At the end of 2017 the Department of Defense (DoD) started to require organizations that were a part of the Defense Industrial Base (DIB) supply chain to develop and implement a System Security Plan (SSP) and a Plan of Actions & Milestones (POA&M) for assessment of their cybersecurity stance according to NIST 800-171 Standard.
By 2019, the Department of Defense (DoD) realized that very few organizations responded adequately to the regulations leading to the announcement of CMMC mid-way through 2019 and the release of CMMC Version 1.0 at the beginning of 2020.
Due to the highly technical nature of the CMMC and the relatively short timeline, obtaining a CMMC has become a huge challenge for many DoD contractors.
What is the Cybersecurity Maturity Model Certification (CMMC)?
The Cybersecurity Maturity Model Certification (CMMC) is a new certification created by the DoD that creates a unified standard for cybersecurity implementation for all businesses that are a part of the Defense Industrial Base (DIB) supply chain.
It specifies a range of security maturity levels that must be met and will be used by the DoD as a qualification criterion for Request for Proposals (RFPs) and vendor selection.
While some of the more than 300,000 Defense Industrial Base (DIB) contractors will have the staff, resources, and expertise to meet CMMC requirements and timeline in-house, many will not.
If your organization doesn’t meet the CMMC’s guidelines, then your organization will no longer be able to bid on certain contracts by the end of 2020 and will not be able to bid on any contracts by 2026.
CMMC Timeline
The DoD is working quickly to roll out the CMMC with a target of 10 Request for Informations (RFIs) and 10 Request for Proposals (RFPs) meeting CMMC requirements by the end of 2020. While the first few deadlines were initially delayed because of the COVID-19 pandemic, CMMC has remained relatively on track with the updated timeline below.
- June 2015: NIST 800-171 released
- August 2016: Dod released revision 1 of NIST 800-171
- December 2017: DIB required to meet NIST 800-171
- January 2019: DoD noticed few organizations implemented NIST 800-171
- August 2019: DoD announced they would be creating the CMMC
- January 2020: DoD released version 1.0 of the CMMC
- March 2020: DoD released version 1.02 of the CMMC
- End 2020: DoD to incorporate CMMC requirements in Requests for Proposals (RFPs)
- 2021-2026: Implementation of the CMMC through a phased rollout
- 2026: CMMC a requirement for all companies doing business with the DoD.
Full implementation of the CMMC will be gradually rolled out through 2025 and by 2026 all DoD contractors will be required to have a CMMC to bid on contracts with the DoD.
Who Does CMMC Apply To?
All DoD contractors in the defense contract supply chain will be required to obtain a CMMC certification by 2026.
This includes all suppliers at all tiers along the supply chain. These include:
- Small/medium/enterprise-level businesses
- Sole proprietors
- Commercial item contractors
- Foreign suppliers
For your organization to remain competitive or relevant for RFIs or RFPs you will need to receive a CMMC.
Why CMMC?
The cybersecurity challenges faced by the DoD are enormous with the Pentagon stopping an estimated 36 million emails containing ransomware and phishing attacks each day.
Despite their best efforts, the Pentagon reported a data breach exposing the personnel information of 30,000 DoD employees on a system operated by a third-party contractor in late 2018.
Cybersecurity has always been and always will be a huge issue for the DoD with hypothesis from the Department of Homeland Security stating that things are only going to get worse.
To help circumvent this ongoing cybersecurity threat, the DoD identified specific cybersecurity requirements in the Defense Federal Acquisition Regulation Supplement (DFARS) (252.204-7008 and 252.204.7012) back in 2015.
This required DoD contractors to adopt specific cybersecurity standards and practices that were specified by the National Institute of Standards and Technology (NIST) with all organizations required to comply with NIST SP 800-171 regulations by the end of 2017.
The adoption of this framework was slow as most DoD contractors only maintained adequate security hygiene practices by the end of 2017. The DoD’s hypothesis was that only 1% of contractors had state of the art cybersecurity. An example of their hypothesis can be seen in the graphic below.
When the DoD determined there were unacceptable levels of risk to Controlled Unclassified Information (CUI) in 2019, the DoD introduced CMMC at the beginning of 2020 to ensure the appropriate levels of cybersecurity protections were in place.
The CMMC was in essence created to move away from the self-assessment model, to a model that requires a strict audit process from C3PAOs. It also establishes compliance as a condition for doing business with the DoD.
What are C3PAO?
C3PAO stands for Certified Third-Party Organizations. These organizations are responsible for retaining certified assessors that ensure that your organization adheres to the CMMC-AB‘s code of professional conduct.
What is CMMC-AB?
The CMMC-AB stands for the Cybersecurity Maturity Model Certification Accreditation Body.
According to the CMMC-AB’s website the CMMC-AB,” establishes and oversees a qualified, trained, and high-fidelity community of assessors that can deliver consistent and informative assessments to participating organizations against a defined set of controls/best practices within the Cybersecurity Maturity Model Certification (CMMC) program.”
The Cybersecurity Maturity Model Certification Accreditation Body (CMMC-AB) also coordinates directly with the DoD to develop procedures to certify C3PAOs that will evaluate companies’ CMMC levels based on the CMMC Model.
CMMC Model
What is a Maturity Model?
A maturity model is a set of characteristics, attributes, indicators, or patterns that represent capability and progression in a specific discipline.
In layman’s terms, a maturity model measures how well your organization can adapt or progress in a specific subject, which in this case is cybersecurity.
How does this relate to the Cybersecurity Maturity Model Certification?
The maturity model for the Cyber Security Maturity Model Certification (CMMC) will be used to provide a benchmark for your organization’s cybersecurity. This benchmark will be used to evaluate the current cybersecurity capabilities of your organization’s processes, practices, and methods to set goals and priorities for improvement.
CMMC Framework
The most recent CMMC model was published in March of 2020 and was version 1.02.
This CMMC framework consists of maturity processes and cybersecurity best practices from multiple cybersecurity standards, frameworks, and other references.
The model framework (demonstrated below) organizes these processes and practices into a set of domains (or categories) and then maps them across 5 levels.
In order to provide additional structure, the framework also aligns the practices to a set of capabilities within each domain.
CMMC Domains
The CMMC model consists of 17 domains or categories. Most of these domains originate from the security-related areas in the Federal Information Processing Standards Publication 200 and the related security requirement families from NIST 800-171. The CMMC also includes three additional domains, which are Asset Management (AM), Recovery (RE), and Situational Awareness (SA).
Each of the 17 domains along with their abbreviations can be seen below.
CMMC Levels
The CMMC model outlines cybersecurity best practices and processes into five maturity levels. Each set of levels has its own set of practices and processes.
These practices range from Level 1’s basic cyber hygiene to Level 5, which requires advanced/progressive capabilities at your organization. To meet the requirements of CMMC your organization must perform both the practices and processes to meet each specific level of CMMC, which are shown here:
The CMMC levels and the associated sets of processes and practices across domains are cumulative. This means for your organization to achieve a specific CMMC level, it must also demonstrate completion of the proceeding levels.
CMMC Levels and Associated Focus
In addition to the previous CMMC level descriptions, the specification and mapping of processes and practices to a particular level consider multiple considerations.
In layman’s terms, this means the CMMC model provides a means of improving how your organization can adopt or progress your cybersecurity practices based on the sensitivity of information or range of threats. These considerations include:
- Regulations
- Types and sensitivity of information
- Threats
- Costs
- Implementation complexity
- Diversity within the DIB sector
- Assessment implications.
As a result, the CMMC can also be characterized by this alignment or more simply, their focus as follows:
- Level 1: Safeguard Federal Contract Information (FCI)
- Level 2: Serve as a transition step in cybersecurity maturity progression to protect CUI
- Level 3: Protect Controlled Unclassified Information (CUI)
- Level 4-5: Protect CUI and reduce risk of Advanced Persistent Threats (APTs)
CMMC Level 1
Level 1 practices are the foundation of CMMC and required for all proceeding CMMC levels. This level is based on the safeguarding of FCI and corresponds to NIST 800-171. This level requires your organization to implement 17 different controls or practices to achieve basic cyber hygiene but doesn’t require that organization to document those practices.
CMMC Level 2
Level 2 creates a maturity-based progression for organizations to transition between Level 1 and Level 3. Unlike level 1, organizations are expected to establish and document practices and policies for CMMC compliance. This level includes 72 different controls or cyber hygiene practices to achieve intermediate cyber hygiene.
CMMC Level 3
Level 3 indicates a basic ability to protect CUI and shows that you effectively implemented the security requirements of NIST 800-171. Organizations at level 3 are expected to adequately maintain activities, review policies, and review processes. They are also expected to demonstrate a plan to manage specific activities. This level requires an organization to follow 130 different controls or practices to achieve good cyber hygiene.
CMMC Level 4
Level 4 requires enhanced cybersecurity tactics that can defend CUI from Advanced Persistent Threats (APTs). Organizations at this level are expected to review and document activities for effectiveness and inform upper management of any issues. This level requires an organization to follow 156 different controls or cyber hygiene practices to achieve proactive capabilities.
CMMC Level 5
Level 5 is focused on the protection of CUI from APTs by optimizing cybersecurity capabilities. Organizations are expected to improve and standardize process implementation across the enterprise. This level requires an organization to follow 171 different controls or cyber hygiene practices to achieve advanced/progressive capabilities.
How to Prepare for a CMMC Audit?
As stated above, the various levels of CMMC call for different controls outlined in NIST 800-171 Rev 1. and NIST 800-171 Rev. B. Your organization should determine which CMMC level they wish to obtain and then implement the necessary controls. If your organization has already implemented all NIST SP 800-171 controls, then you should have no issues passing a CMMC audit up to CMMC Level 3.
If your organization has not implemented the NIST 800-171 controls, the following options are available to prepare for a CMMC audit:
Meet the Requirements of the Cybersecurity Maturity Model Certification In-House
This option applies if your organization has the resources and IT staff available to implement the appropriate CMMC level in-house. If your organization doesn’t have the expertise to meet the requirements of CMMC, then your organization will need to outsource this project to a third party CMMC consultant who offers CMMC compliance services.
Work with a Cybersecurity Maturity Model Certification Consultant
For many DoD contractors, the most effective way to meet the requirements of CMMC is to outsource the task to a Managed Service Provider (MSP) that specializes in CMMC consulting. By outsourcing CMMC work to a qualified provider, your organization may save a lot of time and money compared to implementing this project in house.
At Spry Squared, Inc. we are experts at helping organizations navigate the complexities of and financial hurdles of NIST 800-171 and DFARS 7012. We are working to help your organization achieve the CMMC level you need to remain competitive in the industry.
Schedule a quick call to learn more about how Spry Squared, Inc. can help your organization prepare for a CMMC audit.
Remember to watch for our future blog as we will be going more in-depth into the specifics of CMMC Levels 1-5 and important CMMC FAQ’s. Stay tuned!