demonstrating the management of activities for practice implementation. The plan may include information on missions, goals, project plans, resourcing, required training, and involvement of relevant stakeholders.
Practices: Good Cyber Hygiene - Level 2 focuses on the protection of CUI and encompasses all of the security requirements specified in NIST SP 800-171  as well as additional practices from other standards and references to mitigate threats.
Level two is comprised of 110 practices.
Processes: Optimizing - Level 3 requires an organization to standardize and optimize process implementation across the organization.
Practices: Advanced/Proactive - Level 3 focuses on the protection of CUI from APTs. The additional practices increase the depth and sophistication of cybersecurity capabilities.
Level three is comprised of 110+ practices.
Related Reading: Threat-Based Security at the Intersection of MITRE ATT&CK and NIST CSF (Whitepaper)
The standard is evolving. There may be new controls over the next quarter.
The CMMC timeline is subject to change. Some CMMC specifications apply to only some contracts now and are expected to become part of DoD procurement in 2026.
CMMC is still being developed. In the National Defense Authorization Act that was just passed, you’ll find the following text: “1742. Department of Defense cyber hygiene and Cybersecurity Maturity Model Certification framework (a) Cybersecurity practices and capabilities in the Department of Defense (1) In general, not later than March 1, 2021, the Secretary of Defense, acting through the Chief Information Officer of the Department of Defense and the Commander, Joint Forces Headquarters-Department of Defense Information Network, shall assess each Department component against the Cybersecurity Maturity Model Certification (CMMC) framework and submit to the congressional defense committees a report that identifies each such component’s CMMC level and implementation of the cybersecurity practices and capabilities required in each of the levels of the CMMC framework.”
CMMC certification requirements will likely extend beyond the Department of Defense. Other branches of the government may and likely will choose to adopt CMMC.
Once you understand the CMMC requirements outlined above, you can determine the maturity level you need to reach. This begins with defining the CUI stored, processed, and transmitted within your environment.
While the DoD has expressed some degree of concern around the potential financial impact of reaching these CMMC requirements on small to medium-sized businesses, it has not outlined any provisions to assist these businesses with reaching the certification requirements. That’s why it’s important to outline a reasonable timeline and necessary resources (budget, personnel, etc.) around tasks like:
Here is what we know regarding the rules for CMMC 2.0:
While we don’t know all of the rules and stipulations around CMMC quite yet, we do have a general idea of which steps you can begin taking action on today:
With CMMC, you cannot be self-certified. Therefore, enlisting the right partners- partners that have compliance expertise and are on the path to becoming a certified third-party assessment organization (C3PAO)- to conduct an assessment and gap analysis is recommended. You can ask your current cybersecurity provider if they’re a registered provider organization (RPO) for CMMC - this is often a good indicator of whether or not they’re on the path to becoming a C3PAO. Avertium is currently on under review to become a C3PAO.
Related Reading: The Cybersecurity Maturity Model Certification: Are You in Compliance?
Avertium, a CMMC registered provider organization (RPO), is an expert in CMMC Assessment, Readiness, and Program Creation. Avertium will get to know your organization, set a baseline maturity index, and work with you to tailor a path to compliance and security program improvement that fits the way you do business. Here’s what you can expect:
We’ll collaborate with your team, providing a Gap Analysis Report with a detailed matrix comparing baseline controls in place today with appropriate CMMC domain and control level requirements.
We’ll provide an Executive Summary Report to communicate findings and their implications to company decision-makers in support of your security efforts.
We’ll provide a detailed Remediation Roadmap based on the order of criticality to guide remediating deficiencies.
We’ll conduct Regular Touchpoint Meetings to review progress, and update your team on DoD guidance and CMMC changes, all while keeping you abreast of the latest technology trends and industry best practices.
Lastly, we can implement programs, technologies, and processes to help you become compliant and maintain your certification if you don’t have the resources or personnel to do so.
* Avertium is currently in the application process to become a CMMC Third Party Assessment Organization (C3PAO). A C3PAO is a certified CMMC assessor responsible for conducting CMMC assessments on behalf of the DoD. Once the assessment is completed, the C3PAO can appropriately issue CMMC certificates.*