What Is CMMC?
A data breach in a contractor’s IT system could be disastrous for the Department of Defense (DoD). That’s why the DoD has established detailed cybersecurity policies for DoD contractors. Recently, the DoD has created a new model of security standards known as the Cybersecurity Maturity Model Certification (CMMC). This is more than a set of standards. It’s also a program to help contractors understand the strength of their cyber hygiene and, if needed, work toward achieving higher levels.
What Is CMMC?
Cybersecurity Maturity Model Certification measures the level of cybersecurity or “cyber hygiene” an organization has in place. CMMC specifically deals with the way organizations store and access controlled unclassified information (CUI).
Classified information must be kept on highly secure government IT systems, while unclassified information may reside on privately owned IT systems belonging to the DoD's industry partners. CUI is unclassified government information that is nonetheless sensitive enough to require safeguarding, so a contractor that stores or processes it must protect it from unauthorized access and disclosure.
CMMC defines various levels of cybersecurity maturity, from basic cyber hygiene at Level 1 to advanced cyber hygiene at Level 5. Lower levels are characterized by more minimal cybersecurity measures, while higher levels exemplify more robust security processes and practices.
The CMMC program differs from its predecessors in its tiered approach to defining an organization's cybersecurity maturity. It also differs in that it pairs the requirements with a mandatory assessment program for compliance. Rather than self-attesting, contractors must be assessed and certified by an accredited third party.
Why Was the CMMC Created?
The DoD created the CMMC to establish a consistent standard all DoD contractors can use to ensure they’re meeting the necessary cybersecurity levels. Of course, this is not the first resource offering cybersecurity best practices.
Before the DoD created the CMMC, DoD contractors and subcontractors handling CUI were required to implement the National Institute of Standards and Technology's (NIST) Special Publication (SP) 800-171 and to document their status in a System Security Plan (SSP) and a Plan of Action and Milestones (POA&M). Contractors bore sole responsibility for attesting that their IT systems were compliant. This self-attestation model proved inadequate: the actual rate of compliance across the Defense Industrial Base (DIB) was low.
That's why the DoD obtained Congressional approval to create a new program that is detailed yet straightforward to apply in determining an organization's level of cyber hygiene. Under this system, the responsibility for certification shifts to accredited CMMC third-party assessment organizations (C3PAOs).
Ultimately, the CMMC should help DoD contractors more effectively prepare for and mitigate cybersecurity threats, thereby better protecting sensitive data across the DoD supply chain.
Who Has to Comply?
Who needs to pay attention to CMMC requirements? The short answer is almost any prime contractor or subcontractor working on behalf of the DoD. The one exemption is for contractors that exclusively produce commercial off-the-shelf (COTS) products.
Contractors who only possess Federal Contract Information (FCI) — government information not intended for public release but not as sensitive as CUI — may think the CMMC does not apply since it focuses on CUI. However, these contractors still must meet the minimum standard of CMMC Level 1.
Since the CMMC consists of distinct levels, there is no single CMMC standard that applies to all contractors. The level an organization must achieve depends on the type and sensitivity of the information it handles, in particular whether it handles CUI. The DoD is starting to require some contractors bidding on defense contracts to demonstrate that they are certified at the level specified in the solicitation, which is Level 1 or higher.
The Cybersecurity Maturity Model Certification
Each level of the CMMC represents a more mature and robust approach to cybersecurity. Each level’s requirements are defined within domains, or topics, that contain controls, or required practices and processes. Many of these controls are compiled from other preexisting frameworks. The domains include:
- Domain AC: Access Control
- Domain AM: Asset Management
- Domain AT: Awareness and Training
- Domain AU: Audit and Accountability
- Domain CA: Security Assessment
- Domain CM: Configuration Management
- Domain IA: Identification and Authentication
- Domain IR: Incident Response
- Domain MA: Maintenance
- Domain MP: Media Protection
- Domain PE: Physical Protection
- Domain PS: Personnel Security
- Domain RE: Recovery
- Domain RM: Risk Management
- Domain SA: Situational Awareness
- Domain SC: System and Communications Protection
- Domain SI: System and Information Integrity
The nature of this tiered program is such that each level contains all the controls from previous levels in addition to new ones. Therefore, Level 5 consists of all controls across all domains in the program. There are no controls that are unique to lower levels and not included in higher levels.
Let’s look at a basic overview of what each level of the CMMC entails.
Level 1
Level 1 serves as a baseline of basic cyber hygiene and provides a solid foundation for all subsequent levels. According to the DoD chief information security officer for acquisition, this level covers basic cybersecurity skills we should do every day, such as using antivirus software and updating passwords.
The level consists of 17 practices categorized under the following domains: Access Control, Identification and Authentication, Media Protection, Physical Protection, System and Communications Protection and System and Information Integrity. All of these practices correspond directly to the 15 basic safeguarding requirements in Federal Acquisition Regulation (FAR) clause 52.204-21.
Level 2
Level 2 is where the process maturity aspect of CMMC comes in. This level builds on Level 1 and is considered intermediate cyber hygiene.
Whereas Level 1 focuses only on performing basic cybersecurity practices, Level 2 requires organizations to establish policies and document their practices, so that activities are repeatable rather than ad hoc, and to look for ways to improve them. Another difference is that this level begins to address protecting CUI rather than just FCI. In all, CMMC Level 2 has a total of 72 practices, including the 17 from Level 1. The practices are grouped into 15 of the 17 domains.
You won’t often see defense contracts that require Level 2 certification. That’s because Level 2 essentially functions as a bridge from Level 1 to Level 3. If an organization’s goal is to reach Level 3 certification, they need to ensure their practices are in line with Level 2 requirements first.
Level 3
Level 3 is considered good cyber hygiene, so it's an important step in the CMMC program. In all, Level 3 entails 130 practices spread across all 17 domains.
Compared to Levels 1 and 2, Level 3 places a new emphasis on proactively planning for how you will implement and maintain your cybersecurity policies and practices. This means you must have policies in place, but you also need a documented and resourced plan for carrying them out, and you need to actively monitor your organization's adherence to those policies.
While Level 3 is considered good cyber hygiene, it still sits in the middle of the CMMC tiered program, so it is limited compared to the two levels that come after it. For many contractors, Level 3 certification is enough to provide reasonable CUI security. However, this level may not prepare an organization to defend itself adequately against advanced persistent threats (APTs); that is the focus of Levels 4 and 5.
Level 4
Organizations certified at CMMC Level 4 have a proactive cybersecurity program in place. This is a definitive step up from the good cyber hygiene of Level 3.
Level 4 includes 156 practices. Most of the practices added at this level come from five existing frameworks: the CERT Resilience Management Model (CERT-RMM) v1.2 from Carnegie Mellon University's Software Engineering Institute, NIST SP 800-53, the draft NIST SP 800-171B (since published as NIST SP 800-172), the International Organization for Standardization's ISO/IEC 27002 and the Center for Internet Security Critical Security Controls (CIS CSC) v7.1. The remaining ones are unique to CMMC.
Level 4 goes beyond protecting against standard threats by safeguarding CUI against APTs more effectively. Organizations must review their practices and evaluate how effective they are. When employees detect a potential problem, they must inform their superiors and take action to correct the issue. This ongoing monitoring and correcting allow organizations to adapt to changing tactics, techniques and procedures (TTPs) that adversaries may use.
Level 5
Level 5 is the most mature stage of the program and is considered advanced and progressive. This level contains a total of 171 practices, grouped across the 17 domains. Like Level 4, Level 5 focuses on protecting against APTs. However, this final tier raises the level of vigilance an organization must maintain.
Whereas previous levels focus on implementing and reviewing cybersecurity processes, Level 5 emphasizes the need to optimize these procedures and continually guard against potential threats. Since this year’s threats can differ from last year’s, this means routinely reevaluating practices using the latest threat intelligence. Level 5 also confirms that an organization maintains security hygiene consistently across the board.
When Will Certification Be Enforced?
The short answer is that CMMC certification (as of this writing) is still being mapped out. Of course, there is no one-size-fits-all CMMC certification — the conditions for certification will always specify a particular level in the program.
The DoD released version 1.0 of CMMC on January 31, 2020. Since then, these requirements have taken on a more prominent role. In September 2020, the DoD published an interim DFARS rule that begins phasing CMMC requirements into solicitations, and it has encouraged contractors to implement the applicable measures so they can achieve the appropriate level of CMMC certification as a prerequisite for bidding on Requests for Proposal (RFPs). The intent is that a contractor holding the required CMMC certification has already demonstrated it can meet the security requirements of the contract, rather than promising to meet them after award.
CMMC vs. NIST 800-171
NIST SP 800-171 shares similarities with CMMC in that it lays out requirements for contractors regarding the way they handle and protect CUI. The Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012 requires contractors and subcontractors to provide "adequate security" for covered defense information, and it points to NIST SP 800-171 as the definition of what constitutes adequate security.
How does NIST SP 800-171 differ from CMMC? Unlike CMMC, NIST SP 800-171 is not a tiered program with different certification levels. Instead, it consists of 110 security requirements that apply in full to every organization handling CUI. It was also not designed for third-party certification. Instead, organizations self-assess to determine their compliance with these requirements.
CMMC incorporates all 110 NIST SP 800-171 requirements in its lower levels: Levels 1 through 3 together cover every 800-171 requirement, and Level 3 adds 20 further practices on top of them. CMMC also contains requirements sourced from other standards related to cyber defense. This makes CMMC a more comprehensive set of practices and processes to aid contractors in developing effective cybersecurity protocols.
Currently, NIST SP 800-171 remains in effect as the DoD and the DIB transition to CMMC as the prevailing method of ensuring adequate cybersecurity, so NIST SP 800-171 compliance is still important. As of December 2020, the new requirement for DIB organizations is to submit a NIST SP 800-171 DoD Assessment score to the DoD's Supplier Performance Risk System (SPRS) database. CMMC will take over as more contracts specify CMMC levels. Eventually, CMMC will completely eclipse NIST SP 800-171.
How to Prepare for CMMC
Contractors should begin preparing to achieve at least CMMC Level 1. How can your organization begin these preparations? If you're familiar with NIST SP 800-171 and DFARS 252.204-7012, they are an excellent place to start. Assess your current security operations and determine how compliant they are with these requirements. Look for areas of noncompliance so you know what gaps your organization needs to close. Create an SSP and a POA&M to document how you implement each security requirement and how and when you will remediate the ones you do not yet meet.
Any subcontractors in your supply chain must also adhere to cybersecurity protocols, because a prime contractor's certification does not cover the systems of the subcontractors that handle its FCI or CUI. Consulting with a company that can help you optimize your supply chain is a helpful way to make sure there are no weak links in the chain. A consultant such as NTS Unitek can also help you ensure your organization has achieved the proper level of cyber hygiene before you undergo an assessment.
By employing NTS Unitek as a consulting solution, you benefit from services that help you improve your efficiency, cost savings and quality assurance processes. If you are struggling to improve productivity levels, meet current CMMC requirements or control supply chain activities, we can conduct those tasks for you so you’ll have more time to focus on your organization’s core competencies.
Finally, you'll need to engage an accredited C3PAO (such as NTS Unitek's sister organization NQA), that is, an assessment organization accredited by the CMMC Accreditation Body (CMMC-AB) to assess and certify contractors. This way, you can demonstrate your CMMC certification when you bid on a contract that specifies a minimum CMMC level.
Consulting Services From NTS Unitek
How is your organization’s cyber hygiene? Now is the time to begin preparing for CMMC compliance. The next RFP you see may specify that contractors need CMMC Level 1 compliance to put in a bid.
Reevaluating your cybersecurity practices is critical, and it’s an excellent opportunity to analyze your processes more broadly. NTS Unitek can help your organization prepare for certification and optimize your supply chain. We are a Performance Management Supply Chain Services Company with proven results. Our experts have over 45 years of experience helping contractors in the DIB mitigate risk, comply with prescribed standards and improve their policies and procedures.
Contact us to learn more about how we can help you work toward CMMC certification.