Cybersecurity Maturity Model Certification (CMMC) Compliance
What is CMMC Compliance?
CMMC is a comprehensive framework for implementing cybersecurity across the Defense Industrial Base (DIB). Now that CMMC 2.0 is published, there is a five-year phase-in period, during which CMMC compliance is only required in select pilot contracts. DoD does not intend to approve inclusion of a CMMC requirement in any contract prior to completion of the rulemaking process. Once CMMC 2.0 is codified through rulemaking, about 9 to 24 months from November 2021, DoD will require DIB companies to adhere to the revised framework.
Is your organization prepared to meet the new CMMC compliance requirements? Make sure you don’t miss out on important Department of Defense (DoD) contracts!
Who Needs CMMC Certification?
Prior to CMMC, DIB contractors were responsible for the implementation, monitoring, and security certification of their IT systems, as well as for any confidential or sensitive information stored on or transmitted by those systems. Much of this was covered by the Defense Federal Acquisition Regulation Supplement (DFARS). DFARS has been in effect since 2016 to better protect Controlled Unclassified Information (CUI). All DIB contractors and subcontractors must meet DFARS regulations, and compliance is relatively simple to understand—organizations must have the proper security protocols in place to protect CUI, and they must have a process in place to report cybersecurity incidents.
With CMMC, the framework is divided into progressively advanced tiers, and DIB companies must undergo self-assessments, third-party assessments, or government-led assessments to verify implementation of the standards. Assessments confirm that the required practices and procedures are in place and that the proper controls exist to protect data and information. The goal is to make sure that DIB contractors can defend against and respond to an ever-changing cybersecurity landscape in which new threats constantly emerge.
Cybersecurity Maturity Model Certification
CMMC compliance standards consist of several pre-existing compliance processes and procedures combined into one framework:
- NIST SP 800-171—Governs CUI in non-federal information systems and organizations. CUI is information that is sensitive, but not classified.
- NIST SP 800-172—Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171
- NIST SP 800-53—Provides standards and guidelines for federal agencies to architect and manage their information security systems.
- ISO 27001—Provides requirements for an Information Security Management System (ISMS).
- ISO 27032—Provides guidance for improving the state of cybersecurity.
- AIA NAS9933—Regulates the requirements for aerospace cybersecurity.
- Federal Information Security Management Act (FISMA)—A law requiring federal agencies to develop, document, and implement an information security and protection program.
The CMMC Accreditation Body (CMMC-AB) oversees the development of procedures to certify CMMC Third-Party Assessor Organizations (C3PAOs) and the assessors in charge of evaluating compliance levels.
There is a CMMC-AB marketplace where companies can find an accredited C3PAO and schedule an assessment.
Assessments are based on the level designated by the requesting company, which depends on the type and sensitivity of the information involved. There are three levels of CMMC 2.0 certification.
Each level builds upon the one beneath it, meaning that in order to meet Level 2 compliance, a company must also meet all Level 1 requirements. The practices assessed at each level are grouped into the following domains:
- Risk management
- Security assessment
- Situational awareness
- Identification and authentication
- System & communications protection
- System & information integrity
- Configuration management
- Incident Response
- Media protection
- Physical protection
- Personnel security
- Access control
- Asset Management
- Awareness and training
- Audit and accountability
Most practices fall under the umbrella of information assurance.
Let’s take a closer look at what each level entails.
Level 1 focuses on Federal Contract Information (FCI), which is defined as “information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as information necessary to process payments.”
DIB contractors at this level must carry out basic cyber hygiene practices, such as using antivirus software and training employees about safe passwords, and they are required to perform periodic self-assessments. Most DIB contractors already meet this level without having to change what they are doing, and it will likely serve as a starting point for firms newer to the DoD contract space. There are 17 basic cybersecurity practices required at this level.
Level 2 includes advanced requirements aligned with NIST 800-171. At this level, a new category of information is defined—Controlled Unclassified Information (CUI). CUI is defined as “information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.”
Level 2 compliance is largely based on a subset of NIST SP 800-171. It is meant to be an intermediate step to progress companies from Level 1 to Level 3, and it requires that firms have 110 cybersecurity practices in place. DIB companies at this level may require either third-party assessments or self-assessments, depending on the type of information protected:
- Third-party assessments: companies are responsible for obtaining an assessment and certification prior to contract award
- Self-assessments: companies will complete and report a CMMC Level 2 self-assessment and submit senior official affirmations
Level 3 compliance is a further extension of Level 2 for the highest priority programs. This level focuses on the protection of CUI and encompasses all the enhanced security requirements specified in NIST SP 800-172, as well as additional practices from other standards and references to mitigate threats. Examples include:
- Protecting wireless access through authorization and encryption
- Controlling the connection of mobile devices
- Using cryptography to keep remote access sessions confidential
- Authorizing remote executions of privileged commands
Level 3 controls must be well documented and certified by a triennial government-led assessment.
As its name implies, the Expert level (Level 3) requires organizations to take proactive measures in identifying and responding to cybersecurity threats. Companies also must be able to measure the effectiveness of their cybersecurity strategy.
Companies at this level must be prepared to deal with threats from attackers sponsored by other governments. Specifically, companies must demonstrate their ability to handle advanced persistent threats (APTs), which come from adversaries who have a high level of expertise and the resources to launch an attack from multiple vectors.
DoD contractors must take the appropriate steps to ensure they achieve the required level of compliance. The experts at Blue Team Alpha can assist in this process to make sure you don’t miss out on potential opportunities for new business.
CMMC compliance assistance from Blue Team Alpha includes:
A gap analysis determines how prepared your organization is for a compliance audit and which areas require immediate attention. We recommend basing the analysis on NIST SP 800-171, since it is the basis for Level 2 and something all DoD contractors should already be meeting. Once the gap analysis is complete, we use the results to determine your current CMMC compliance level and to create a plan to help you achieve the desired or required CMMC level.
The plan we craft will cover:
- Areas requiring attention
- Prioritization of areas identified
- Who will work on the gaps
- Timeline for completion
- Estimated cost
- Process for tracking goals and milestones to ensure completion
New information is constantly emerging around CMMC compliance and the associated timeline. The ultimate goal is to make sure all DoD contractors are prepared to handle the quickly changing threat landscape. Companies must be proactive in their approach to detecting and responding to new threats as they emerge if they want to remain prime contractors for the DoD well into the future. A Blue Team Alpha virtual Chief Information Security Officer (vCISO) provides expert guidance and advice at a fraction of the cost of a full-time hire.
We make sure you keep up with the new information as soon as it becomes available. We also work closely with prime DoD contractors and help them engage with subcontractors throughout their supply chain to help subcontractors achieve the compliance level they will require. This is an essential step to make sure prime contractors don’t miss out on contract opportunities due to non-compliance issues further down the chain.
Our vCISO also provides guidance when it comes to covering the cost of CMMC compliance. Many companies (especially small and mid-sized organizations) are wondering how they will pay for the upgrades in cybersecurity required for CMMC compliance. Depending on the maturity level you need to achieve, you may need to invest a substantial amount of money in your cybersecurity program to achieve and maintain compliance.
However, no one (including the DoD) wants to see any company have to step aside because the financial burden of compliance is too much to bear. In fact, the DoD has stated that “the cost of certification will be considered an allowable, reimbursable cost and will not be prohibitive.” With our vCISO service, you can rest assured that every detail is attended to when it comes to CMMC compliance reimbursement. You can be confident you will get the maximum financial assistance.
A System Security Plan (SSP) documents the security controls in place for every contractor system that stores or transmits CUI, and it is a requirement for CMMC compliance. We have the expertise at Blue Team Alpha to create this document if you don’t already have one.
If you do have documentation, we work with clients to make sure it is updated on a regular basis and includes every security protocol required for the level of compliance you will want to achieve.
Most DIB companies want to achieve Level 2 compliance, which means you must be able to report on how well your company identifies and responds to threats. If you don’t already have a system in place to do this, we will help you implement one.
Security Operations Center as a Service (SOCaaS) from Blue Team Alpha is a managed security service that provides continuous data analysis, threat intelligence, and security incident reporting. Our Managed Security Operations Center includes a fully managed cloud-based security information and event management (SIEM) platform, baselining and SIEM tuning, indicator-of-compromise alerting, remediation and countermeasure recommendations, proactive support for initial investigations, and more.
SOCaaS helps your organization achieve a higher level of CMMC compliance, making it essential for DoD contractors to have this type of system in place.
Other helpful information to keep in mind:
New information is constantly emerging around CMMC compliance and the associated timeline. It’s important to keep up with the new information as soon as it becomes available. This FAQ from the Office of the Under Secretary of Defense for Acquisition & Sustainment is an excellent way to stay on top of the situation.
Prime DoD contractors should engage with subcontractors throughout their supply chain to help them achieve the compliance level they will require. This is an essential step to make sure prime contractors don’t miss out on contract opportunities due to non-compliance issues further down the chain.
Do you have the expertise in-house to achieve compliance? If not, reach out to a team of cybersecurity experts with extensive experience in compliance frameworks.
While the DoD will be requiring CMMC compliance, the ultimate goal is to make sure all DoD contractors are prepared to handle the quickly changing threat landscape. In other words, once compliance is achieved, your work is not done.
Companies must be proactive in their approach to detecting and responding to new threats as they emerge if they want to remain prime contractors for the DoD well into the future. If you need guidance on what steps to take and how to continue to stay ahead of cybersecurity threats, consider a virtual Chief Information Security Officer (vCISO), who can provide the guidance you need at a fraction of the cost of a full-time hire.
Many companies (especially small and mid-sized organizations) are wondering how they will pay for the upgrades in cybersecurity required for CMMC compliance. Depending on the maturity level you need to achieve, you may need to invest a substantial amount of money in your cybersecurity program to achieve and maintain compliance.
Thankfully, the DoD will publish a comprehensive cost analysis for each CMMC level as part of rulemaking in the next 9 to 24 months. Costs are projected to be much lower than previously expected because requirements are streamlined, and companies at Level 1 and some at Level 2 are allowed to perform self-assessments.
Large contractors for DoD projects often work smaller companies into their supply chain to remain competitive on price and timeline when submitting bids. In other words, no one (including the DoD) wants to see the smaller players in the market step aside because the financial burden of compliance is too much to bear. In fact, the DoD has stated that “the cost of certification will be considered an allowable, reimbursable cost and will not be prohibitive.”
It’s important for organizations of all sizes to pay attention to the fine details when it comes to CMMC compliance reimbursement. We recommend seeking expert help to make sure you get the maximum financial assistance.
Every DoD contractor must be prepared to meet CMMC compliance requirements. Compliance will be the dividing line between winning and losing bids for DoD projects. Contact us today to make sure you take all of the necessary steps to obtain an accredited assessment—and win that next bid.