The Cybersecurity Maturity Model Certification (CMMC) is a cybersecurity framework created by the Office of the Under Secretary of Defense for Acquisition and Sustainment or OUSD(A&S). This new security framework was designed to ensure all contractors and subcontractors working for the United States Department of Defense (DoD) have sufficient cybersecurity measures to safeguard federal contract information (FCI) and controlled unclassified information (CUI).
The CMMC model combines cybersecurity control requirements from NIST 800-171, ISO 27032, ISO 27001, and NIST SP 800-53, to create more coordinated and detailed cybersecurity standards for DoD contractors. And unlike other security standards, a certified third-party CMMC auditor will perform the assessment before compliance can be achieved.
Why You Need to Be CMMC Compliant
All new DoD contract requests for information (RFIs) and requests for proposal (RFPs) require CMMC compliance. If your company is CMMC certified, it will have a competitive advantage over other businesses, and it has a better chance of landing DoD contracts, as well as retaining them.
Besides winning and keeping DoD contracts, your CMMC-certified company can:
- Lower the risk of data breaches
- Reduce the risk of insider threats
- Be compliant with other regulations, including FISMA, SOX, HIPAA, and NIST
If your company is not CMMC certified, it can be prohibited from participating, bidding, and winning a DoD contract.
What Are the CMMC Requirements?
The CMMC framework uses a tiered system to determine your company's maturity based on the complexity of your cybersecurity protocols and policies. The DoD will assign the level of certification your company needs, and it's your responsibility to meet the specific requirement of that level and the ones below it. Here is a list of the different CMMC levels, and their respective CMMC requirements.
Level 1: Basic Cyber Hygiene
For your company to be certified at this level, it must implement 17 NIST SP 800-171 controls. In addition, Level 1 certification requires your company to perform basic cybersecurity practices such as using updated antivirus software and ensuring your employees change their passwords regularly to safeguard FCI.
Level 2: Intermediate Cyber Hygiene
This level requires your company to document the cybersecurity processes used to safeguard sensitive data from cyberthreats. In addition to the 17 NIST SP 800-171 controls implemented for Level 1, you have to implement an additional 46 controls to be certified at this level.
Level 3: Good Cyber Hygiene
At Level 3, your company is required to implement the final 47 NIST SP 800-171 Rev. 1 controls in addition to the controls required for Levels 1 and 2. A Level 3 certification allows your company to generate and handle CUI.
Level 4: Proactive Cyber Hygiene
To achieve aLevel 4 certification, your company must have an effective and proactive cybersecurity policy. You're required to constantly upgrade your tactics, techniques, and procedures (TTP) against advanced persistent threats (APTs).
Level 5: Advanced and Progressive Cyber Hygiene
This is the highest level of the CMMC model, and companies that want to be Level 5 certified are required to have state-of-the-art cybersecurity protocols and processes in place to detect and counter APTs. In addition, 30 additional security controls need to be implemented for contractors to reach this level.
What Does the CMMC Audit Look Like?
The DoD has not yet completed the details of the CMMC audit process, but the following are worth noting:
- All contractors working for the DoD are required to be CMMC certified by passing a CMMC compliance audit. The CMMC Accreditation Body (AB) recommends that contractors should prepare for the audit at least six months in advance.
- The DoD will work with certified third-party assessor organizations (C3PAOs) that will be responsible for performing audits to ensure a contractor has met all the required cybersecurity controls needed for a specific level.
- A contractor will be level certified if the CMMC auditor sees it meets all the requirements specific to that level.
- The Defense Contract Management Agency (DCMA) and the Defense Counterintelligence and Security Agency (DCSA) may perform assessments in addition to C3PAOs.
Tips to Pass Your CMMC Audit
Unlike the Defense Federal Acquisition Regulation Supplement (DFARS) where self-certification is allowed, the CMMC model requires contractors to go through an assessment performed by a C3PAO. Here are some tips you can use to ensure you'll pass your CMMC compliance audit.
Preparing for a CMMC compliance audit is just like preparing for any type of exam — you need to get ready as soon as possible to ensure your systems are ready for the audit. Here's how you can do that:
If your organization has an IT staff and available resources, you can perform a self-assessment using the Self-Assessment Handbook - NIST Handbook 162. Take note that this handbook only covers NIST SP 800-171 Rev. 1 and is only good if you're looking to achieve Level 3 certification.
- Work With a CMMC Consultant
You also have the option to work with a CMMC consultant. A CMMC consultant will help you meet the controls stated in NIST SP 800-171 Rev. 1 and Rev. 2. Working with a consultant who understands the factors involved in becoming CMMC compliant will take most of the pressure off your shoulders.
Get a Gap Assessment
Getting a gap assessment is a good way of identifying weaknesses and gaps in your IT infrastructure. Charles IT's gap assessment will ensure that your business has the minimum security requirements in place to comply with CMMC standards. Want to pass your CMMC audit the first time? Start with a gap assessment: https://www.charlesit.com/gap-assessment/