The Department of Defense (DoD) built the Cybersecurity Maturity Model Certification (CMMC) framework to better assess and improve the cybersecurity posture of the Defense Industrial Base (DIB). CMMC’s purpose is to ensure that appropriate levels of cybersecurity practices and processes are in place to protect federal contract information (FCI) and controlled unclassified information (CUI) that resides on the DIB’s networks.
CMMC maps cybersecurity best practices and processes to five maturity levels, summarized in the figure below. Process levels range from simply performed at Level 1 to optimized at Level 5. In parallel, practices range from basic cyber hygiene at Level 1 to advanced and progressive cyber hygiene at Level 5.
Source: Department of Defense, Cybersecurity Maturity Model Certification (CMMC) Version 1.0
How CMMC works: Domains, capabilities, practices and processes
CMMC incorporates pre-existing legislation such as NIST SP 800-171, 48 CFR 52.204-21, DFARS clause 252.204-7012, and others, into one unified set of cybersecurity best practices.
It categorizes these best practices into 17 broad domains, such as “Access Control” and “Systems and Communications Protection.” Forty-three distinct capabilities, such as “control remote system access” and “control communications at system boundaries,” are distributed across the 17 domains. Not all companies need to demonstrate all 43 capabilities; they apply depending on the CMMC maturity level sought.
Companies will demonstrate compliance with the required capabilities by showing adherence to a range of practices and processes. Practices are the technical activities required within any given capability requirement; 173 practices are mapped across the five CMMC maturity levels. Processes serve to measure the maturity of organizations’ institutionalization of cybersecurity procedures; nine processes are mapped across the five CMMC maturity levels.
CMMC vs NIST 800-171: The essential differences
CMMC is built on the foundation of NIST 800-171, which until now dictated the cybersecurity standards that all DIB companies had to follow. Specifically, DFARS clause 252.204-7012 stipulated that any company that accesses or stores CUI must self-assess its cybersecurity capabilities and self-attest that it meets all 110 security controls of NIST SP 800-171 or have a Plan of Action and Milestones (POAM) to do so.
A POAM is a plan that indicates the specific measures that a DIB company will take to correct deficiencies found during a security control assessment. The POAM should identify which tasks should be done as well as the resources required to make the plan work.
One of the most significant changes from NIST 800-171 to CMMC is the shift from self-assessment to external assessments of cybersecurity compliance, which will be conducted by CMMC Third Party Assessment Organizations (C3PAOs). Further, whereas in the past noncompliance with DoD cybersecurity regulations was acceptable as long as companies prepared POAMs outlining plans to address deficiencies, that will no longer be the case under CMMC. Companies will still need to complete SSPs (System Security Plans), although those too will not satisfy CMMC requirements.
CMMC also expands upon NIST 800-171 by supplementing that standard’s 110 security requirements. Specifically, Level 3 adds 20 new requirements that must be met in order to be CMMC certified. These additional practices are designed to support good cyber hygiene.
Until CMMC is fully implemented per the timeline noted below, CMMC and NIST SP 800-171 mandates will coexist. That is, over the next several years the number of defense contracts subject to CMMC requirements will ramp up and those subject to NIST SP 800-171 will decline to zero.
Timeline for CMMC implementation
The DoD is aiming to add CMMC Level Requirements to DoD contract Requests for Information (RFIs) beginning in June 2020. CMMC Level requirements will be added to RFPs beginning October 2020, starting with an estimated 15 procurements for critical DoD programs and technologies, such as those associated with nuclear and missile defense. At that point, for those contracts, CMMC certification will be used as the basis for “go/no go” decisions.
It is expected that approximately 1,500 primes and subcontractors will be affected in the first round of implementation and, likewise, will need to be CMMC certified by Fall 2021. The roll-out will continue over a five-year period, with the expectation that all new DoD contracts will include CMMC requirements by Fall 2026.
What CMMC level does my company need to achieve?
The CMMC maturity level an organization must achieve to do work for the DoD depends upon the sensitivity of the DoD information it will work with, and the range of cyber threats associated with that information. The following summary of the process and practice standards for each of CMMC’s five levels will help you identify the appropriate CMMC level for your business.
CMMC Level 1
Level 1 requires that an organization performs the specified practices. Because the organization may be able to perform these practices only in an ad-hoc manner and may or may not rely on documentation, process maturity is not assessed for Level 1.
Practices: Basic Cyber Hygiene
Level 1 focuses on the protection of FCI and consists only of practices that correspond to the basic safeguarding requirements specified in 48 CFR 52.204-21.
CMMC Level 2
Level 2 requires that an organization establish and document practices and policies to guide the implementation of their CMMC efforts. The documentation of practices enables individuals to perform them in a repeatable manner. Organizations develop mature capabilities by documenting their processes and practicing them as documented.
Practices: Intermediate Cyber Hygiene
Level 2 serves as a progression from Level 1 to Level 3 and consists of a subset of the security requirements specified in NIST SP 800-171 as well as practices from other standards and references. Because this level is a transitional stage, a subset of the practices reference the protection of CUI.
CMMC Level 3
Level 3 requires that an organization establish, maintain and resource a plan demonstrating the management of activities for practice implementation. The plan may include information on missions, goals, project plans, resourcing, required training, and involvement of relevant stakeholders.
Practices: Good Cyber Hygiene
Level 3 focuses on the protection of CUI and encompasses all of the security requirements specified in NIST SP 800-171 as well as additional practices to mitigate threats. Note that DFARS clause 252.204-7012 applies, and specifies additional requirements beyond NIST SP 800-171 security requirements such as incident reporting.
CMMC Level 4
Level 4 requires that an organization review and measure practices for effectiveness. In addition, organizations at this level are able to take corrective action when necessary and inform higher level management of status or issues on a recurring basis.
Level 4 focuses on the protection of CUI from APTs and encompasses a subset of the enhanced security requirements from Draft NIST SP 800-171B as well as other cybersecurity best practices. These practices enhance the detection and response capabilities of an organization to address and adapt to the changing tactics, techniques and procedures (TTPs) used by APTs.
CMMC Level 5
Level 5 requires an organization to standardize and optimize process implementation across the organization.
Level 5 focuses on the protection of CUI from APTs. The additional practices increase the depth and sophistication of cybersecurity capabilities.
Three key points to keep in mind about CMMC levels
CMMC levels and their associated processes and practices are cumulative. For example, for an organization to achieve CMMC Level 3, it also must demonstrate achievement of Levels 1 and 2.
Organizations must meet requirements for the level they seek in both the practice and the process realms. For example, a contractor that achieves Level 3 on practice implementation and Level 2 on process institutionalization will be certified at the lower CMMC Level 2.
DoD prime contractors must flow down the appropriate CMMC level requirement to their subcontractors, which will vary depending on the nature of the subcontractors’ work. For example, a prime contractor with CMMC Level 5 certification could have a subcontractor with which it shares just FCI; the DoD would require that subcontractor to achieve Level 1 certification.
Getting ready for CMMC
To get started on the path to compliance, DIB companies need to determine if they are handling CUI. Once they determine where they stand and what type of information they are handling, they should identify the gaps between their current state and their target state and create a POAM for closing those gaps.
Companies handling very basic information only need to reach Level 1. For others who are handling CUI, the process is more involved. They need to determine if their whole organization needs to be Level 3 compliant or if an enclave approach is more appropriate, whereby only part of their company needs to embrace a compliance solution.
However, until there is final guidance from the CMMC-AB around the certification process, no MSP can guarantee you will meet CMMC criteria. While it’s clear that there are known controls for each level, it is not known how in-depth those controls will need to be to pass the audit and obtain the certification. But by starting to prepare now, early adopters will most likely only need to make minor changes to their processes, ensuring they can be first in line for their certification audit.
How The Compliancy Guys can help
The new CMMC framework will better arm the DoD in its efforts to defend against cyberattacks that threaten U.S. advantages in the military, technological and commercial realms. CMMC’s implementation is on the fast track, and whether your company can continue to work with the DoD will be determined by whether it can achieve the appropriate CMMC maturity level for the contract you seek.