1. What is CMMC?
CMMC stands for “Cybersecurity Maturity Model Certification”, a new level of certification of your company’s cybersecurity efforts that the Department of Defense is requiring for all contractors selling to the military by 2025.
Essentially, your company must be audited by a third party on your level of cyber maturity, and you must show a level of maturity (1-5, with 5 being the highest level) in order to bid on contracts or to support the prime contractors as a subcontractor.
CMMC’s main aim is to ensure that defense contractors don’t get hacked, which might result in the loss of sensitive defense information which could fall into the hands of U.S. adversaries.
2. What Tools Do I Need for CMMC?
CMMC is a maturity model, not a tools or checkbox compliance model. What this means is that you need to have policies and procedures in place, and to execute on those policies and procedures with tools, training, resource allocation and compliance efforts, in order to show that you have cybersecurity maturity in your company.
Because of the way CMMC is designed, if you do these things, your company will be very secure.
3. Do I really need to be CMMC Compliant?
Possibly not. If you do not sell to the military, or sell to a prime contractor who sells to the military, you might not need to be CMMC compliant. Additionally, if you sell COTS (Commercial Off the Shelf) products to the military, you might not need to be CMMC compliant either. COTS is a special case in that if you modify the COTS product before the military receives it, the modification likely removes the product from COTS designation, and it falls back under CMMC.
Additionally, if you hold information about the contracts on your network, you will fall under CMMC level 1 anyway. Even quantity changes on an order which might tip off a bad nation state about staffing changes at a military base may fall under CUI (Controlled Unclassified Information) regulations, indicating you would need a CMMC level 3 to comply and continue selling to the military.
4. What is the path for getting to CMMC compliance?
This is not as hard as you might think. You need to:
- Be audited: This means proving that you are already doing the things you already said you were doing under the DFARS (Defense Federal Acquisition Regulations). In broad terms this would be a CMMC Level 1 audit. We recommend first getting CMMC Level 1 quickly, and then
- Moving up the chain to Level 2 (adding policies and procedures and a few controls), and then
- Level 3 if you need to handle CUI (additional controls and evidence of maturity and compliance). Remember, you only need to show the level of compliance that the contract requires, and you can scope it in a way that makes it easier to comply with.
5. Why is the government doing this?
In reality, people have not been very honest about their compliance, and the military needs to know the truth about whether they are compliant or not.
The official answer, however, is the one the DoD gives on its website: “The aggregate loss of Controlled Unclassified Information (CUI) from the DIB sector increases risk to national economic security and in turn, national security. In order to reduce this risk, the Department has continued to work with the DIB (Defense Industrial Base) sector to enhance its protection of CUI in its unclassified networks.”
CMMC was created as a response to the significant compromises of sensitive defense information located on contractors’ information systems. The United States Department of Defense (DoD) released the first Cybersecurity Maturity Model Certification on January 31st, 2020.
The hope is that the CMMC framework will be able to help the DoD assess and enhance the cybersecurity posture of the Defense Industrial Base sector. The CMMC will act as a verification mechanism to ensure that all DIB companies are using appropriate cybersecurity practices and processes to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) within their unclassified networks.
6. How much will all this cost?
It is hard to tell currently, but the military is allocating funds to the prime contractors to help pay for this. We encourage you to ask your primes about funds they may be able to make available to implement this security.
Certified third-party assessment organizations (C3PAOs) will be responsible for conducting the CMMC assessments of contractors’ unclassified networks. They will do the certifications, but cannot advise on how to reach these levels.
Registered Provider Organizations exist to assist C3PAOs and also to help companies prepare for a certified auditor to come.
The process of accreditation through CMMC is likely to take a while, at least until the CMMC-AB certifies more C3PAO organizations. Currently there are very few C3PAO organizations, and they must audit over 300,000 companies by 2025, so the process is likely to take time.
For now, we recommend that contractors familiarize themselves with the requirements for the CMMC, starting at level 1 and working upward. Don’t think of the CMMC as a one-time check, since in order to maintain compliance, organizations will need to be thinking about cybersecurity as part of their operational function going forward.
Right now, it looks like a CMMC certification will be valid for three years.
Documentation is not security, but when institutional cybersecurity knowledge is documented, longevity is much easier. For instance, when key personnel leave an organization, security can be kept from deteriorating. Documentation can provide the justification for the security practices in place and keep the ship moving forward.
7. When do I need to be Level 1 and when do I need to be Level 3?
We recommend you begin your Level 1 journey immediately. Getting to Level 1 quickly (whether certified or not) will keep your company safer and show your commitment to this process. A CMMC Level 1 audit is likely to be rather quick, and much cheaper than a Level 3 audit.
You will need to be Level 3 before you begin fulfilling any contract which designates that it requires Level 3 compliance, especially if you will store CUI on your network. If your prime can build a system where CUI is accessible to you at your location, but is not stored at your location, Level 3 may not be required, even if it is a Level 3 contract that you are a subcontractor on.
8. What will my audit be like?
At this point, in August of 2021, we have not seen enough audits to be able to answer this question yet. Check back here in the future. It is our intent to participate in some audits to find out what will be required, so we will be able to better prepare you for the audits to come.
9. Can the same people who help me get compliant be my auditors?
No. This is a bright line in the ethics regulations around the CMMC-AB (CMMC authorizing board): auditors cannot be implementers in the same company. They can be implementers in other companies, but not in ones they audit, and vice versa.
10. How long will this process take?
It will take a while. Likely, your cyber stance is not CMMC compliant currently, and as such, change is coming. We can make it palatable, however, since we have a few years to raise your cyber maturity. Just get Level 1 first, then add in Level 2, then prepare for Level 3, and you will be there before all the contracts require CMMC certification.
Does Every Company Get Judged the Same Way?
No, not really.
The CMMC-AB (advisory board) establishes five certification levels that were designed to reflect the maturity and reliability of a company’s cybersecurity infrastructure. This is done to safeguard sensitive government information on contractors’ information systems.
Each level is built on the one below it, so compliance with the lower-level requirements and the use of additional processes is needed to implement the cybersecurity-based practices. Here is an overview of the processes and practices of each level:
Level 1: A company must perform “basic cybersecurity practices” such as using antivirus software and ensuring employees change their passwords regularly. This should be done to protect Federal Contract Information (FCI).
Note: It is important to remember that FCI is not intended for public release or use. It is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government.
Level 2: Level 2 is an intermediate level between Level 1 and Level 3, where a company can establish good cyber hygiene but does not yet have the maturity to show the consistency over time which Level 3 requires. It has more controls and adds in policies and procedures, which prepare a company for an attempt at Level 3.
Level 3: Level 3 is the level you must be at if you intend to hold CUI (Controlled Unclassified Information) on your network. This is likely to be the category that the most contracts will fall into, and should be a level your company strives for.
There are 130 controls (processes to ensure procedures are being followed) with Level 3, plus a new category of plan, called a Resource Plan, which indicates in essence, who will be doing the work of each control.
In Level 3 a company must have an institutionalized management plan to put into effect good cybersecurity practices to safeguard CUI. This means using all of the security requirements in the United States Department of Commerce’s National Institute of Standards and Technology Special Publication 800-171 Revision 2, along with additional standards as needed.
Level 4: A company must have implemented a process to review and measure the effectiveness of the aforementioned practices. They must also establish additional enhanced practices to detect and respond to changing tactics and techniques of advanced persistent threats (APT).
What Is an APT?
An advanced persistent threat (APT) is defined as an adversary that possesses sophisticated levels of expertise and significant resources to create opportunities to achieve its objective (often to steal sensitive information) by using multiple attack vectors and strategies.
Level 5: A company must have standardized and optimized processes established across the organization along with additional enhanced practices that provide more sophisticated capabilities to detect and respond to advanced persistent threats.
Most contracts will be Level 3 and below, so these are the key ones to work for.
What Is the Path for Getting to CMMC Compliance?
Your business needs to certify that it is already taking the cybersecurity measures that it was supposed to be taking under the Defense Federal Acquisition Regulations (DFARS). Typically, this means that your business would need to be certified under CMMC Level 1.
Blue Jean Networks IT Specialists suggests that your business focus on getting CMMC Level 1 certification quickly, and then continue to make changes and advancements (by implementing new policies and procedures along with a few more controls) to make it up to Level 3 certification. Your business only needs to be able to prove it is certified at the level of compliance that is being required in the contract. For most businesses this will fall between Level 1 and Level 3.
What Is a CMMC Third Party Assessment Organization (C3PAO)?
Authorized and accredited C3PAOs are responsible for conducting the CMMC assessments of Defense Industrial Base (DIB) companies’ unclassified networks and then issuing the appropriate CMMC certification based on those results.
Authorized C3PAOs must meet DoD requirements as well as a subset of ISO/IEC 17020 (Conformity Assessment - Requirements). The CMMC-AB can authorize C3PAOs to conduct CMMC assessments before the C3PAO achieves accreditation. An accredited C3PAO must meet all DoD requirements and achieve full compliance with ISO/IEC 17020.
The process of accreditation through CMMC is likely to take a while, at least until the CMMC-AB certifies more C3PAO organizations. Currently, there are very few C3PAO organizations, and they must audit over 300,000 companies by 2025, so the process is likely to take time.
For now, our team recommends that contractors familiarize themselves with the requirements for the CMMC, starting at level 1 and working upward.
Don’t think of the CMMC as a one-time check. To maintain compliance, organizations will need to be thinking about cybersecurity as part of their operational function going forward.
How Often Will My Organization Need to Be Reassessed for CMMC Compliance?
A CMMC certification will be valid for three years before the company needs to be recertified.
Need Help Understanding CMMC Certification or Want More Information on How You Can Get Certified?
Blue Jean Networks has been DFW’s leading provider of IT services since our founding in 2008. We understand that new certifications and processes can be overwhelming, which is why we work with you to help create understanding while making sure your organization gets certified. Contact Blue Jean Networks today for information on CMMC or about how our team can help you get certified.