Cybersecurity Maturity Model Certification (CMMC)

Cybersecurity rarely seems to leave the news headlines, with cyber-exploits affecting all industry sectors. One of the areas that cybercriminals target is the supply chain. In evidence of this, a 2019 Symantec study found that supply chain attacks increased by 78% in 2018.

One of the biggest problems with supply chains is that they extend across entities, often connecting over multi-cloud infrastructures and with disparate uncontrolled endpoints. The Department of Defense (DoD) supply chain is a perfect example of an extended supply chain. With a value of over $93 billion across over 300,000 contractors, the DoD supply chain offers plentiful opportunities for cybercriminals to exploit.

To counterbalance the tsunami of security threats to the supply chain, the DoD has established the Cybersecurity Maturity Model Certification (CMMC) program. This is a unified framework designed to tackle cybercrime using best practices. The CMMC is part of the Defense Federal Acquisition Regulation Supplement (DFARS) and used as a requirement for contract award.

What is the scope of the CMMC?

The CMMC is based on the principles of a ‘cybersecurity maturity model’, a concept that NIST has explored in detail. Maturity models provide best fit, achievable levels of cybersecurity practice, with each level being dependent on the previous level.

The CMMC advisory sets out the scope of the Cybersecurity Maturity Model Certification, starting with the types of information that require protection. The CMMC sets a baseline of protection for:

Controlled Unclassified Information (CUI): Defined as “any information that law, regulation, or government-wide policy requires to have safeguarding or disseminating controls…” and,
Federal Contract Information (FCI): Information not intended for public release.

The CMMC applies five “levels of maturity” to the protection of CUI and FCI. The five levels range from level 1, ‘basic cyber hygiene” to level 5, “advanced/progressive”. A third-party audit of a company determines which CMMC level the organization meets.

An online registry of CUI is available which has details on the category types and specifically related groupings such as “Critical Infrastructure”, “Financial”, “Export Control”, etc.

Who is affected – who must comply?

Any company that does business with the DoD must adhere to, and then be certified as compliant with the CMMC, at one of the levels.

The CMMC advisory, specifically states that “The initial implementation of the CMMC will only be within the DoD.” By assigning the CMMC as a requirement in a tender, the DoD has ensured that all DoD contractors and subcontractors must be compliant to win a contract.

Any contractor that is part of the defense industrial base will be required to be independently audited and certified against the CMMC’s five “maturity levels”. Which level you certify to will depend on your organization’s cybersecurity program and posture. If you are not certified to an expected project level, you will not be able to bid on a contract.

Key dates for compliance

The following dates should be scheduled into your CMMC calendar:

January 2020: Release of Version 1.0 of the CMMC
June 2020: Requests for Information (RFI) inclusion. Any RFI put out by DoD to the market from June 2020 and beyond will contain provisions for what CMMC level is needed in order to apply.
September 2020: Requests for Proposals (RFP) inclusion. All DoD RFPs will include provisions for what CMMC level is needed to apply.
October 2020: DoD certification date. All existing DoD contractors need to be certified by an accredited third-party.

There is likely a two-year period for CMMC compliance to take full effect, but contractors should show a move towards becoming compliant now.

Quick Overview of the Five CMMC Levels

The CMMC is a unified model, creating five levels. The CMMC is based on the following standards, advisories, and frameworks:

NIST SP 800-171
NIST SP 800-53
ISO 27001
ISO 27032
AIA NAS9933
FISMA

Each of the five levels of the CMMC builds upon the previous levels. For example, level 3 requires that a contractor has previously met the requirements for levels 1 and 2.

The five levels integral to the CMMC reflect the risk to CUI and FCI. DoD contracts will expect a bidding organization to meet the level appropriate to the sensitivity of the project. As such, an organization does not necessarily ever need to be certified across all 5-levels; which level they meet depends on what data they handle and the type of projects they wish to bid on. Accredited certification and audit vendors can advise on the most appropriate level for a specific organization.

The five CMMC levels are:

Level 1: Basic Cyber Hygiene

This level covers the basic safeguarding of Federal Contract Information (FCI). This level is about the basic principles of security when working with non-sensitive data. Examples are the use of anti-virus software, good password use, etc. This requires sign-off that the principles are performed, no documentation is necessary.

Level 2: Intermediate Cyber Hygiene

This level is the first that introduces CUI protection. Documentation showing the application of required security practices is required. The requirements of level 2 are based on NIST Special Publication 800-171 Revision 2. The level includes areas such as access control, security awareness and training, incident response, and risk assessment.

Level 3: Good Cyber Hygiene

This level builds on the previous two levels. Level 3 has 47 security controls. While this may seem an onerous level to reach, the use of accredited third-party advisors can help in putting the correct processes in place to meet the level requirements.

Level 4: Proactive

Being proactive in securing data means having the right tools, policies, and procedures in place to measure, detect, and mitigate cyber-threats. Any DoD prime contractors are likely to be needed to meet this level as they will be required to show evidence they can deal with the sophistication of state-sponsored attacks. The detection and response to Advanced Persistent Threats (APTs) is a criterion for certification at level 4.

Level 5: Advanced/Progressive

If you can meet level 4, chances are you will be able to move onto level 5, which contains 30 additional security controls. This level is about management and process in dealing with the sophisticated and challenging cybersecurity landscape.

Why do you need to be CMMC compliant?

If you wish to work on DoD projects, your company, no matter what size, will need to show appropriate CMMC compliance at one of the five levels. Compliance with CMMC shows that your firm is ready to deal with the exacting nature of government cybersecurity issues and threats across the supply chain.

CMMC compliance is proof of a proactive approach to security hygiene in line with an increasingly complicated threat matrix

How to achieve CMMC certification

The CMMC advisory states that:

“Only CMMC Third Party Assessment Organizations (C3PAOs) and individual assessors that have been accredited by the CMMC Advisory Board can perform CMMC assessments.”

To certify to the correct level for your organization, you must use an accredited third-party. Since these assessments can be high stakes and costly to fail, many companies opt to prepare for certification process with the support of specialized firms who help implement the necessary security operations and controls for compliance.