The announcement of the Cybersecurity Maturity Model Certification (CMMC) from the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD) states that the OUSD recognizes:
That security is foundational to acquisition and should not be traded along with cost, schedule, and performance moving forward. The Department is committed to working with the Defense Industrial Base (DIB) sector to enhance the protection of controlled unclassified information (CUI) within the supply chain.
You may be asking, “Why was the CMMC created?”
Per the OUSD, the DoD is migrating to the new CMMC framework in order to assess and enhance the cybersecurity posture of the Defense Industrial Base (DIB). The CMMC serves as a verification mechanism to ensure appropriate levels of cybersecurity controls and processes are adequate and in place to protect controlled unclassified information (CUI) that resides on the Department’s industry partners’ networks.
That is a mouthful. Here are some of the key takeaways:
Now that CMMC v1.02 is out, the five levels of CMMC look pretty straightforward.
Per the OUSD:
CMMC levels will range from basic hygiene to “State-of-the-Art” and will also capture both security control and the institutionalization of processes that enhance cybersecurity for DIB companies.
The required CMMC level (between 1 and 5) for a specific contract will be contained in the RFP sections L & M, and will be a “go/no-go decision”.
As many expected, a contractor’s CMMC Level will be measured by how many NIST SP 800-171 (rev 2) and NIST SP 800-172 controls are implemented. In addition, a few other practices and processes will also be required.
In short, the more you have implemented (with proof!), the higher your CMMC Level certification goes.
Based on CMMC v1.02, here is what the CMMC Levels consist of:
CMMC Level 1 | Basic Cyber Hygiene
CMMC Level 2 | Intermediate Cyber Hygiene
CMMC Level 3 | Good Cyber Hygiene
CMMC Level 4 | Proactive
CMMC Level 5 | Advanced/Progressive
CMMC Model Version 1.02, released in March of 2020, will be in document form with clarifications for Levels 1-5.
*CMMC 1.0 is built upon existing requirements of DFARS 252.204-7012: DIB SCC TF WG Top 10, NIST Cybersecurity Framework 1.1, ISO 27001:2013, AIA NAS 9933, CIS Critical Security Controls 7.1, CERT Resilience Management Model®, Additional DIB Inputs, and Subject Matter Experts.
Key takeaways here are that regardless of how the CMMC Levels look, contractors will need to prove their implementation of security controls in order to be awarded new DoD contracts.
Many of these controls were supposed to be implemented by contractors who handle Controlled Unclassified Information (CUI) by December 31, 2017.
Over three years ago!
Contractors who are able to prove their implementation plan has reached adequate security now have a competitive advantage over other contractors.
Before getting any further into the Cybersecurity Maturity Model Certification, here is some background for a better understanding of DFARS and NIST SP 800-171.
It is clear the DoD is taking the process of securing the Defense Industrial Base (DIB) even more seriously than they already were.
Implementation can be challenging for small-to-medium size businesses. That said, it doesn’t have to be.
Subject matter expertise is not only needed, it should be embraced.
Remember what is really at stake and why DFARS and the CMMC exist:
Our national security.
Hackers with malicious intent, potentially against the United States of America, want (and are getting) data on our defense systems.
DFARS, NIST SP 800-171 and the CMMC should be points of pride for any contractor doing business with the DoD.
When NIST SP 800-172 was announced, it showed that the path to compliance and full implementation is not always the same for everyone.
Collaborating with a company that has NIST subject matter expertise validates that security controls are implemented correctly and efficiently.
Naturally, when cybersecurity is combined with the magnitude of something like the Cybersecurity Maturity Model Certification, there will be questions.
More questions will come, while some are still not answered. For now, you can find a lengthy list of frequently asked questions from the OUSD.
We pulled out some of the more critical questions every contractor of the DoD will want the answers to. (Updated)
When will the first CMMC Framework be released to the public?
Version 1.02 of the CMMC framework was made available in March 2020 to support training requirements. In early 2021, industry should begin to see the CMMC requirements as part of Requests for Information as part of a pathfinder program.
What is the relationship between NIST SP 800-171 rev 2 and CMMC?
The intent of the CMMC is to combine various cybersecurity control standards such as NIST SP 800-171, NIST SP 800-53, ISO 27001, ISO 27032, AIA NAS9933, and others into one unified standard for cybersecurity. In addition to cybersecurity control standards, the CMMC also measures the maturity of a company’s institutionalization of cybersecurity practices and processes.
How will CMMC be different than NIST SP 800-171?
Unlike NIST SP 800-171, CMMC will implement multiple levels of cybersecurity. In addition to assessing the maturity of a company’s implementation of cybersecurity controls, the CMMC will also assess the company’s maturity/institutionalization of cybersecurity practices and processes. NIST SP 800-171 is the backbone of the CMMC, so following the NIST SP 800-171A assessment guide is highly recommended.
How can organizations become certified?
An organization seeking certification (OSC) will coordinate directly with an accredited and independent third-party commercial certification organization (C3PAO) to request and schedule its CMMC assessment. Your company will specify the level of certification requested based on your company’s specific business requirements. Your company will be awarded certification at the appropriate CMMC level upon demonstrating the appropriate capability and organizational maturity to the satisfaction of the assessor and certifying organization.
How much will CMMC certification cost?
The certification cost has not yet been determined. The cost, and associated assessment, will likely scale with the level requested with C3PAOs pricing at their discretion.
Will there be a self-certification?
How do I request a certification assessment?
We expect that there will be a number of companies providing third-party CMMC assessment and certification, listed through the CMMC Accreditation Body (AB) website.
Who will perform the assessments?
An independent third-party assessment organization will normally perform the assessment. Some of the higher-level assessments may be performed by organic DoD assessors within the Services, the Defense Contract Management Agency (DCMA) or the Defense Counterintelligence and Security Agency (DCSA).
How often does my organization need to be re-certified?
Every three years.
If my organization is certified CMMC and I am compromised, do I lose my certification?
You will not lose your certification. However, depending on the circumstances of the compromise and the direction of the government program manager, you may be required to be re-certified.
What if my organization cannot afford to be certified? Does that mean my organization can no longer work on DoD contracts?
The cost of the certification process, and whether it will be an allowable cost, is still not clear (at the time of this blog being written). The cost of implementation is expected to be borne by OSCs, who must complete implementation prior to their certification. For contracts that require CMMC, you may be disqualified from participating if your organization is not certified.
My organization does not handle Controlled Unclassified Information (CUI). Do I have to be certified anyway?
Yes. Once CMMC requirements begin to appear in solicitations, all DoD contractors must be certified at CMMC Level 1, at minimum. All contractors who handle CUI must be certified at CMMC Level 3, at minimum. The level of certification required depends upon the data a company handles or processes.
How will I know what CMMC level is required for a contract?
The government will determine the appropriate tier (i.e. not everything requires the highest level) for the contracts they administer. The required CMMC level will be contained in sections L & M of the Request for Proposals (RFP).
The problem today, as we see it, is not compliance…it is implementation.
Malicious hackers do not care if you are compliant; they care if your controls ARE NOT implemented. That means they can more easily access your CUI!
Fortunately for contractors of the DoD (big or small), Beryllium InfoSec Collaborative has worked strategically with industry leaders in both security and information technology, to develop a solution.
Every SMB faces the same challenges with cybersecurity implementations:
With CUICK TRAC, contractors can achieve Cybersecurity Maturity Model Certification Level 3 implementation, mapped to both CMMC v1.02 and the CMMC Assessment Guides, in a matter of weeks, not months, so they are prepared for their audit by a C3PAO.
No additional internal hardware, software, technology or configuration is required. We have it done already! Be in a position to pass your CMMC certification by utilizing CUICK TRAC’s NIST 800-171 compliant enclave, which allows for a programmatic approach to implementing the administrative and physical controls as well.
Regardless of where a contractor is in the process of DFARS 252.204-7012 compliance/implementation of NIST SP 800-171, CUICK TRAC is the solution to getting there faster and for less.