The US Department of Defense (DoD) works with over 300,000 contractors and subcontractors every day. These companies handle a huge amount of sensitive government information, such as federal contract information (FCI) and controlled unclassified information (CUI), making them prime targets for cybercriminals and hostile countries.
To ensure that contractors have sufficient cybersecurity defenses to protect CUI and FCI, the DoD released the Cybersecurity Maturity Model Certification (CMMC) Ver. 1 in January 2020.
What Is CMMC?
The CMMC is a unified cybersecurity standard that contractors must meet and get certified for before they can work for the DoD. This certificate verifies that a contractor has acceptable cybersecurity controls in place to safeguard important government information from cyberattacks.
Before the CMMC was created, contractors followed the standards set by the Defense Federal Acquisition Regulations (DFARS), which allowed them to self-certify their compliance. The problem with this process is that contractors would often lie about meeting the DFARS cybersecurity requirements. This allowed them to work for the DoD despite having security gaps in their infrastructure.
This led to the creation of the CMMC. Under the CMMC, contractors are no longer allowed to self-certify, and a certified third-party assessor organization (C3PAO) will conduct the assessment instead. This is to ensure that contractors that want to work for the DoD have sufficient cybersecurity policies for protecting CUI and FCI. Having a third-party organization conduct the CMMC audit also prevents contractors from making false claims about compliance. The DoD requires all contractors and subcontractors to be CMMC certified before they can bid for and work on government contracts.
How Do You Get a CMMC Certification?
The CMMC application process is fairly straightforward. If your company is looking to work on government projects, you first need to determine the maturity level of your organization. The DoD will assign you a level based on the five levels of the CMMC framework, which are:
Level 1: Basic Cyber Hygiene
All DoD contractors and subcontractors are required to be at least Level 1 certified. This level is concerned with protecting FCI and requires the implementation of 17 NIST SP 800-171 controls.
Level 2: Intermediate Cyber Hygiene
Companies working for the DoD must document their cybersecurity policies and processes to meet Level 2 requirements. An additional 46 NIST SP 800-171 controls must be implemented to keep CUI safe.
Level 3: Good Cyber Hygiene
At this level, contractors can handle and generate CUI. They are also required to implement cybersecurity protocols centered on protecting CUI. The remaining 47 NIST SP 800-171 controls should be implemented at this level for contractors to be fully certified.
Level 4: Proactive
This level requires DoD contractors to be proactive in detecting and containing advanced persistent threats (APTs) and other cyberattacks designed to steal sensitive information. In addition, it also necessitates the implementation of 25 additional controls found in NIST SP 800-171 Rev. 2.
Level 5: Advanced/Progressive
Contractors at this level should have enhanced and adaptive cybersecurity practices capable of handling APTs and other sophisticated threats.
Preparing for a CMMC Audit
The next step in acquiring a CMMC certification is preparing for a CMMC audit. As mentioned earlier, contractors are now required to pass an assessment conducted by a C3PAO before they can be certified. Here are some tips to help you prepare for a CMMC audit:
- Learn the CMMC Cybersecurity Technical Requirements
The CMMC cybersecurity technical requirements feature 17 sections based on the control families of NIST SP 800-171. These sections are:
- Access control
- Asset management
- Audit and accountability
- Awareness and training
- Configuration management
- Identification and authentication
- Incident response
- Media protection
- Personnel security
- Physical security
- Risk management
- Security assessment
- Situational awareness
- Systems and communications protection
- System and information integrity
- Decide Whether to Conduct an In-House or an Outsourced Assessment
DoD contractors and subcontractors can perform a self-assessment prior to the actual audit to spot potential weak spots and gaps in their cybersecurity defenses. There are two ways to do this:
This is ideal for contractors who have their own IT staff. They can use the Self-Assessment Handbook - NIST Handbook 162 for guidance; however, the handbook only covers NIST SP 800-171 Rev. 1 requirements, which is only good for a Level 3 certification.
Contractors can also conduct a self-assessment with the help of a CMMC consultant. A CMMC consultant possesses the knowledge and tools to help contractors comply with NIST SP 800-171 Rev 2. requirements, which allows them to obtain a CMMC certificate beyond Level 3. This is why many contractors prefer to work with a CMMC consultant rather than do an in-house assessment.
The next step is to partner with a trusted managed IT services provider like Charles IT for a gap assessment. Our gap assessment will give you a better understanding of the security controls you need to improve on. Start your gap assessment now to ensure your company is ready for the CMMC audit.