If you do any work with the U.S. Department of Defense (DoD), then you have surely heard about the Cybersecurity Maturity Model Certification (CMMC). With requirements beginning to show up in projects as early as September, you may have questions about compliance and requirements so you don’t lose out on future contracts with the DoD.
We have provided an overview of the standard and laid out the steps you need to take now to make sure you’re checking off all of the CMMC boxes.
What is the Cybersecurity Maturity Model Certification (CMMC)?
CMMC is a unified standard for implementing cybersecurity across the defense industrial base (DIB). With more than 300,000 companies in the supply chain, there is a large number of companies that need to comply with this new standard.
Prior to the CMMC standard, contractors were responsible for the implementation, monitoring, and security certification of their IT systems, as well as any confidential or sensitive information stored on or transmitted by their systems. Much of this was covered by the Defense Federal Acquisition Regulation Supplement (DFARS). DFARS has been in effect since 2016 as a means to better protect Controlled Unclassified Information (CUI).
All DoD contractors and subcontractors must meet DFARS regulations, and compliance is relatively simple to understand—organizations must have the proper security protocols in place to protect CUI, and you must have a process in place to report cybersecurity events.
CMMC is similar to DFARS in many ways, but compliance is divided into maturity levels and companies must undergo an assessment by a third party (self-assessment is no longer an option). The assessment will ensure they are compliant with certain practices and procedures to certify that the proper controls are in place to protect sensitive data. The goal is to make sure that contractors are capable of defending against and responding to the ever-changing cybersecurity landscape, as new threats constantly emerge. While details are still being ironed out, all indications are pointing to CMMC eventually completely replacing DFARS as the requirement needed for DoD contracts.
CMMC compliance standards consist of several pre-existing compliance processes and procedures combined into one framework:
- NIST SP 800-171—Governs CUI in non-federal information systems and organizations. CUI is information that is sensitive, but not classified.
- NIST SP 800-53—Provides standards and guidelines for federal agencies to architect and manage their information security systems.
- ISO 27001—Provides requirements for an Information Security Management System (ISMS).
- ISO 27032—Provides guidance for improving the state of cybersecurity.
- AIA NAS9933—Regulates the requirements for aerospace cybersecurity.
- Federal Information Security Management Act (FISMA)—A law requiring federal agencies to develop, document, and implement an information security and protection program.
The standard has been in the works for several years, and the first version of the CMMC was finally released on January 31, 2020. By September of 2020, contractors should expect to see CMMC requirements in the Request for Proposal (RFP) process. Starting in October, DoD contractors will need to get certified by an accredited assessor.
While a full timeline of compliance is not yet available, CMMC requirements will apply to all DoD contractors, including all companies throughout the supply chain. There is a chance that smaller contractors or subcontractors may not be required to obtain the highest level of compliance, but our best advice is to prepare for a high level of compliance now so you don’t risk missing out on projects.
The CMMC Accreditation Body (CMMC-AB) is in charge of developing procedures to certify Third-Party Assessment Organizations (C3PAOs) and the assessors that will be in charge of evaluating compliance levels. The CMMC-AB will also set up a CMMC Marketplace where companies will be able to find an accredited C3PAO and schedule an assessment.
Assessments will be based on the level designated by the requesting company. There are five levels of CMMC certification:
- Level 1: Basic cyber hygiene
- Level 2: Intermediate cyber hygiene
- Level 3: Good cyber hygiene
- Level 4: Proactive
- Level 5: Advanced/Progressive
Each level builds upon the one beneath it, meaning that in order to meet Level 2 compliance, a company must also meet all Level 1 requirements.
The CMMC model as a whole consists of 17 domains:
- Access control
- Asset management
- Awareness and training
- Audit and accountability
- Configuration management
- Identification and authentication
- Incident response
- Maintenance
- Media protection
- Physical protection
- Personnel security
- Recovery
- Risk management
- Security assessment
- Situational awareness
- System and communications protection
- System and information integrity
The distribution of practices within each domain varies across the compliance levels, but the majority of all required practices fall under access control, audit and accountability, incident response, risk management, system and communications protection, and system and information integrity.
Let’s take a closer look at what each level entails.
Level 1: Basic cyber hygiene
This level focuses on Federal Contract Information (FCI), which is defined as “information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as information necessary to process payments.”
Companies at this level must carry out basic cyber hygiene practices, such as using antivirus software and training employees about safe passwords. Most current DoD contractors should already meet this level without having to change what they are doing, and it will likely serve as a starting point for newer firms to the DoD contract space. There are 17 cybersecurity practices required at this level.
Level 2: Intermediate cyber hygiene
Level 2 includes the new emerging requirements that DoD contractors will really need to prepare for. At this level, a new category of information is defined—Controlled Unclassified Information (CUI). CUI is defined as “information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.”
Level 2 compliance is largely based on a subset of NIST SP 800-171. It is meant to be an intermediate step to progress companies from Level 1 to Level 3, and it requires that firms have 72 cybersecurity practices in place.
Level 3: Good cyber hygiene
Level 3 compliance is a further extension of Level 2. This level focuses on the protection of CUI and encompasses all of the security requirements specified in NIST SP 800-171, as well as additional practices from other standards and references to mitigate threats. Although official guidance has not been given to date, this is the level many believe all DoD contractors will need to achieve at a minimum if they handle CUI. Level 3 requires that organizations have a long list of 130 specific security procedures and protocols in place. Examples include:
- Protecting wireless access through authorization and encryption
- Controlling the connection of mobile devices
- Using cryptography to keep remote access sessions confidential
- Authorizing remote executions of privileged commands
As with Level 2, all of these protocols must be well documented and will have to be certified through an accredited assessor in order to achieve compliance.
Level 4: Proactive
As its name implies, Level 4 requires organizations to take proactive measures in identifying and responding to cybersecurity threats. Companies also must be able to measure the effectiveness of their cybersecurity strategy.
Companies at this level must be prepared to deal with threats from attackers sponsored by other governments. Specifically, companies must demonstrate their ability to handle advanced persistent threats (APTs), which come from adversaries who have a high level of expertise and the resources to launch an attack from multiple vectors.
Based on the information currently available, we expect this level to be the minimum requirement for those companies wishing to be main contractors for the DoD. In total, there are 156 cybersecurity policies that need to be in place to meet this compliance level.
Level 5: Advanced/Progressive
Level 5 focuses on protecting Confidential, Secret, or Top Secret information from APTs, with additional requirements above Level 4 that increase the sophistication of a company’s cybersecurity policies and procedures. There are a total of 171 requirements.
Level 5 requirements are less technical in nature and focus more on how an organization can respond to the changing cybersecurity threat landscape.
Additional details on all of the levels can be found here.
CMMC compliance checklist
Conduct a readiness assessment and gap analysis
This will determine how prepared your organization is for a compliance audit and which areas require immediate attention. We recommend basing your analysis on NIST SP 800-171, since it is the basis for Level 3 and something all DoD contractors should already be meeting. Once the gap analysis is complete, the results should be used to determine your current CMMC compliance level and to create a plan to achieve the desired or required CMMC level.
The plan should cover:
- Areas requiring attention
- Prioritization of areas identified
- Who will work on the gaps
- Timeline for completion
- Estimated cost
- Process for tracking goals and milestones to ensure completion
Implement a cybersecurity detection and alerting system
Most companies will want to achieve Level 4 or 5 compliance, which means you must be able to report on how well your company identifies and responds to threats. If you don’t already have such a system in place, now is the time to implement one.
We recommend leveraging Security Operations Center as a Service (SOCaaS). This is a managed security service that provides continuous data analysis, threat intelligence, and security incident reporting. A Managed Security Operations Center includes a fully managed cloud security information and event management (SIEM), baseline and SIEM tuning, indicator of compromise alerting, remediation and countermeasure recommendations, proactive support for initial investigation, and more.
SOCaaS helps your organization achieve a higher level of CMMC compliance, making it essential for DoD contractors to have this type of system in place.
Develop a System Security Plan (SSP)
A System Security Plan documents the security controls in place for all the systems a contractor has that store or transmit CUI, and it is a requirement for CMMC compliance. If you don’t have one in place, it’s time to get working on it. Seek expert help if you’re not sure where to start.
If you do have documentation, make sure it is updated on a regular basis and includes every security protocol required for the level of compliance you will want to achieve.
Stay up to date
New information is constantly emerging around CMMC compliance and the associated timeline. It’s important to keep up with the new information as soon as it becomes available. This FAQ from the Office of the Under Secretary of Defense for Acquisition & Sustainment is an excellent way to stay on top of the situation.
Talk to your subcontractors and suppliers
Prime DoD contractors should engage with subcontractors throughout their supply chain to help them achieve the compliance level they will require. This is an essential step to make sure prime contractors don’t miss out on contract opportunities due to non-compliance issues further down the chain.
Evaluate your internal resources
Do you have the expertise in-house to achieve compliance? If not, reach out to a team of cybersecurity experts with extensive experience in compliance frameworks.
While the DoD will be requiring CMMC compliance, the ultimate goal is to make sure all DoD contractors are prepared to handle the quickly changing threat landscape. In other words, once compliance is achieved, your work is not done.
Companies must be proactive in their approach to detecting and responding to new threats as they emerge if they want to remain prime contractors for the DoD well into the future. If you need guidance on what steps to take and how to continue to stay ahead of cybersecurity threats, consider a virtual Chief Information Security Officer (vCISO), who can provide the guidance you need at a fraction of the cost.
The cost issue of CMMC compliance
Many companies (especially small and mid-sized organizations) are wondering how they will pay for the upgrades in cybersecurity required for CMMC compliance. Depending on the maturity level you need to achieve, you may need to invest a substantial amount of money in your cybersecurity program to achieve and maintain compliance.
Even large contractors for DoD projects often work smaller companies into their supply chain to remain competitive on price and timeline when submitting bids. In other words, no one (including the DoD) wants to see the smaller players in the market have to step aside because the financial burden of compliance is too much to bear. In fact, the DoD has stated that “the cost of certification will be considered an allowable, reimbursable cost and will not be prohibitive.”
It’s important for organizations of all sizes to pay attention to the fine details when it comes to CMMC compliance reimbursement. We recommend seeking expert assistance to make sure you get the maximum financial assistance.
A contractor’s readiness to meet CMMC compliance requirements will make all the difference when it comes to winning or losing bids for DoD projects. Make sure your company is prepared by taking the necessary steps now to obtain an accredited assessment, so that you end up on the winning side.