If you’re on this blog post, it’s likely you’re looking for resources related to the new Cybersecurity Maturity Model Certification (CMMC) which has been in full effect for all DoD contractors and subcontractors since late 2020. It’s very important to start looking into the CMMC and how to successfully pass an audit, now more than ever, as those who do not adapt quickly to these rules risk suspension of their contracts or an outright ban from the contract bidding process.
The CMMC is a set of regulatory standards against which DoD contractors will be evaluated to determine the maturity of their cybersecurity processes and their capability to handle sensitive information lawfully.
Organizations that deal with the DoD inevitably generate Controlled Unclassified Information (CUI) through contract dealings or details stored in their systems -- unless they solely produce commercial off-the-shelf (COTS) products. Both subcontractors and prime contractors are obliged to adhere to the regulations.
The CMMC builds on existing Defense Federal Acquisition Regulation Supplement (DFARS) regulations. It is a set of standards which aims to highlight essential controls and processes that organizations must implement to maintain a minimum level of cybersecurity hygiene. Instead of a self-assessment, however, organizations are now required to go through audits from accredited CMMC third-party assessment organizations (C3PAOs).
The cybersecurity maturity model involves five levels. Each level is comprised of a group of cybersecurity capability requirements, and to achieve a specific certification level, an organization needs to certify in all levels preceding it first. The CMMC levels are described in detail in this article. See below for a brief description of each level:
Level 1: Basic Cyber Hygiene - Processes are performed and practices are basic. This is the minimum certification level required to deal with federal agencies.
Level 2: Intermediate Cyber Hygiene - Processes are documented and practices are at an intermediate level with a selection of 48 controls from the NIST 800-171 regulations.
Level 3: Good Cyber Hygiene - Processes are managed, and there are good cyber hygiene practices, with complete DFARS compliance expected. Level 3 is the minimum level required to handle CUI, and thus, the minimum level required to contract with the DoD.
Level 4: Proactive Cyber Hygiene - Cybersecurity processes are reviewed and cybersecurity controls from the new NIST SP 800-171B are implemented in addition to DFARS controls.
Level 5: Advanced and Progressive Cyber Hygiene - Cybersecurity processes are continually optimized and all documentation is standardized across the organization. In practice, this is where an organization demonstrates to the DoD that it can both protect CUI and defend against rival-state advanced persistent threats (APTs), indicating that it has advanced cybersecurity maturity.
The CMMC covers 17 security domains, ranging from access control to incident response. Managed security solutions from a reputable DFARS compliance expert like Charles IT typically cover the major domains required by the CMMC.
The process to get the CMMC certification involves passing a third-party audit. However, it’s more nuanced than a simple test.
C3PAOs will be training and certifying CMMC auditors. Once the CMMC auditors are certified by the C3PAOs, they will be able to start doing assessments. Contractors need to schedule an audit of their cybersecurity processes with a certified auditor.
Once the audit is passed, the DoD is informed of the CMMC certification level an organization acquires and takes that into consideration during the contract bidding process.
In order to increase your chances of passing your CMMC audit, you should first identify the certification level you need to acquire. It is important to fully understand the CMMC compliance level you're aiming for (and all the levels preceding it) so that you can assess where your organization's cybersecurity maturity stands in comparison to the requirements of the level you desire. It's generally good practice to strengthen your DFARS compliance, as full compliance with DFARS regulations takes contractors 85% of the way to CMMC Level 3 certification.
A gap assessment is another important step to successfully achieving CMMC compliance. With a gap assessment, you will be able to identify the controls and processes that your organization needs to improve on in order to pass a CMMC certification.
Once you’ve identified the gaps, you need to implement the necessary cybersecurity solutions to fill in those gaps and appoint somebody internally as a lead person on CMMC compliance. If you lack the internal resources or capabilities to appoint such a person, working with a managed services provider to bolster your resources would be beneficial.
Want to pass your CMMC audit the first time? Start with a gap assessment.
NOTE: In 2024, everyone will be required to move from CMMC to CMMC 2.0. Ensure you are prepared with our CMMC 2.0 Guide and let us know if we can help talk you through anything!
Editor's Note: This blog was originally published on August 14th, 2020. It was updated on June 30th, 2023 for accuracy.