What is CMMC? A Beginner’s Guide

March 23, 2021

Integris has seen a sharp uptick in people requesting immediate support regarding the Department of Defense's Cybersecurity Maturity Model Certification (CMMC).

We felt it would be helpful to put together a brief beginner's guide so that our readers can better understand a certification that will change how they do business if they are part of the United States Department of Defense's supply chain.

What is CMMC?

CMMC is an auditable security standard designed to ensure that contractors in the DoD's supply chain protect the controlled unclassified information (CUI) entrusted to them by operating secure information systems.

The certification was developed in-house by the DoD with input from universities, federally funded research centers, and the defense contractor industry.

The first version, CMMC 1.0, was released by the DoD on January 31, 2020, and revised to version 1.02 in March 2020. In November 2021 the DoD announced CMMC 2.0, which streamlines the original five levels into three and aligns them directly with existing federal requirements (FAR 52.204-21 and NIST SP 800-171).

Essentially, your company must be assessed on its level of cyber maturity (a self-assessment at Level 1, and in most cases an independent third-party or government assessment at Levels 2 and 3) and must demonstrate the level (1 through 3, with 3 the highest) that a contract requires in order to bid on it or to support a prime contractor as a subcontractor.

CMMC's main aim is to keep defense contractors from being breached, since a breach can put sensitive defense information into the hands of U.S. adversaries.

Why was CMMC Implemented?

In the past, defense contractors only had to self-attest to the security of their environment. Unsurprisingly, the DoD realized over time that many contractors were overestimating their cybersecurity posture and that the self-attestation model was not working; as a result, the DoD's own security was only as strong as its weakest supply-chain partner.

What Tools do I Need for CMMC Implementation?

CMMC is a maturity model, not a tool or a checkbox compliance exercise. This means you need policies and procedures in place, and you need to execute them with tools, training, resource allocation and ongoing compliance work so that you can demonstrate sustained cybersecurity maturity across the company.

Because of the way CMMC is designed, doing these things well will leave your company substantially more secure than it was, not merely certified.

What Does CMMC Implementation Entail?

The original CMMC 1.0 model defined five levels of certification:

  1. Basic Cyber Hygiene
  2. Intermediate Cyber Hygiene
  3. Good Cyber Hygiene
  4. Proactive Cybersecurity
  5. Advanced/Progressive Cybersecurity

Each level specified a cumulative set of practices (17 at Level 1, rising to 171 at Level 5), and every level above Level 1 also required process maturity, meaning the practices had to be documented and managed rather than merely performed. CMMC 2.0, announced in November 2021, consolidates these into three levels (Foundational, Advanced and Expert), described in the levels section below. How a given practice is implemented (which tools, which configurations) can vary greatly from contractor to contractor, but the practices themselves are fixed by the level.

Security control families include:

  • Access Control
  • Awareness and Training
  • Audit and Accountability
  • Configuration Management
  • Identification and Authentication
  • Incident Response
  • Maintenance
  • Media Protection
  • Personnel Security
  • Physical Protection
  • Risk Assessment
  • System and Communications Protection
  • System and Information Integrity
  • And more…

As mentioned above, the previous self-attestation model had failed, so after implementing the required practices and processes, a contractor must undergo a third-party assessment to verify compliance and obtain certification (Level 1, and a subset of Level 2 contracts, accept an annual self-assessment under CMMC 2.0).

Those third-party organizations are referred to as CMMC Third Party Assessment Organizations (C3PAOs). They must themselves meet several DoD requirements, including conformance with ISO/IEC 17020.

Only authorized and accredited C3PAOs listed on the CMMC-AB Marketplace are able to conduct CMMC assessments. A certificate is valid for up to three years after it is obtained.

What are the Levels of CMMC Compliance?

Level 1 (Foundational): A company must perform the 17 basic safeguarding practices drawn from FAR 52.204-21, such as limiting system access to authorized users, keeping anti-malware protection updated, and sanitizing or destroying media before disposal. Level 1 protects Federal Contract Information (FCI) and, under CMMC 2.0, is verified by an annual self-assessment rather than a third-party audit.

Note: It is important to remember that FCI is not intended for public release. It is information provided by or generated for the Government under a contract to develop or deliver a product or service to the Government.

Level 2 (Advanced): Required if you store, process or transmit CUI (Controlled Unclassified Information) on your network. A company must have an institutionalized management plan for implementing all 110 security requirements of the Department of Commerce's National Institute of Standards and Technology (NIST) Special Publication 800-171 Revision 2, and must be able to show that its policies and procedures are followed consistently over time, not just on the day of the assessment. This is the level most contractors that handle CUI will fall into and should be the level your company strives for. Under CMMC 2.0, Level 2 contracts involving information critical to national security require a C3PAO assessment every three years, while a subset of Level 2 contracts allow an annual self-assessment.

Level 3 (Expert): Reserved for contractors supporting the DoD's highest-priority programs. A company must meet every Level 2 requirement plus a subset of the enhanced requirements in NIST SP 800-172, which provide more sophisticated capabilities to detect and respond to the changing tactics, techniques and procedures of advanced persistent threats (APTs). It must also have a process to review and measure the effectiveness of its practices, with standardized and optimized processes established across the organization. Level 3 assessments are led by the government rather than by a C3PAO.

What is the Path to CMMC Compliance?

This is not as hard as you might think. You need to:

  1. Be assessed at Level 1: this means proving that you are already doing the things you said you were doing under the DFARS (Defense Federal Acquisition Regulation Supplement) clauses in your existing contracts. We recommend getting Level 1 done quickly, and then;
  2. Build toward Level 2 by adding the policies, procedures and remaining NIST SP 800-171 controls, and collecting the evidence that they are actually operating; and then
  3. Obtain Level 2 certification if you handle CUI. Remember, you only need to show the level of compliance that the contract requires, and you can scope the assessment to make it easier to comply with: for example, by confining CUI to a segmented enclave so that only the systems that store, process or transmit CUI are in scope.

How Much does CMMC Compliance Cost?

It is hard to tell currently, but the military is allocating funds to the prime contractors to help pay for this. We encourage you to ask your primes about funds they may be able to make available to implement this security.

Certified third-party organizations (C3PAOs) are responsible for conducting CMMC assessments of contractors' unclassified networks. They perform the certification assessments, but a C3PAO cannot both advise a company on how to reach a level and then assess that same company, because of conflict-of-interest rules.

Registered Provider Organizations (RPOs) are consultancies registered with the CMMC-AB that help companies prepare for a certified assessor to come; they do not issue certifications.

The process of accreditation through CMMC is likely to take a while, at least until the CMMC-AB accredits more C3PAOs. Currently there are very few C3PAOs, and they must assess over 300,000 companies by 2025, so the process is likely to take time.

For now, we recommend that contractors familiarize themselves with the requirements for CMMC, starting at Level 1 and working upward. Don't think of CMMC as a one-time check: to maintain compliance, organizations will need to treat cybersecurity as part of their operational function going forward.

Right now, it looks like a CMMC certification will be valid for three years. Documentation is not security, but documenting institutional cybersecurity knowledge makes longevity much easier. When key personnel leave an organization, security does not have to deteriorate with them, and the documented justification for each control keeps the program moving forward.

Do I Really Need to be CMMC Compliant?

If you do not sell to the military or sell to a prime contractor who sells to the military, you might not need to be CMMC compliant. Additionally, if you sell COTS (Commercial Off the Shelf) products to the military, you might not need to be CMMC compliant either.

COTS is a special case in that if you modify the COTS product before the military receives it, the modification likely removes the product from COTS designation, and it falls back under CMMC.

Additionally, if you hold information about your contracts on your network, you will fall under CMMC Level 1 anyway, because that information is FCI. Even quantity changes on an order, which might tip off a hostile nation-state about staffing changes at a military base, may qualify as CUI (Controlled Unclassified Information), meaning you would need CMMC Level 2 to continue selling to the military.

If You’re a Defense Contractor, What Steps Should You Take to Achieve CMMC?

The Department of Defense has set up a helpful CMMC FAQ page on its website. It includes some of the information I've shared here as well as more specific information that may be helpful.

There are 26 questions, and we suggest reading through them if you're looking for a bit more clarity.

Is Integris a C3PAO?

No. We are not. But we can help an organization achieve CMMC by partnering with them to implement the practices and procedures necessary to achieve the certification.

Authorized and accredited C3PAOs are responsible for conducting the CMMC assessments of Defense Industrial Base (DIB) companies’ unclassified networks and then issuing the appropriate CMMC certification based on those results.

Authorized C3PAOs must meet DoD requirements as well as a subset of ISO/IEC 17020 (Conformity assessment: Requirements for the operation of various types of bodies performing inspection). The CMMC-AB can authorize a C3PAO to conduct CMMC assessments before it achieves accreditation. An accredited C3PAO must meet all DoD requirements and achieve full conformance with ISO/IEC 17020.
