If you suspect an active attack, call us now at 612-399-9680.

Cybersecurity Maturity Model Certification (CMMC) Compliance

Is your organization prepared to meet the new CMMC compliance requirements? Make sure you don’t miss out on important Department of Defense (DoD) contracts!

What is the Cybersecurity Maturity Model Certification (CMMC)?

CMMC is a unified standard for implementing cybersecurity across the defense industrial base (DIB). With more than 300,000 companies in the supply chain, a large number of organizations need to comply with this new standard.

Prior to the CMMC standard, contractors were responsible for the implementation, monitoring, and security certification of their IT systems, as well as any confidential or sensitive information stored on or transmitted by their systems. Much of this was covered by the Defense Federal Acquisition Regulation Supplement (DFARS). DFARS has been in effect since 2016 as a means to better protect Controlled Unclassified Information (CUI). 

All DoD contractors and subcontractors must meet DFARS regulations, and compliance is relatively simple to understand—organizations must have the proper security protocols in place to protect CUI, and they must have a process in place to report cybersecurity events.

CMMC is similar to DFARS in many ways, but compliance is divided into maturity levels and companies must undergo an assessment by a third party (self-assessment is no longer an option). The assessment verifies that they follow certain practices and procedures and certifies that the proper controls are in place to protect sensitive data. The goal is to make sure that contractors are capable of defending against and responding to the ever-changing cybersecurity landscape, as new threats constantly emerge. All indications point to CMMC eventually replacing DFARS completely as the requirement for DoD contracts.

CMMC compliance standards consist of several pre-existing compliance processes and procedures combined into one framework:

  • NIST SP 800-171—Governs CUI in non-federal information systems and organizations. CUI is information that is sensitive, but not classified.
  • NIST SP 800-53—Provides standards and guidelines for federal agencies to architect and manage their information security systems.
  • ISO 27001—Provides requirements for an Information Security Management System (ISMS).
  • ISO 27032—Provides guidance for improving the state of cybersecurity.
  • AIA NAS9933—Regulates the requirements for aerospace cybersecurity.
  • Federal Information Security Management Act (FISMA)—A law requiring federal agencies to develop, document, and implement an information security and protection program.

The standard has been in the works for several years, and the first version of the CMMC was finally released on January 31, 2020. Contractors are now seeing CMMC requirements in the Request for Proposal (RFP) process, so DoD contractors will need to get certified by an accredited assessor.

CMMC requirements will apply to all DoD contractors, including all companies throughout the supply chain. There is a chance that smaller contractors or subcontractors may not be required to obtain the highest level of compliance, but it is best to prepare for a high level of compliance now so you don’t risk missing out on projects.

The CMMC Accreditation Body (CMMC-AB) is in charge of developing procedures to certify Third-Party Assessment Organizations (C3PAOs) and the assessors who will evaluate compliance levels. The CMMC will also set up a CMMC Marketplace where companies will be able to find an accredited C3PAO and schedule an assessment.

Assessments will be based on the level designated by the requesting company. There are five levels of CMMC certification:


  • Level 1: Basic cyber hygiene
  • Level 2: Intermediate cyber hygiene
  • Level 3: Good cyber hygiene
  • Level 4: Proactive
  • Level 5: Advanced/Progressive

Each level builds upon the one beneath it, meaning that in order to meet Level 2 compliance, a company must also meet all Level 1 requirements.

The CMMC model as a whole consists of 17 domains.

  • Access control 
  • Asset Management
  • Awareness and training 
  • Audit and accountability 
  • Configuration management 
  • Identification and authentication 
  • Incident Response 
  • Maintenance 
  • Media protection 
  • Physical protection 
  • Personnel security 
  • Recovery
  • Risk management
  • Security assessment 
  • Situational awareness
  • System and communications protection 
  • System and information integrity

The distribution of practices within each domain varies across the compliance levels, but the majority of all required practices fall under access control, audit and accountability, incident response, risk management, system and communications protection, and system and information integrity.

CMMC Compliance Levels
Level 1: Basic Cyber Hygiene

This level focuses on Federal Contract Information (FCI), which is defined as “information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as information necessary to process payments.” 

Companies at this level must carry out basic cyber hygiene practices, such as using antivirus software and training employees about safe passwords. Most current DoD contractors should already meet this level without having to change what they are doing, and it will likely serve as a starting point for newer firms to the DoD contract space. There are 17 cybersecurity practices required at this level.

Level 2: Intermediate Cyber Hygiene

Level 2 includes the new emerging requirements that DoD contractors will really need to prepare for. At this level, a new category of information is defined—Controlled Unclassified Information (CUI). CUI is defined as “information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.” 

Level 2 compliance is largely based on a subset of NIST SP 800-171. It is meant to be an intermediate step to progress companies from Level 1 to Level 3, and it requires that firms have 72 cybersecurity practices in place.  

Level 3: Good Cyber Hygiene

Level 3 compliance is a further extension of Level 2. This level focuses on the protection of CUI and encompasses all of the security requirements specified in NIST SP 800-171 [4], as well as additional practices from other standards and references to mitigate threats. Although official guidance has not been given to date, this is the level many believe DoD contractors will need to achieve at a minimum if they handle CUI. Level 3 requires that organizations have a long list of 130 specific security procedures and protocols in place. Examples include:

  • Protecting wireless access through authorization and encryption 
  • Controlling the connection of mobile devices 
  • Using cryptography to keep remote access sessions confidential
  • Authorizing remote executions of privileged commands 

As with Level 2, all of these protocols must be well documented and will have to be certified through an accredited assessor in order to achieve compliance. 

Level 4: Proactive

As its name implies, Level 4 requires organizations to take proactive measures in identifying and responding to cybersecurity threats. Companies also must be able to measure the effectiveness of their cybersecurity strategy. 

Companies at this level must be prepared to deal with threats from attackers sponsored by other governments. Specifically, companies must demonstrate their ability to handle advanced persistent threats (APTs), which come from adversaries who have a high level of expertise and the resources to launch an attack from multiple vectors. 

Based on the information currently available, we expect this level to be the minimum requirement for those companies wishing to be main contractors for the DoD. In total, there are 156 cybersecurity policies that need to be in place to meet this compliance level. 

Level 5: Advanced/Progressive

Level 5 focuses on protecting Confidential, Secret, or Top Secret information from APTs, with additional requirements above Level 4 that increase the sophistication of a company’s cybersecurity policies and procedures. There are a total of 171 requirements. 

Level 5 requirements are less technical in nature and focus more on how an organization can respond to the changing cybersecurity threat landscape.

Additional details on all of the levels can be found here

CMMC Compliance Assistance from Blue Team Alpha

DoD contractors must take the appropriate steps to ensure they achieve the required level of compliance. The experts at Blue Team Alpha can assist in this process to make sure you don’t miss out on potential opportunities for new business.

CMMC compliance assistance from Blue Team Alpha includes:

A gap analysis will determine how prepared your organization is for a compliance audit and which areas require immediate attention. We recommend basing your analysis on NIST SP 800-171, since it is the basis for Level 3 and something all DoD contractors should be meeting. Once the gap analysis is complete, we use the results to determine your current CMMC compliance level and to create a plan to help you achieve the desired or required CMMC level.

The plan we craft will cover:

  • Areas requiring attention
  • Prioritization of areas identified  
  • Who will work on the gaps 
  • Timeline for completion 
  • Estimated cost 
  • Process for tracking goals and milestones to ensure completion

New information is constantly emerging around CMMC compliance and the associated timeline. The ultimate goal is to make sure all DoD contractors are prepared to handle the quickly changing threat landscape. Companies must be proactive in their approach to detect and respond to new threats as they emerge if they want to remain prime contractors for the DoD well into the future. A Blue Team Alpha virtual Chief Information Security Officer (vCISO) provides expert guidance and advice at a fraction of the cost.

We make sure you keep up with the new information as soon as it becomes available. We also work closely with prime DoD contractors and help them engage with subcontractors throughout their supply chain to help subcontractors achieve the compliance level they will require. This is an essential step to make sure prime contractors don’t miss out on contract opportunities due to non-compliance issues further down the chain. 

Our vCISO also provides guidance when it comes to covering the cost of CMMC compliance. Many companies (especially small and mid-sized organizations) are wondering how they will pay for the upgrades in cybersecurity required for CMMC compliance. Depending on the maturity level you need to achieve, you may need to invest a substantial amount of money in your cybersecurity program to achieve and maintain compliance. 

However, no one (including the DoD) wants to see any company have to step aside because the financial burden of compliance is too much to bear. In fact, the DoD has stated that “the cost of certification will be considered an allowable, reimbursable cost and will not be prohibitive.” With our vCISO service, you can rest assured that every detail is attended to when it comes to CMMC compliance reimbursement. You can be confident you will get the maximum financial assistance.

A System Security Plan documents the security controls in place for all the systems a contractor has that store or transmit CUI, and it is a requirement for CMMC compliance. We have the expertise at Blue Team Alpha to create this document if you don’t already have one. If you do have documentation, we work with clients to make sure it is updated on a regular basis and includes every security protocol required for the level of compliance you will want to achieve.

Most companies will want to achieve Level 4 or 5 compliance, which means you must be able to report on how well your company identifies and responds to threats. If you don’t already have a system in place to do this, we will help you implement one. 

Security Operations Center as a Service (SOCaaS) from Blue Team Alpha is a managed security service that provides continuous data analysis, threat intelligence, and security incident reporting. Our Managed Security Operations Center includes a fully managed cloud security information and event management (SIEM), baseline and SIEM tuning, indicator of compromise alerting, remediation and countermeasure recommendations, proactive support for initial investigation, and more. 

Achieve a higher level of CMMC compliance with SOCaaS.

Win that next DoD contract

Every DoD contractor must be prepared to meet CMMC compliance requirements. Compliance will be the dividing line between winning and losing bids for DoD projects. Contact us today to make sure you take all of the necessary steps to obtain an accredited assessment—and win that next bid. 
