The DoD Pushes forward with the CMMC
The Cybersecurity Maturity Model Certification (CMMC) is a DOD framework designed to promote a baseline level of information security across the entire defense supply chain. It will serve as an enforcement mechanism for existing security standards like FAR 52.204-21 and NIST 800-171. Those standards, although technically mandatory for DOD contractors, rely on voluntary self-assessments. Thanks to low compliance rates, defense contractors have become lucrative targets for foreign intelligence agencies seeking DOD data.
CMMC security compliance will be validated by external third-party auditors. There are five levels of certification, with Level 1 certifying basic cyber hygiene, and Level 5 attesting to cutting-edge cybersecurity. The DOD plans to incorporate CMMC requirements into the Defense Federal Acquisition Regulation Supplement (DFARS) and make certification mandatory for all future contract awards. The CMMC level required will depend upon the sensitivity of data associated with each contract. CMMC will be incorporated into procurements beginning November 2020, with all DOD contracts requiring CMMC compliance by 2025.
Who Will Require CMMC Certification?
Ultimately, each of the roughly 300,000 defense contractors, suppliers, and vendors will need to be certified through the CMMC process. This includes both prime and subcontractors, although it excludes companies that exclusively produce Commercial Off-the-Shelf (COTS) products.
At a minimum, every DOD contractor will require CMMC Level 1 because each will produce nonpublic Federal Contract Information (FCI) as a byproduct of contract performance. CMMC Level 2 or 3 will be required for organizations that process Controlled Unclassified Information (CUI), which is an umbrella term to describe sensitive DOD information that requires safeguarding.
Future procurements will include the CMMC level required for bidders; companies without the requisite level will be ineligible to compete. Organizations are best served by seeking the highest level within their capability and budget in order to minimize the chance of being excluded from future procurements.
Who Supports the CMMC Process?
Assessors are third-party cybersecurity experts who will audit DOD contractors and then award an appropriate CMMC level. To ensure these standards are universally applied, each assessor must be trained and authorized by a C3PAO. The assessor's audits and decisions are subject to review by the CMMC Accreditation Body.
C3PAOs (Certified Third-Party Assessment Organizations) are private organizations responsible for training and licensing assessors. Their role is to act as a body of knowledge, promoting standardization and fairness throughout the CMMC process. The DOD has warned of unscrupulous companies falsely claiming to be C3PAOs; any such claim is false, since no C3PAOs have been appointed at this time. Eventually, contractors will be able to search for accredited C3PAOs in an official CMMC Marketplace.
The CMMC Accreditation Body is an independent, nonprofit organization that has been authorized by the DOD to oversee the CMMC process. The CMMC AB will accredit C3PAOs, operate the CMMC Marketplace, resolve disputes, perform quality control, and publish CMMC certificates in a nonpublic DOD database.
Cybersecurity consultants will play a critical role in helping DOD contractors achieve CMMC compliance. Although major multinational defense corporations employ full-time teams of cybersecurity experts, this is often cost-prohibitive for small- and medium-sized businesses. Totem levels the playing field by providing the subject-matter expertise necessary to prepare for a successful CMMC assessment.
What Are the Steps for CMMC Compliance?
Step 1: Identify Your Target Level.
Your organization should start by determining which CMMC level you are most likely to require. Keep in mind that the levels are cumulative: each level contains all the requirements of the preceding levels.
- Level 1 attests that an organization performs basic cyber hygiene. The 17 practices are equivalent to FAR Clause 52.204-21, which mandates the steps necessary to protect contractor information systems handling FCI. The DOD expects Level 1 to be the most common CMMC level, with succeeding levels being progressively rarer.
- Level 2 validates intermediate cyber hygiene as a transitory step towards protecting CUI. Its 72 practices combine several unique requirements with a subset derived from NIST 800-171.
- Level 3 shows that your organization is actively managing security processes associated with good cyber hygiene. At this level, your organization is certified to protect CUI. The 130 practices are a combination of unique requirements and the full list of practices from NIST 800-171.
- Level 4 demonstrates proactive cybersecurity practices that provide strong CUI protection. It includes 156 practices, including many sourced from NIST 800-171B. Note that this draft document, like much of the CMMC initiative, is still very much a work in progress.
- Level 5 certification requires an advanced cybersecurity program with continuously optimized processes. The 171 practices in this level support strong CUI protection and defend against Advanced Persistent Threats (APTs), which are sophisticated adversaries like foreign government hackers. Only a tiny percentage of the Defense Industrial Base is expected to require certification at this level.
Step 2: Conduct a Self-Assessment.
Once you've identified your target level, the DOD encourages organizations to conduct self-assessments. You'll need to review the requirements for your desired CMMC level and the levels below it. Because Levels 1-3 rely heavily on practices described in NIST 800-171, existing DOD assessment guidance can guide your review. We have also simplified this assessment and restated it in layman's terms in our DoD Assessment Methodology blog.
Step 3: Develop a Strategy
Your self-assessment is likely to reveal gaps between your organization’s current cybersecurity posture and your desired CMMC level. Review your human, financial, and technological resources, then develop a strategy for closing the gap. Are your existing resources sufficient for your organization to pass a CMMC assessment? If the answer is anything short of a resounding yes, you should request expert cybersecurity consultant support.
Step 4: Close the Gap.
This is where the rubber meets the road. Your organization must develop and maintain a System Security Plan (SSP) that describes system boundaries, operating environments, how security requirements are implemented, and connections with other systems. The gaps that you identified should be listed in a Plan of Action and Milestones (POAM) document, along with your corrective action plans and the date that each milestone will be achieved.
Companies familiar with NIST 800-171 may recall how POAMs could serve as a band-aid during audits. The documents were used to illustrate an organization’s intent to eventually implement security fixes. CMMC provides no such leniency: the POAM will help you track everything that must be completed before your assessment.
Because each CMMC level builds upon the previous levels, you should ensure you meet the basic requirements before advancing to the higher-level ones. After all, what use is installing an expensive Security Information and Event Management system (as required by Level 5: SI.5.222) when your system doesn’t even require a password to log on (as required by Level 1: IA.1.077)?
Step 5: Schedule Your Audit.
The CMMC Marketplace is expected to launch around summer 2020 (to stay up-to-date, scroll to the bottom of this page and subscribe to our newsletter). Contractors will access the Marketplace, review the list of accredited C3PAOs, and request an assessment for their desired CMMC level. The C3PAO will send a trained assessor to inspect the contractor’s cybersecurity program. Once the assessor has completed their inspection, they will send their findings to the CMMC AB. If the contractor successfully met the requirements for their target CMMC level, they will receive a 3-year certification from the CMMC AB.
Step 6: Maintain and Improve.
CMMC isn’t about simply checking boxes on a checklist. It’s about defending sensitive DOD information from foreign adversaries in a dynamic, constantly evolving security environment. Organizations must continuously monitor the effectiveness of their cybersecurity program and adapt to changes in the threat landscape. This will reduce the risk of security incidents that could prompt the CMMC AB to demand additional audits and recertification. As contractors grow more confident in their cybersecurity abilities, they can pursue higher-level certification to expand their range of eligible DOD contracts.
Ready To Begin?
Take the time to familiarize yourself with the terminology and processes of CMMC by reading other posts on our cybersecurity blog. Pay particular attention to our post on the DOD Assessment Methodology. When you're ready to conduct your Self-Assessment, our Free NIST 800-171 Assessment Methodology Scoring Sheet will give you an idea of where your organization stands. If your self-assessment shows full compliance with NIST 800-171, then you are well on your way to meeting CMMC Level 3 requirements.
If you still have a ways to go, Totem is here to help! Our seasoned cybersecurity consultants can provide expert CMMC security guidance via our Cybersecurity Virtual Classroom. Each class includes support for developing your System Security Plan, even in organizations with limited resources. Our virtual classroom syllabus and instructor Q&A sessions will give you a confident, thorough understanding of NIST 800-171 and by extension, put you on the path to CMMC success.
Feel free to contact us if there are other ways that Totem can support you!