On 31 January 2020, the Department of Defense (DoD) launched the first finalized version of the Cybersecurity Maturity Model Certification (CMMC). The CMMC version 1.0 is a new set of regulations where organizations contracting with the DoD are required to acquire a certain certification level representing their cybersecurity capabilities. The model uses five levels to identify an organization's cyber hygiene from basic to progressive. Each level has its set of requirements adapted from several established frameworks (like the NIST 800-171), and certification for any level is to be validated by a certified third-party auditor.
Both the Defense Federal Acquisition Supplement (DFARS) 7012 and CMMC version 1.0 use the NIST 800-171 standards and safeguards as a baseline set of rules. In fact, compliance with CMMC level 3, which represents “good cyber hygiene” and is the required level for contractors handling CUI, involves many of the same NIST 800-171 controls as DFARS does.
The main difference between version 1.0 of the CMMC and DFARS 7012 is in the process by which an organization is declared capable of handling CUI. Where self-assessment is sufficient to be regarded as a DFARS-compliant organization, CMMC compliance requires validation from a 3rd Party Assessment Organization (C3PAOs).
CMMC version 1.0 is a supplement to DFARS 7012--the set of regulations currently used by the DoD to regulate Controlled Unclassified Information (CUI). It’s not meant to replace DFARS 7012, but rather augments adherence to it by eliminating self-certification and replacing it with third-party certification. The creation of CMMC model 1.0 is part of the effort to improve the low rate of DFARS compliance.
Conception and purpose
In an effort to ensure that DoD contractors and subcontractors had adequate cybersecurity practices, the DoD first implemented DFARS and mandated its compliance on 31 December 2017.
After a few years of observing low compliance rates, and in response to several contractor data breaches--including a prominent one in early 2018 involving Project Sea Dragon, where 614 GB of sensitive information was stolen--the DoD decided to roll out the CMMC model 1.0.
The first finalized CMMC version 1.0 documentation was released on January 31, 2020 for public review. Third party auditors began applying for accreditation in mid 2020.
C3PAOs, assessors and training providers
CMMC assessments will be conducted by Certified Assessors, who can be individuals or organizations that are trained by a Licensed Training Provider. Licensed training providers can be community colleges, universities or other learning institutions.
The CMMC Accreditation Body (CMMC-AB) is starting the initial rollout with a provisional program, where 72 qualified assessor applicants will be selected to be “Provisional Assessors.” The requirements include either 10+ years of experience conducting evidence-based assessments in cybersecurity including ISO, FedRAMP and more, or proven experience as a consultant or leader in cybersecurity for at least 20 years. Once selected, the assessor applicants will undergo training starting 31 August 2020.
C3PAOs are DoD-authorized organizations that ensure certified CMMC assessors adhere to the CMMC-AB’s professional code. They will also monitor the process by which certified assessors schedule assessments and review and submit completed assessments. A list of official C3PAOs and assessors will be released by the DoD to more easily connect organizations looking to acquire a CMMC certification with assessors.
Official roll out
As of August 2020, the CMMC 1.0 release is projected to fully roll out some time between late 2020 and early 2021, after which it will become a critical part of the Requests for Proposals (RFPs) for DoD contractors. The results of CMMC audits will be tabulated as part of the bidding process and shown to the DoD when they consider different bidders for contracts.
Preparation tips
In order to get a CMMC certification, you need to assess where you are and where you want to be. If you’re a DoD contractor, a minimum of CMMC level 3 is required to prove your capability to handle CUI. Once you know which certification level you have to acquire, you should:
The importance of gap assessment
Non-compliance with the appropriate CMMC level can lead to suspension of DoD contracts or even outright bans from the defense supply chain. This is not something you want to get wrong.
A gap assessment allows you to have a clear understanding of the controls you need to improve so when the time for a CMMC audit comes, you’re as prepared as you can be.
Fill in the gaps in your business’s cybersecurity. Start with a gap assessment, and start now!