CMMC 101: Understanding The Cybersecurity Maturity Model Certification
What is the CMMC?
The US Department of Defense (DoD) released the first version of the highly-anticipated Cybersecurity Maturity Model Certification (CMMC) in January 2020. The CMMC is a unified standard for implementing cybersecurity across the defense industrial base (DIB), which encompasses over 300,000 companies in the supply chain.
The CMMC is the DoD’s response to repeated compromises of sensitive defense information held on contractors’ information systems. The assessment measures how thoroughly a company has institutionalized its cybersecurity practices and processes, drawing on existing control frameworks such as NIST SP 800-171, NIST SP 800-53, ISO 27001, ISO 27032, and AIA NAS9933 and consolidating them into one unified standard.
Previously, contractors self-attested: they were responsible for implementing, monitoring, and certifying the security of their own IT systems and of any sensitive DoD information stored on or transmitted by those systems (under DFARS 252.204-7012, against NIST SP 800-171). Contractors remain responsible for implementing the required safeguards, but the CMMC replaces self-attestation with third-party assessment of a contractor’s compliance level. Mandatory practices, procedures, and capabilities give contractors a common baseline for adapting to new and evolving cyber threats.
The Five Levels of The CMMC
The CMMC rates the maturity and reliability of a company’s cybersecurity program on five cumulative certification levels. Each level requires all of the practices and processes of the levels below it, plus additional process maturity (from performed, through documented and managed, to reviewed and optimizing) and additional practices.
Level 1: Performing basic cyber hygiene practices. This level focuses on protecting Federal Contract Information (FCI) and consists of the 17 basic safeguarding requirements from FAR 52.204-21, which are appropriate for small companies. “Basic cyber hygiene” covers practices such as limiting system access to authorized users, identifying and authenticating users, keeping malicious-code protection (antivirus) installed and updated, and sanitizing media before disposal or reuse. Practices need only be performed at this level; they do not have to be documented.
Level 2: Documenting intermediate cyber hygiene processes. This level is a transition step toward protecting CUI. It requires documented policies and practices, a subset of the security requirements in NIST SP 800-171 (65 of its 110 requirements), and additional practices drawn from other standards and references, for 72 practices in total.
Level 3: Managing good cyber hygiene processes. This level focuses on safeguarding Controlled Unclassified Information (CUI). It covers all 110 NIST SP 800-171 requirements plus 20 additional CMMC practices (130 in total), and requires a managed plan for the organization’s cybersecurity activities. This is the level most contractors that handle CUI will need.
Level 4: Proactive reviews. This level focuses on how effectively the organization protects CUI from advanced persistent threats (APTs). It adds a subset of the enhanced security requirements from Draft NIST SP 800-171B, along with other advanced practices (156 in total), and requires the organization to review and measure the effectiveness of its practices.
Level 5: Optimizing advanced and progressive processes. This level requires that the entire organization standardize and continuously optimize its cybersecurity processes (171 practices in total). Like Level 4, it focuses on protecting CUI from APTs, adding further practices to detect and respond to the changing tactics and techniques of those adversaries.
CMMC Compliance: Who, When, and How?
CMMC certification will soon be required of all DoD contractors. This includes suppliers at every tier of the supply chain, from small businesses and commercial item contractors to foreign suppliers; only contractors that sell exclusively commercial off-the-shelf (COTS) items are excluded. The CMMC Accreditation Body (CMMC-AB) works directly with the DoD to develop certification procedures, and it accredits independent Certified Third-Party Assessment Organizations (C3PAOs) and the assessors who conduct CMMC assessments.
The DoD has stated that it expects to include minimum CMMC level requirements in requests for information (RFIs) as early as June 2020 and in select requests for proposals (RFPs) around September 2020. The required level is set per contract, so a contractor needs only the level that the contracts it pursues demand.
Preparation for CMMC compliance should begin now. DoD contractors should familiarize themselves with the CMMC’s technical requirements, both to prepare for certification and to build a security program that holds up after it. Many contractors have already begun reevaluating their practices, procedures, and gaps so that they can navigate the assessment process and meet the soon-to-be mandatory criteria of a CMMC contract.
Proactivity is the best way to secure an efficient assessment with a positive result. Contractors should begin taking immediate steps to:
- Thoroughly document the practices and procedures that already satisfy CMMC practices or processes, since at Level 2 and above an undocumented practice does not count.
- Plan for and implement the additional procedures and practices needed to reach the certification level their target contracts will require.
- Work with subcontractors throughout the supply chain, since every subcontractor that handles FCI or CUI must hold the level appropriate to the information it receives, and assist them in developing or reviewing their compliance programs.
CMMC Certification & Beyond
The CMMC is only a starting point for transforming a contractor’s internal cybersecurity culture. Contractors must keep preparing for and combating threats well past the point of certification. Those that build a resilient and adaptable security culture will be best positioned in a marketplace that will continue to tighten its cybersecurity expectations.