The Cybersecurity Maturity Model Certification (CMMC) is coming – whether you’re ready or not. Today, it’s primarily meant for the Department of Defense (DoD) and its subcontractors, but this comprehensive framework could be coming to an enterprise like yours in the future.
CMMC is a holistic look at cybersecurity. With cybercrime becoming ever more sophisticated, there’s a real need for a change in the way we assess our current state of cybersecurity readiness.
Reasons for the creation and enforcement of CMMC:
- To secure unclassified networks – The CMMC was created as a means to ensure that the Defense Industrial Base (DIB) Community is utilizing proper cybersecurity practices in protecting Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) contained in their unclassified networks. It was created in Jan 2020 with the goal of improving the security of CUI and FCI that may be held on federal contractors' networks.
- To offer levels of compliance that make sense for the level of involvement for each business – DoD contractors have been required to comply with NIST SP 800-171 – a comparable security framework – since January 1, 2018 (currently in Rev 2, 1/21). The majority of NIST SP 800-171 can be found within CMMC, but whereas the full set of requirements can be difficult for some businesses to manage, CMMC takes a different approach, stepping through the five levels described below.
- It’s intended to reduce third-party risk – In short, the DoD realized that while its own systems were secure, it could not ensure the security of the various third parties connecting to its networks, providing personnel, or executing government service contracts. CMMC was designed to mitigate that risk by ensuring that prime and subcontractors are tightening their controls around CUI, as well as taking deliberate measures around where it’s stored, transmitted, or processed.
CMMC Model – Levels
Working towards certification, there are five CMMC Levels, each consisting of multiple controls spread across 17 domains. A participant must determine which level of certification best fits their business requirements.
At first glance, this new set of requirements looks daunting. You should understand that they are a cumulative set of practices and processes across 17 domains. To achieve a certain CMMC Level, you must have completed the preceding level.
Let’s review and get a better understanding of the basic CMMC Levels:
CMMC Level 1
Processes: Performed – Level 1 requires that an organization performs the specified practices. Because the organization may only be able to perform these practices in an ad-hoc manner and may or may not rely on documentation, process maturity is not assessed for Level 1.
Practices: Basic Cyber Hygiene – Level 1 focuses on the protection of FCI and consists only of practices that correspond to the basic safeguarding requirements specified in 48 CFR 52.204-21.
Level one consists of 17 practices and 0 processes.
CMMC Level 2
Processes: Documented – Level 2 requires that an organization establish and document practices and policies to guide the implementation of their CMMC efforts. The documentation of practices enables individuals to perform them in a repeatable manner. Organizations develop mature capabilities by documenting their processes and then practicing them as documented.
Practices: Intermediate Cyber Hygiene – Level 2 serves as a progression from Level 1 to Level 3 and consists of a subset of the security requirements specified in NIST SP 800-171 as well as practices from other standards and references. Because this level represents a transitional stage, a subset of the practices references the protection of CUI.
Level two consists of 55 practices and 34 processes.
CMMC Level 3
Processes: Managed – Level 3 requires that an organization establish, maintain, and resource a plan demonstrating the management of activities for practice implementation. The plan may include information on missions, goals, project plans, resourcing, required training, and involvement of relevant stakeholders.
Practices: Good Cyber Hygiene – Level 3 focuses on the protection of CUI and encompasses all of the security requirements specified in NIST SP 800-171 as well as additional practices from other standards and references to mitigate threats.
Level three consists of 58 practices and 17 processes.
CMMC Level 4
Processes: Reviewed – Level 4 requires that an organization review and measure practices for effectiveness. In addition to measuring practices for effectiveness, organizations at this level are able to take corrective action when necessary and inform higher-level management of status or issues on a recurring basis.
Practices: Proactive – Level 4 focuses on the protection of CUI from APTs and encompasses a subset of the enhanced security requirements from Draft NIST SP 800-171B as well as other cybersecurity best practices. These practices enhance the detection and response capabilities of an organization to address and adapt to the changing tactics, techniques, and procedures (TTPs) used by APTs.
Level four consists of 26 practices and 17 processes.
CMMC Level 5
Processes: Optimizing – Level 5 requires an organization to standardize and optimize process implementation across the organization.
Practices: Advanced/Proactive – Level 5 focuses on the protection of CUI from APTs. The additional practices increase the depth and sophistication of cybersecurity capabilities.
Level five consists of 15 practices and 17 processes.
CMMC Timeline + Status
- January 2020 – DoD introduces version 1.0 of the CMMC
- June 2020 – CMMC-AB released program requirements and opened registration for C3PAOs and third-party assessors
- September 29th, 2020 – CMMC is a requirement for DFARS 252.204-7021
- DFARS 252.204-7021 requires NIST 800-171
- The Department of Defense (DoD) issued an interim rule on Sept. 29, 2020 to amend the Defense Federal Acquisition Regulation Supplement (DFARS) to implement the Cybersecurity Maturity Model Certification (CMMC) framework. This interim rule includes new DFARS clause 252.204-7021, which specifies CMMC requirements and enables the department to verify the protection of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) within the unclassified networks of Defense Industrial Base (DIB) companies. The interim rule became effective on Nov. 30, 2020, following the 60-day public comment period. (Source: U.S. DoD)
- FY 2021 – The department will pilot the implementation of CMMC requirements for Level 3 and below on select new acquisitions. In support thereof, the CISO team is currently reviewing the following pilot nominations from the military services and defense agencies and anticipates awards in late 2021:
  - U.S. Navy
    - Integrated Common Processor
    - F/A-18E/F Full Mod of the SBAR and Shut off Valve
    - DDG-51 Lead Yard Services / Follow Yard Services
  - U.S. Air Force
    - Mobility Air Force Tactical Data Links
    - Consolidated Broadband Global Area Network Follow-On
    - Azure Cloud Solution
  - Missile Defense Agency
    - Technical Advisory and Assistance Contract
For approved pilots, all offerors will undergo the appropriate CMMC assessment, and the awardee must achieve the required CMMC level at the time of contract award and flow down the appropriate CMMC requirement to subcontractors. This allows for additional time to meet the CMMC certification requirement.
*Source: Cybersecurity Maturity Model Certification | Carnegie Mellon University and The Johns Hopkins University Applied Physics Laboratory LLC Version 1.02
As of January 2021, assessments will begin to be submitted for a score. All assessments must be completed by a certified third-party organization or a registered provider organization (RPO). In Q1 overall, a formal training program will begin that enables companies and cybersecurity firms to become certified professionals or assessors. Certification for Levels 1-3 is anticipated to come first (as early as March or April).
The “Known Unknowns”
- The standard is evolving. There may be new controls over the next quarter.
- The CMMC timeline is subject to change. Some CMMC specifications apply to only some contracts now and are expected to become part of DoD procurement in 2026.
- CMMC is still being developed. In the National Defense Authorization Act that was just passed, you’ll find the following text: “1742. Department of Defense cyber hygiene and Cybersecurity Maturity Model Certification framework (a) Cyber security practices and capabilities in the Department of Defense (1) In general, not later than March 1, 2021, the Secretary of Defense, acting through the Chief Information Officer of the Department of Defense and the Commander, Joint Forces Headquarters-Department of Defense Information Network, shall assess each Department component against the Cybersecurity Maturity Model Certification (CMMC) framework and submit to the congressional defense committees a report that identifies each such component’s CMMC level and implementation of the cybersecurity practices and capabilities required in each of the levels of the CMMC framework.”
- CMMC certification requirements will likely extend beyond the Department of Defense. Other branches of the government may and likely will choose to adopt CMMC.
What You Can do to Prepare for CMMC
Determine the maturity level for which you want to be audited (CMMC Level 1-5).
Once you understand the CMMC requirements outlined above, you can determine the maturity level you need to reach. This begins with defining the CUI stored, processed, and transmitted within your environment.
Create room in the budget for CMMC certification.
While the DoD has expressed some degree of concern around the potential financial impact of reaching these CMMC requirements on small- to medium-sized businesses, it has not outlined any provisions to assist these businesses with reaching the certification requirements. That’s why it’s important to outline a reasonable timeline and the necessary resources (budget, personnel, etc.) around tasks like:
- Enhancing security requirements,
- Updating policies,
- SIEM technology, and
- Third-party assessor costs.
Take steps that can proactively address some of the issues impeding CMMC certification today.
While we don’t know all of the rules and stipulations around CMMC quite yet, we do have a general idea of which steps you can begin taking action on today:
- Align with NIST 800-171.
- Develop and enforce policies and procedures that align with CMMC-related controls.
- Establish the scope of the CMMC assessment boundary:
  - Create a Data Flow Diagram (DFD) that shows how CUI flows from the DoD all the way down to subcontractors;
  - Create a detailed asset inventory for all systems, applications, and services, covering both in-scope and out-of-scope assets;
  - Create a detailed network diagram that includes where CUI is stored, transmitted, and/or processed; and
  - Inventory Third-Party Service Providers (TSPs) to determine TSP access to CUI and/or in-scope systems, applications, and/or services.
- Have a system security plan (SSP) and a plan of action and milestones (POA&M) in place.
Have a third party conduct an assessment and gap analysis.
With CMMC, you cannot be self-certified. Therefore, enlisting the right partners – partners that have compliance expertise and are on the path to becoming a certified third-party assessment organization (C3PAO) – to conduct an assessment and gap analysis is recommended. You can ask your current cybersecurity provider if they’re a registered provider organization (RPO) for CMMC; this is often a good indicator of whether or not they’re on the path to becoming a C3PAO.
How Avertium Can Help
Avertium, a CMMC registered provider organization (RPO), is an expert in CMMC Assessment, Readiness, and Program Creation. Avertium will get to know your organization, set a baseline maturity index, and work with you tailoring a path to compliance and security program improvement that fits the way you do business. Here’s what you can expect: