The Cybersecurity Maturity Model Certification (CMMC) is becoming essential for any contractors that want to do work for the U.S. Department of Defense (DoD). CMMC requirements will begin to appear in DoD contracts in the near future and will be part of all such contracts by 2025. Contractors need to start their journey towards obtaining CMMC now to ensure they’re eligible for future DoD contracts.
CMMC is a unified standard for cybersecurity practices across the entire defense industrial base (DIB), a supply chain with over 300,000 contractors. All of these contractors will need to comply with CMMC at some point, making this process a huge undertaking for many. Contractors that process sensitive DoD information are currently responsible for implementing, monitoring and certifying their own security standards prior to CMMC certifications becoming available.
The Defense Federal Acquisition Regulation Supplement (DFARS) covers many of the standards for protecting Controlled Unclassified Information (CUI) and has been in place since 2016. DoD contractors and subcontractors must comply with DFARS requirements, which is comparatively less difficult to accomplish because a Plan of Actions and Milestones (POA&M) is allowed. These requirements include protocols to protect CUI and report security events.
CMMC is similar to DFARS in many ways, except that CMMC has multiple maturity levels and must reach that compliance level in order to receive a certification from a CMMC Third-Party Assessor Organization (C3PAO). DFARS, on the other hand, allows for the self-assessment of a contractor's cybersecurity compliance posture.
A third-party CMMC certification assessment ensures that a contractor has implemented the controls needed to protect sensitive information. These controls must be able to respond to today’s rapidly evolving security threats. CMMC will eventually replace DFARS completely on DoD contracts, although the DoD is still ironing out the details. This post provides an overview of CMMC and outlines the steps needed to achieve the desired CMMC maturity level.
Schedule a free consultation or demo with Beryllium InfoSec Collaborative if you need to be DFARS 252.204-7012 compliant. We can help you avoid fines or the loss of a contract by showing you how to implement all NIST 800-171 controls. Call us at 763-546-8354 or contact us online today.
The CMMC Accreditation Body (CMMC-AB) is in charge of developing the procedures needed to certify Third-Party Assessor Organizations (CP3AOs). These organizations will provide assessors who evaluate the CMMC compliance levels of contractors who wish to do business with the DoD. The CMMC-AB will also create and maintain a CMMC Marketplace where contractors can locate an accredited C3PAO in their area and schedule a CMMC assessment. The specific assessment that the CP3AO performs depends on the CMMC maturity level that the requesting contractor wants to achieve, based on the type of data they store, process and transport.
CMMC has five maturity levels as follows:
These maturity levels are hierarchical such that Level 1 provides the lowest level of security, while Level 5 provides the highest. The requirements for each higher level include all the requirements of the ones immediately below it. For example, achieving Level 3 compliance means that a contractor must meet all the Level 1 & 2 requirements, in addition to the requirements that are new for Level 3.
CMMC Level 1 focuses on the protection of Federal Contract Information (FCI), which is information not intended for public release that’s provided or generated for the government as part of a contract. It includes information that’s part of a product or service for the government but doesn’t include transactional information needed to process payments. FCI also excludes information that the government publishes on public sources such as a public website.
Contractors at CMMC certification Level 1 must perform the 17 basic security practices required in FAR 52.204-21, such as using antivirus (AV) software and training employees on safe passwords. Current DoD contractors should already be meeting the requirements for FAR, and thereby already be in compliance with CMMC Level 1, without changing any of their practices, because this clause has been in many DoD contractors for years Level 1 will typically serve as a contractor’s starting point in their journey towards the CMMC level they require, especially in the case of companies contracting with the DoD for the first time.
The 55 new requirements for CMMC Level 2 generally consist of emerging practices that will typically require some preparation on the part of DoD contractors. CMMC Level 2 requirements are a subset of NIST SP 800-171. This level is generally intended as an intermediate step to CMMC Level 3, rather than a maturity level that contractors will have permanently. Its primary purpose is to ensure contractors have these practices in place before receiving their assessment for CMMC Level 3.
This level includes the use of a high sensitivity category of information called Controlled Unclassified Information (CUI), which is information the federal government creates or possesses, or that another organization creates or possesses for the government. A government-wide law, policy or regulation must also permit or require the government to handle this information with safeguards and dissemination controls for the information to qualify as CUI. This level requires thorough documentation of its protocols, which an accredited assessor must certify.
CMMC Level 3 maturity adds 58 new security procedures and protocols, bringing the cumulative total to 130 in Levels 1, 2 and 3. This level encompasses the requirements specified in NIST SP 800-171, which mostly deal with the protection of CUI. CMMC Level 3 also includes practices from other standards that mitigate security threats. All DoD contractors who handle CUI will eventually need this level, although the DoD hasn’t yet provided a specific date for this requirement.
Notable examples of the new requirements for CMMC Level 3 include the use of authorization and encryption protocols to protect wireless access and control these connections. It also requires encryption to ensure the confidentiality of remote access sessions. The authorization of privileged commands executed remotely is also a requirement for this maturity level.
CMMC Level 4 requires contractors to implement a total of 156 security policies, including 26 that are new for this maturity level. This will likely be the minimum level that primary DoD contractors need based on current information, as apposed to sub-contractors further down the supply chain.
These contractors must be able to identify security threats and respond to them proactively. They also need to handle advanced persistent threats (APTs), which come from attackers with the expertise and resources needed to launch an attack from multiple vectors. In particular, contractors with CMMC Level 4 must be prepared to deal with threats from attacks sponsored by other governments. They must also be able to measure the effectiveness of their security measures for remediation purposes.
CMMC Level 5 focuses on the protection of classified information from APTs, including Confidential, Secret, and Top Secret information. It has a total of 171 requirements, such that the 15 new requirements increase the sophistication of the contractor’s security policies and procedures compared to the Level 4 maturity level. The new requirements primarily deal with improving a contractor's incident response to continually evolving security threats rather than the implementation of new technology.
Identifying the data that’s subject to CMMC is one of the first steps in preparing for a CMMC assessment. An organization can quickly begin to estimate the effort this process will require by answering the following five questions:
CUI and FCI are closely related types of government information, but it’s essential to understand their differences when obtaining CMMC.
CUI is any information that a government agency creates or possesses. It requires safeguards for a contractor to access, which may take various forms such as a law, permit, policy or regulation. CUI may be further categorized into two types based on the strength of the safeguards required to protect them, which consist of CUI Basic and CUI Specified.
CUI Basic still requires protection, but the government doesn’t specify the exact methods of doing so. CUI Specified must be protected by specific safeguarding methods provided by the government. Neither type of information is possessed by a non-executive branch of the government unless an executive agency created, uses or possesses that information.
FCI is generally any information given to or generated by a contractor that’s associated with the delivery of a product or service to the government through a contract. However, it excludes information that the government has released to the public and transactional information needed for payment purposes.
The Committee on National Security Systems Instruction (CNSSI) further specifies in FAR 4.1901 that FCI includes any “any communication or representation of knowledge such as facts, data, or opinions in any medium or form, including textual, numerical, graphic, cartographic, narrative, or audiovisual.”
A contractor’s site probably has CUI if it is a prime contractor on a DoD contract or a supplier on such a contract.
Applying the controls needed for CMMC is easier when the CUI is isolated to a specific set of applications. The effort required for this process generally becomes more expensive and time-consuming as the number of applications that process, store or transmit CUI increases. However, it may still be less burdensome to apply CMMC controls broadly than to consolidate the CUI.
CUI requires controls to monitor, protect and audit it, although the mere fact that CUI is isolated to a particular set of systems doesn't guarantee control. The assessor must consider factors such as infrastructure, network, physical location and authentication procedures to ensure that only authorized users can access the CUI.
Many CMMC security controls focus on good IT practices that are specifically related to the protection of CUI. This includes regular backups and OS upgrades, especially those that hatch security vulnerabilities. The installation and regular use of AV software is also a standard IP practice.
The NIST Guide for Developing Security Plans for Federal Information Systems defines the scope for the purpose of obtaining CMMC. This document describes scope as the degree to which CUI affects the implementation of security controls in an information system. Considerations in this determination include infrastructure, technology, scalability, risk management, and public access to the system containing CUI.
Contractors who have previously performed work for the DOD will already have experience with data protection requirements, particularly NIST SP 800-171. However, there are also additional security standards that DoD contractors may already be most familiar with such as the Federal Information Security Modernization Act (FISMA) and ISO 27001. The security requirements in these standards often overlap with those of CMMC, especially for its lower maturity levels.
NIST 800-171 is highly relevant for CMMC compliance because it was one of the foundations of the CMMC framework. As a result of the close relationship between these two standards, a contractor is already compliant with CMMC Level 1 and Level 2 if it's compliant with NIST 800-171. CMMC contains all 110 security controls in NIST 800-171, although higher maturity levels also include additional controls.
A thorough review of the CMMC assessment guides and their appendices should be one of the first steps towards CMMC compliance, as these documents have remained quite consistent throughout their development. Specific items to study include the definition and intent of each control. Contractors should also ensure they understand the differences between the five CMMC maturity levels, including their purpose, controls, and the practices that a C3PAO will evaluate during its assessment.
The great majority of DoD contractors will need CMMC Level 1 or Level 3 at this time. An initial review of the CMMC guidelines should therefore focus on which of these two levels a contractor currently possesses and which one they will need to achieve in order to continue working on their existing contracts.
To review, CMMC Level 1 requires no maturity capabilities at all, although it does require 17 controls. In comparison, CMMC Level 3 has three maturity capability requirements and 113 additional controls for a total of 130. CMMC Level 2 generally won't be a maturity level for contractors to achieve for its own sake, as it's considered a stepping stone from Level 1 to Level 3. CMMC also provides guidance on the process for transitioning from Level 1 to Level 3. Details on achieving maturity Levels 4 and 5 aren't currently available.
A gap assessment against the assessment objectives within the assessment guides and NIST 800-171A identifies the areas in which an organization's security posture fails to meet the requirements of a particular standard. A contractor that's already working for the DoD will typically want to begin this process with an NIST 800-171 gap assessment to ensure it has implemented all of these controls.
The next step should be to perform a CMMC gap analysis for the desired maturity level to identify new controls that the contractor hasn’t implemented yet. Both of these assessments are performed by the contractors themselves before the formal assessment by the C3PAO.
A System Security Plan is a document that describes how an organization meets the security requirements for a system or how an organization plans to meet the requirements. In particular, the system security plan describes the system boundary; the environment in which the system operates; how the security requirements are implemented; and the relationships with or connections to other systems.
A POAM is a plan that develops the specific measures a member of the DIB must take to correct the deficiencies identified in the CMMC or NIST 800-171 gap assessment. It should identify specific tasks to perform, and the resources needed to complete them. Noncompliance with NIST 800-171 was acceptable, provided the contractor prepared a POAM to correct deficiencies. However, that won’t be the case under CMMC, since it requires an assessment from a third party. Non-compliance now means no more contract awards.
A C3PAO must perform the assessment that will assign a particular CMMC maturity level to each contracting organization. Prior to that assessment, it’s highly recommended that contractors work with trusted and experienced vendors to prepare correctly. This trusted vendor will be a partner in this process rather than just a third-party auditor, making it crucial to find one with the right qualifications.
Many of the additional certifications that a contractor will require before winning a contract will interact with CMMC in some way, so a long-term partnership with both a C3PAO and trusted subject matter expert vendors, are essential for developing the best strategy for achieving CMMC compliance. For example, streamlining a contractor's audit process is also one of the first steps a C3PAO performs to prepare the contractor for an audit.
The best C3PAOs are already taking various actions to become CMMC experts, even though the final rule on CMMC isn’t scheduled to be published until later in 2021. Attending CMMC-AB town halls is one of the most important ways for these organizations to remain informed on this evolving process. These events can help ensure that a C3PAO can effectively guide contractors through the journey of obtaining CMMC.
Getting started with CMMC may seem daunting since it’s such a new framework with many unanswered questions. However, a CMMC compliance checklist can help identify the controls that an organization still needs to implement.
Beryllium helps contractors start their CMMC compliance journey by meeting the requirements for processing, storing, and transmitting CUI. Cuick trac™ assists in this process by implementing the 110 NIST 800-171 controls that CMMC Level 3 compliance requires. Click here to learn more about why DoD contractors trust our CMMC compliance services.