The announcement of the Cybersecurity Maturity Model Certification (CMMC) from the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD) states that the OUSD recognizes:
That security is foundational to acquisition and should not be traded along with cost, schedule, and performance moving forward. The Department is committed to working with the Defense Industrial Base (DIB) sector to enhance the protection of controlled unclassified information (CUI) within the supply chain.
You may be asking, “Why is the CMMC being created?”
Per the OUSD, the DoD is planning to migrate to the new CMMC framework in order to assess and enhance the cybersecurity posture of the Defense Industrial Base (DIB). The CMMC is intended to serve as a verification mechanism to ensure appropriate levels of cybersecurity controls and processes are adequate and in place to protect controlled unclassified information (CUI) that resides on the Department’s industry partners’ networks.
That is a mouthful. Here are some of the key takeaways:
As more information is released about how the CMMC process might look, what has been presented thus far looks pretty straightforward.
Per the OUSD:
CMMC levels will range from basic hygiene to “State-of-the-Art” and will also capture both security control and the institutionalization of processes that enhance cybersecurity for DIB companies.
The required CMMC level (notionally between 1 – 5) for a specific contract will be contained in the RFP sections L & M, and will be a “go/no-go decision”.
As many expected, a contractor’s CMMC Level will be measured by how many NIST SP 800-171 (rev 2) and NIST SP 800-172 controls are implemented. In addition, a few other practices and processes will also be required.
In short, the more controls you have implemented (with proof!), the higher your CMMC Level certification goes.
Based on what has been presented, here are what the CMMC Levels will consist of:
CMMC Level 1 | Basic Cyber Hygiene
CMMC Level 2 | Intermediate Cyber Hygiene
CMMC Level 3 | Good Cyber Hygiene
CMMC Level 4 | Proactive
CMMC Level 5 | Advanced/Progressive
CMMC Model Version 1.02, released in March of 2020, will be in document form with clarifications for Levels 1-5.
*CMMC 1.0 is built upon existing requirements of DFARS 252.204-7012: DIB SCC TF WG Top 10, NIST Cybersecurity Framework 1.1, ISO 27001:2013, AIA NAS 9933, CIS Critical Security Controls 7.1, CERT Resilience Management Model®, Additional DIB Inputs, and Subject Matter Experts.
The key takeaway here is that regardless of how the CMMC Levels look, contractors will need to prove their implementation of security controls in order to be awarded DoD contracts.
Many of these controls were supposed to be implemented by contractors who handle Controlled Unclassified Information (CUI) by December 31, 2017.
Over two years ago!
Contractors who are able to prove their implementation plan has reached adequate security now have a competitive advantage over other contractors.
Before getting any further into the Cybersecurity Maturity Model Certification, here is some background for a better understanding of DFARS and NIST SP 800-171.
It is clear the DoD is taking the process of securing the Defense Industrial Base (DIB) even more seriously than they already were.
Implementation can be challenging for small-to-medium size businesses. That said, it doesn’t have to be.
Subject matter expertise is not only needed, it should be embraced.
Remember what is really at stake and why DFARS and the CMMC exist:
Our national security.
Hackers with malicious intent, potentially against the United States of America, want (and are getting) data on our defense systems.
DFARS, NIST SP 800-171 and the CMMC should be accomplishments that any contractor doing business with the DoD is proud of.
Collaborating with a company that has NIST subject matter expertise validates that security controls are implemented correctly and efficiently.
Naturally, when cybersecurity is combined with the magnitude of something like the Cybersecurity Maturity Model Certification, there will be questions.
More questions will come, while some are still not answered. For now, you can find a lengthy list of frequently asked questions on the OUSD website.
We pulled out some of the more critical questions every contractor of the DoD will want the answers to.
When will the first CMMC Framework be released to the public?
Version 1.0 of the CMMC framework was made available in January 2020 to support training requirements. In late 2020, industry should begin to see the CMMC requirements as part of Requests for Information.
What is the relationship between NIST SP 800-171 rev 1 and CMMC?
The intent of the CMMC is to combine various cybersecurity control standards such as NIST SP 800-171, NIST SP 800-53, ISO 27001, ISO 27032, AIA NAS9933, and others into one unified standard for cybersecurity. In addition to cybersecurity control standards, the CMMC will also measure the maturity of a company’s institutionalization of cybersecurity practices and processes.
How will CMMC be different than NIST SP 800-171?
Unlike NIST SP 800-171, CMMC will implement multiple levels of cybersecurity. In addition to assessing the maturity of a company’s implementation of cybersecurity controls, the CMMC will also assess the company’s maturity/institutionalization of cybersecurity practices and processes.
How can organizations become certified?
Your organization will coordinate directly with an accredited and independent third party commercial certification organization to request and schedule your CMMC assessment. Your company will specify the level of the certification requested based on your company’s specific business requirements. Your company will be awarded certification at the appropriate CMMC level upon demonstrating the appropriate maturity in capabilities and organizational maturity to the satisfaction of the assessor and certifying organizations.
How much will CMMC certification cost?
The certification cost has not yet been determined. The cost, and associated assessment, will likely scale with the level requested.
Will there be a self-certification?
How do I request a certification assessment?
We expect that there will be a number of companies providing 3rd party CMMC assessment and certification.
Who will perform the assessments?
An independent 3rd party assessment organization will normally perform the assessment. Some of the higher-level assessments may be performed by organic DoD assessors within the Services, the Defense Contract Management Agency (DCMA) or the Defense Counterintelligence and Security Agency (DCSA).
How often does my organization need to be reassessed?
The duration of certification is still under consideration.
If my organization is certified CMMC and I am compromised, do I lose my certification?
You will not lose your certification. However, depending on the circumstances of the compromise and the direction of the government program manager, you may be required to be re-certified.
What if my organization cannot afford to be certified? Does that mean my organization can no longer work on DoD contracts?
The cost of certification will be considered an allowable, reimbursable cost and will not be prohibitive. For contracts that require CMMC you may be disqualified from participating if your organization is not certified.
My organization does not handle Controlled Unclassified Information (CUI). Do I have to be certified anyway?
Yes. All companies conducting business with the DoD must be certified. The level of certification required depends upon the CUI a company handles or processes.
How will I know what CMMC level is required for a contract?
The government will determine the appropriate tier (i.e. not everything requires the highest level) for the contracts they administer. The required CMMC level will be contained in sections L & M of the Request for Proposals (RFP) making cybersecurity an “allowable cost” in DoD contracts.
The problem today, as we see it, is not compliance; it is implementation.
Malicious hackers do not care whether you are compliant; they care whether you have NOT actually implemented the controls. That means they can more easily access your CUI!
Fortunately for contractors of the DoD (big or small), Beryllium InfoSec Collaborative has worked strategically with industry leaders in both security and information technology, to develop a solution.
Every SMB faces the same challenges with cybersecurity implementations:
With CUICK TRAC, contractors can achieve the maturity of Cybersecurity Maturity Model Certification Level 3 implementation (as it is currently laid out) in weeks, not months, so they are prepared for their audit from a C3PAO.
No additional hardware, software, or technology is required. Be in a position to pass your CMMC certification once the assessment guides are released by utilizing CUICK TRAC’s NIST 800-171 compliant enclave.
Regardless of where a contractor is in the process of DFARS 252.204-7012 compliance/implementation of NIST SP 800-171, CUICK TRAC is the solution to getting there faster and for less.