The Cybersecurity Maturity Model Certification (CMMC) was created to enhance the cybersecurity posture of companies participating in US government supply chains. As of December 31, 2017, defense and government suppliers had to comply with NIST 800-171. Starting in 2020, the DoD will gradually transition federal contract information to include CMMC instead of NIST 800-171.
There are two significant differences in CMMC:
- Unlike NIST 800-171, with CMMC there is no longer an option for self-attestation.
- CMMC includes five different levels of compliance.
CMMC - A New Cybersecurity Standard
The Cybersecurity Maturity Model Certification (CMMC) is a unified cybersecurity standard created to increase the security posture of companies operating in government supply chains. Version 1.0 was released in January 2020, and a minor update to Version 1.02 in March 2020.
The Department of Defense is planning to migrate from NIST 800-171 to the CMMC framework later in 2020.
Starting in September 2020, we will start to see CMMC requirements included in some RFPs, and by 2026, all new DoD contracts will require CMMC.
You can learn more about CMMC at these government sites:
- Office of the Under Secretary of Defense for Acquisition & Sustainment, Cybersecurity Maturity Model Certification
- CMMC Accreditation Body (CMMC-AB)
No More Self-Attestation
The CMMC framework will require all companies seeking compliance to work with an accredited and independent third-party organization to perform a CMMC assessment. With this framework, there is no longer an option for self-attestation.
The CMMC framework contains 5 maturity processes and 171 cybersecurity best practices progressing across 5 maturity levels. The CMMC maturity processes institutionalize cybersecurity activities to ensure they are consistent, repeatable, and of high quality. The CMMC practices provide a range of mitigation across the levels, starting with basic safeguarding at Level 1, moving to the broad protection of CUI at Level 3, and culminating with reducing the risk from Advanced Persistent Threats (APT) at Levels 4 and 5.
These levels will capture both the security controls and the processes that enhance a company's cybersecurity. DoD contracts will stipulate which level (1, 2, 3, 4, or 5) a supplier must meet. It is expected that a company will need to meet both the processes and the practices to achieve a given level.
A subcontractor working for a prime contractor may not necessarily need to meet the same level as the prime. For example, to win a contract, first-tier suppliers may need to be at Level 3, but a supplier to a prime may only need to be at Level 1 if that supplier will never receive or touch information that needs to be protected.
It is expected that most small businesses seeking basic cybersecurity hygiene will need to meet either Level 1 or Level 2.
LEVEL 1 - Safeguard Federal Contract Information (FCI)
♦ Level 1 Practices
- Firewall with monitoring
- Segment and control public facing connections
- Device inventory
- Software inventory
- User and access management
- Log and escort visitors
- Badges and keys
- Data disposal
- Update systems
♦ Level 1 Supporting Documentation
- Acceptable Use Policy
- Access Control Policy
- Physical Security Policy
- Asset Management Policy
LEVEL 2 - Serve as transition step in cybersecurity maturity progression to protect CUI
♦ Level 2 Practices
- CMMC Level 1 completion
- System event logging/retention
- Awareness and role training
- Hardware/software inventory
- Secure baselines
- Multi-factor authentication (MFA) for remote access
- Conduct, test, and encrypt backups
- Vulnerability scanning and remediation
- Identify unauthorized use
- Incident response procedures
♦ Level 2 Supporting Documentation
- Vulnerability Management Policy
- Data Transfer Policy
- Incident Response Policy
- Password Policy
- Secure Baseline Procedure
- Change Management Procedure
- Teleworker Policy
- Data Classification Policy
- Information Security Policy
LEVEL 3 - Protect CUI
There is a direct correlation between NIST 800-171 requirements and Level 3 of CMMC.
♦ Level 3 Practices
- CMMC Level 2 completion
- 800-171 controls
- No POA&M items
- Offsite backups
- Centralized logging
- Risk assessments
- Continuous monitoring
- DNS filtering
♦ Level 3 Supporting Documentation
- Social Media Policy
- CUI Handling Procedure
- Information Security Plan
LEVEL 4 - Protect CUI and reduce risk of Advanced Persistent Threats (APTs)
♦ Level 4 Processes: Reviewed
Includes a review of past practices for effectiveness. This also includes periodic notification of higher-level management of status or issues.
♦ Level 4 Practices: Proactive
Focuses on protecting CUI from APTs. It includes NIST SP 800-171B and enhanced detection and response capabilities.
LEVEL 5 - Protect CUI and reduce risk of APTs
♦ Level 5 Processes: Optimizing
Requires an organization to take corrective action towards improving process implementation across the organization.
♦ Level 5 Practices: Advanced/Proactive
Increases the depth and sophistication of cybersecurity capabilities.
How to Comply with CMMC
The CMMC framework requires all companies seeking compliance to work with an accredited and independent third-party organization called a "CMMC Third Party Assessment Organization" or C3PAO. A C3PAO is trained and accredited to perform CMMC assessments. As of May 14, 2020, the requirements for becoming a C3PAO are not yet established, and there are no approved C3PAO companies yet.
Expected CMMC Compliance Process
Companies operating in federal supply chains need to be certified by a third-party organization (C3PAO), which will assess the company's level of compliance with CMMC. DoD contracts specify which level a company must comply with (levels 1-5). CMMC will be introduced in new RFIs and RFPs starting in 2020. By 2026, all DoD contracts will include CMMC instead of NIST 800-171.
With the adoption of CMMC, there is no longer an option for self-attestation to be eligible to participate in DoD contracts.
The process to achieve certification is expected to be as follows:
- Determine the level of CMMC you want to meet (based on future contracts on which you plan to bid or internal business goals).
- Prepare internally to meet the selected standard. Identify gaps in your processes and systems. Corserva can help you prepare for CMMC.
- Select a C3PAO from the CMMC Accreditation Body Marketplace. There are no approved C3PAO companies yet.
- Engage a C3PAO to provide the assessment.
- The C3PAO submits the assessment for review by the CMMC-AB.
- Certification is issued to the company.
It is expected that the effectiveness of certification will last for 3 years, at which point companies will be able to renew their certification.
The Overlap of NIST 800-171 and CMMC
Because CMMC is to be rolled out gradually, there will be a period where both NIST 800-171 and CMMC will be in effect. Starting in September 2020, CMMC requirements will be included in some RFPs, and by 2026, all new DoD contracts will require CMMC.
Suppliers working under multiple contracts may be complying with NIST 800-171 on some contracts and CMMC on others. There is a direct correlation between NIST 800-171 requirements and Level 3 of CMMC.
CMMC Impact to Current Contracts
No existing contracts will have CMMC requirements inserted into them. CMMC requirements can appear only in new, future contracts.
The certification to win a contract will be needed at the time of the award.
You should think of NIST 800-171 as the foundation for CMMC. There are 14 families of requirements in NIST 800-171 and across the 14 families are a total of 110 individual requirements.
CMMC levels 1-3 encompass the 110 security requirements specified in NIST 800-171. There are 171 total practices across the five levels in CMMC.
NIST 800-171 was about compliance whereas CMMC is about reducing risk in DoD supply chains. What hasn't changed is the goal: to protect information.
Get Ready for CMMC Now
There are steps you can take now to get ready for CMMC. Contact Corserva to learn more about a certification assessment.