CMMC Cybersecurity Maturity Model Certification Explained
The Cybersecurity Maturity Model Certification (CMMC) is a set of guidelines for implementing cybersecurity measures across Department of Defense (DoD) contractors. The CMMC was designed to ensure that the 300,000-plus contractors and subcontractors operating in the defense industrial base (DIB) supply chain are safeguarding sensitive government information.
What Is the CMMC Framework?
In January 2020, the DoD announced the first details of the CMMC framework, which included the use of a maturity model. This model categorized contractors into five levels depending on the cybersecurity measures they have to keep controlled unclassified information (CUI) safe.
The CMMC model combines compliance processes from NIST SP 800-171, NIST SP 800-53, ISO 27032, ISO 27001, and AIA NAS9933. Also, the CMMC model uses compliance procedures taken from the Federal Information Security Management Act (FISMA).
The Five Levels of CMMC Cybersecurity
The CMMC framework is based around a tiered system that determines the cybersecurity maturity of contractors using five cyber hygiene levels. Each level builds on the last, and all DoD contractors and subcontractors are required to be at least Level 1 certified if they want to move up to the succeeding levels. Here's a breakdown of the five CMMC levels.
Level 1: Basic Cyber Hygiene
This level is designed to protect federal contract information (FCI) not intended for the public. Level 1 contractors are required to practice "basic cyber hygiene," such as installing antivirus software and training employees on how to properly secure their login credentials.
Level 2: Intermediate Cyber Hygiene
Level 2 introduces CUI, a new data type that requires safeguarding and disseminating controls. At this level, contractors and subcontractors are required to document the cybersecurity policies and practices for protecting CUI that they have in place. Level 2 is mostly based on the NIST SP 800-171 Rev. 2 requirements, which include:
- Access control
- Awareness and training
- Audit and accountability
- Configuration management
- Identification and authentication
- Incidence response
- Media protection
- Physical protection
- Personnel Security
- Risk assessment
- Security assessment
- System and communications protection
- System and information integrity
Level 3: Good Cyber Hygiene
With Level 3 certification, contractors are allowed to handle and generate CUI. All contractors and subcontractors are required to implement 47 additional controls stated in NIST SP 800-171 Rev. 2 in order to get a Level 3 certification.
Level 4: Proactive Cyber Hygiene
At Level 4, contractors and subcontractors must be proactive in identifying and containing threats. Level 4 is designed to deal with the changing capabilities, processes, and tactics of advanced persistent threats (APTs).
Level 5: Advanced/Progressive Cyber Hygiene
Level 5 is the topmost level of the CMMC framework and is reserved for contractors with advanced/progressive and state-of-the-art cybersecurity measures. There are 30 additional controls on top of those in Level 4 that should be implemented before contractors can achieve a Level 5 certification.
Who Needs to Comply with CMMC?
All contractors and subcontractors are required to have a CMMC certification before they can work on DoD contracts. Noncompliant contractors and subcontractors are given a stop-work order until they can implement the cybersecurity measures necessary to protect sensitive government information. Also, the DoD can impose fines and penalties on contractors who make false claims about their certification level and bar them from bidding on future contracts.
Compliance requirements for CMMC have been implemented on request for information (RFI) processes since June 2020 and will be implemented on request for proposals (RFP) processes starting in September 2020. As of the moment, the DoD has not yet stated when full CMMC compliance will be required, but it's recommended that contractors and subcontractors start learning the technical requirements of CMMC to prepare for the upcoming assessment.
How to Prepare for a CMMC Compliance Audit
The NIST SP 800-171 and the Defense Federal Acquisition Regulation Supplement (DFARS) allowed contractors to self-certify. However, with the CMMC framework, contractors are now required to undergo an assessment performed by a certified third-party assessor organization (C3PAO). Having a third-party organization do the assessment will prevent any false claims from contractors.
Here are some tips on how to prepare for a CMMC audit:
- Study the CMMC Cybersecurity Technical Requirements
In addition to the five maturity levels of the CMMC model, DoD contractors must study the technical requirements of the CMMC, which are divided into 17 sections. These sections were taken from the control families of NIST SP 800-171 and security-related areas of the Federal Information Processing Standards (FIPS) 200.
- Choose Between In-House or Outsourced Assessment
Before the actual audit, DoD contractors can conduct a self-assessment to identify gaps and weak points in their cybersecurity program. They can do this either in house or outsource the task to a CMMC consultant like Charles IT. Contractors choosing to do an in-house assessment can refer to the Self-Assessment Handbook - NIST Handbook 162. However, the NIST handbook only covers the requirements stated in NIST SP 800-171 Rev. 1, which is only suitable for a Level 3 certification.
Contractors looking for a certification higher than Level 3 should work with a CMMC consultant. CMMC consultants can help contractors meet the requirements found in NIST SP 800-171 Rev. 2. CMMC consultants possess the tools and knowledge about CMMC compliance, which is why many contractors prefer hiring a consultant rather than perform a self-assessment.
- Conduct a Gap and Readiness Assessment
The next step is to conduct a thorough gap and readiness assessment. This assessment should answer the following questions:
- How is sensitive data stored?
- How is access to that data controlled?
- Is there an effective incident response plan in place?
- Are IT personnel and other staff members adequately trained?
- How are cybersecurity measures implemented and monitored?
If your company is applying for a CMMC certification, you'll need a managed IT services provider (MSP) like Charles IT. Our gap assessment will identify weak spots in your company's IT infrastructure. We will then develop a remediation plan that will help your company achieve CMMC compliance. Get a gap assessment today.