What Is CMMC?
The Cybersecurity Maturity Model Certification (CMMC) was developed by the Office of the Under Secretary of Defense for Acquisition and Sustainment. CMMC was designed to help better protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI), intending to regulate and heighten cybersecurity measures and protocols across the Defense Industrial Base (DIB). It’s based on the existing regulations of DFARS clause 252.204-7012, requiring contractors to implement NIST SP 800-171.
The primary difference between the CMMC and the former regulations is the requirement of a Third-Party Assessment Organization (C3PAOs). These C3PAOs will verify the implementation of cybersecurity measures within companies handling Department of Defense (DoD) contracts. In contrast, the previous regulations were based on self-assessment.
Contractors working with the DoD handle high volumes of sensitive information, prompting immediate attention to the implementation of mandated cybersecurity measures for those wanting to do business with the DoD. The DoD can no longer assume the required security measures have been implemented, and certified contractors will give them the assurance that they’ve met the updated standards. Contractors working with the DoD should already have these processes in place, but it’s now going to be verified rather than self-assessed. Ultimately, the main goal is to protect CUI and FCI.
But does it apply to your company? If so, what do you need to know about the certification process? We’re here to help answer your questions as you begin to get your company prepared for CMMC.
What’s Covered In The Current Model?
The Cybersecurity Maturity Model covers a wide range of areas depending on the required certification Level. Here’s are a few areas the model focuses on:
Training – Are systems in place? Have all employees conducted training?
Encryption – What information are you encrypting? Are you using devices to encrypt?
Remote Access – Do you know who’s logging into your systems? Do you know where and when they are logging in?
Access Privilege – Are you giving people access to only the programs and databases they need?
Physical Barriers – Where are things physically stored, and how are they secured?
User Identification – Does everyone have a unique login?
Incident Response – Would your team know what to do if an incident happened or was suspected of having happened?
CUI Marking – Is your CUI marked correctly? Does your team know how to mark printed CUI versus a computer?
Network Isolation – Do you have a subnetwork for guests coming in or anyone in need of temporary access to the system?
Who Does the CMMC Affect?
CMMC will affect everyone with access to CUI that needs protecting. Whether you have a contract to plow snow, clean offices, or design weaponry, you’ll be required to obtain some Level of CMMC. New contracts will have CMMC requirements included before the official deadline, so the sooner you get started, the easier it will be. As a result, you’ll have better cybersecurity practices with good rules in place to protect information.
The CMMC Framework
CMMC framework consists of “maturity processes and cybersecurity best practices from multiple standards, frameworks, and other references, as well as inputs from the DIB.” The CMMC is organized by processes and practices within domains over five security levels. Each Level contains both a cumulative process and practice, where each builds upon the previous. An ability to demonstrate both the processes and practices of a Level is requisite for lower levels to achieve the higher one. For example, if a business wants to be a Level 3, it must also meet Level 1 and 2 requirements.
What Are Domains?
The CMMC is composed of 17 Domains mapped across five security levels. Within each domain are processes and practices that either stays the same or increases among the five levels.
The 17 Domains Within CMMC:
- AC Access Control
- AS Asset Management
- AU Audit and Accountability
- AT Awareness and Training
- CM Configuration Management
- IA Identification & Authentication
- IR Incident Response
- MA Maintenance
- MP Media Protection
- PS Personnel Security
- PE Physical Protection
- RE Recovery
- RM Risk Management
- CA Security Assessment
- SA Situational Awareness
- SC System and Communication Protection
- SI System and Information Integration
Each contractor must meet a different CMMC Level based on the nature of the contract and the information handled, but everyone who holds DoD contracts will need to at least achieve Level 1. It’s up to each contractor to know what Level they need to achieve.
Levels 1-5:
- Level 1: Basic Cyber Hygiene
- Level 2: Intermediate Cyber Hygiene
- Level 3: Good Cyber Hygiene
- Level 4: Proactive
- Level 5: Advanced/Progressive·
What Is The Assessment Process Like?
Level 1 assessments are straightforward and a type of foundation of basic cybersecurity requirements. Level 2 is a transitional Level to help organizations obtain Level 3. The Level 3 assessments are in-depth and should be executed with detail. As organizations ready themselves for their audit, the best place to start is with the assessment guide. The assessment guide is the document assessors use to conduct CMMC audits. The authoritative sources for all CMMC information, including the assessment guides, are on the OUSD CMMC website.
How Should You Prepare For An Audit?
Read the Guides
Organizations should begin by reading the NIST 800-171 to familiarize themselves with the requirements. The assessment guide walks through every requirement, including how assessors evaluate whether the conditions have been satisfied.
Perform a Gap Analysis
Gap analyses determine how close the contractor is to being fully compliant and the areas that need improvement. An essential first step is to identify the CUI within an organization.
What Are Auditors Looking For?
Depending on the organization’s size, the average time frame the audit will take is between 1.5-3 months, so you’ll want to make this process as smooth as possible.
The first thing the auditors will evaluate is the environment:
- How many servers are there?
- How many workstations?
- What does it physically look like? How large or small is it? – if it’s big, it will increase the load and timeline of engagement with an auditor.
Before auditors get started, they must understand precisely what they need to evaluate. Organizations should map the controls to their environments for all in-scope systems like workstations, servers, etc. Time and date stamps are necessary; auditors need to see the evidence they are being presented isn’t from a year ago.
Once they understand the environment, they’ll dig into policies, procedures, and everything is written down. If something isn’t written down, they’ll need to know why not and what is being done. Keep in mind that all areas of requirements will need tangible policies the auditors can review, and you should anticipate anything they are going to want. This is usually in the Security System Plan (SSP), and organizations without SSPs will not pass their audit if it is a Level 2 or higher.
What Happens If An Organization Doesn’t Pass?
The biggest challenge of this certification is that it has many requirements that all need to be proven to work effectively. When organizations are not compliant, the auditors will let them know the areas they need to improve, but they will not help them solve the problems. The organizations will need to hire a remediator to help them get the problems solved. They can confirm if a solution will work for compliance, such as reviewing things like log repositories and also help vet vendors.
When it comes to the Cybersecurity Maturity Model Certification, the sooner organizations meet the requirements; the more accessible certification will be. It’s important to remember the many resources and services available to assist with this transition.
Sources
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-172.pdf
https://cmmcab.org/marketplace/
https://www.acq.osd.mil/cmmc/docs/CMMC_ModelMain_V1.02_20200318.pdf
https://www.ic3.gov/Media/PDF/AnnualReport/2020_IC3Report.pdf
https://www.acquisition.gov/dfars