Organizations that work with the Department of Defense (DoD) must now comply with the Cybersecurity Maturity Model Certification (CMMC) framework. This newly developed framework consists of maturity processes and cybersecurity best practices from multiple cybersecurity standards, frameworks, and other references, as well as inputs from the Defense Industrial Base (DIB) and Department of Defense (DoD) stakeholders. In this article, we'll explain CMMC and how you can efficiently comply with the new rules.
The Department of Defense (DoD) works with companies in the private sector supporting DoD operations via a complex supply chain. DoD figures show that 300,000 companies supply services within this Defense Industrial Base (DIB). These companies contribute towards the research, engineering, development, acquisition, production, delivery, sustainment, and operations of DoD systems, networks, installations, capabilities, and services.
Theft of intellectual property and sensitive information from industrial sectors within the United States has long been recognized as a serious national security issue. The Council of Economic Advisors estimates that malicious cyber activity cost the U.S. economy between $57 billion and $109 billion in 2016. This figure has likely increased in the intervening years. The DIB sector has been a prime target for malicious cyber actors. Intellectual property and sensitive data thefts from DoD contractors and suppliers likely make up a large part of the overall loss to the U.S. economy.
To counter this, the DoD is implementing multiple security and resilience policies within the DIB sector. In partnership with the DIB supply chain, the goal is to enhance the protection of two types of unclassified information:
- Federal Contract Information (FCI) - information provided by, or generated for, the Government under contract and not intended for public release.
- Controlled Unclassified Information (CUI) - information that requires safeguarding or dissemination controls pursuant to and consistent with laws, regulations, and government-wide policies, excluding information classified under some Executive orders or any other information classified under other rules.
To drive adoption of the best practices required to protect these two categories of unclassified information in the DIB supply chain, a framework and certification called Cybersecurity Maturity Model Certification (CMMC) has been created. All companies wishing to supply services to the DoD will need to implement and pass an external CMMC assessment. Authorized and accredited CMMC Third Party Assessment Organizations (C3PAOs) will conduct assessments and issue CMMC certificates to Defense Industrial Base (DIB) companies at the appropriate level.
There are five levels of maturity within CMMC:
- Level 1 – Safeguard Federal Contract Information (FCI)
- Level 2 – Serve as transition step in cybersecurity maturity progression to protect CUI
- Level 3 – Protect Controlled Unclassified Information (CUI)
- Levels 4-5 – Protect CUI and reduce risk of Advanced Persistent Threats (APTs)
The DoD will specify the required level of certification in Requests for Information (RFIs) and Requests for Proposals (RFPs) supplied to contractors. Most organizations will be seeking to certify at either Level 1 or Level 3 to satisfy those requirements. Over the next few years, as the framework matures and is adopted, every business that wants to bid for and supply services within the DIB ecosystem will need to be CMMC certified at the appropriate level for the services they offer. These certifications are expected to remain valid for three (3) years prior to requiring reassessment.
Critical Insight CMMC Assessment Services
If you want to retain your DoD supply chain contracts, or if you're going to enter the DIB sector, then CMMC certification will be a prerequisite. The tasks required under the framework (see overview below) are the sort of cybersecurity, infosec, and information governance best practices that should already be implemented by all organizations. But the impending imposition of CMMC certification is a perfect opportunity to review procedures, and the framework provides a robust checklist that businesses can use to drive rapid maturity in this area.
Critical Insight's team of cybersecurity experts can help any organization assess their current state of readiness, advising on any gaps that need addressing, and confirm when you are ready to schedule your CMMC assessment as well as at the what level your organization should seek to become certified. Once certification is achieved, Critical Insight can assist with development and implementation of a plan to ensure continuous improvement and adherence to the framework to retain certification.
To become certified, organizations will select one of the Authorized or Accredited C3PAOs from the CMMC-AB Marketplace. If you choose to conduct a readiness assessment prior to pursuing certification, the organization performing the readiness assessment cannot be the same as the C3PAO that performs the certification assessment. While the steps required to obtain a CMMC certificate will also bolster general cybersecurity awareness and protections, performing a readiness assessment can be a more cost-effective way to ensure success and determine when and if your organization is ready to schedule your formal certification assessment with an Authorized or Accredited C3PAO.
Contact us today to discuss your CMMC readiness assessment goals. Read on for a high-level overview of the CMMC model.
How CMMC Will Work
CMMC is managed, and certifications conferred by an independent Cybersecurity Maturity Model Certification Accreditation Body (CMMC-AB). Their website is here, and it describes their role as:
The CMMC-AB establishes and oversees a qualified, trained, and high-fidelity community of assessors that can deliver consistent and informative assessments to participating organizations against a defined set of controls/best practices within the Cybersecurity Maturity Model Certification (CMMC) Program.
As that indicates, CMMC assessors, known as Authorized or Accredited C3PAO, will be independent third parties who are authorized by CMMC-AB. Full details of the process are available on their website.
CMMC Levels & Practices
The five levels within CMMC and what controls need to be satisfied to achieve certification at each level are fully outlined on the CMMC website, and in these two PDF downloads:
- Cybersecurity Maturity Model Certification (CMMC) - V1.02 - March 18, 2020
- CMMC Appendices - V1.02 - March 18, 2020
The levels have various measurements of cybersecurity maturity. Within each level, there are a set of processes and practices. The diagram below (taken from the CMMC PDFs linked above) outlines the model levels schematically.
The levels, and what is required to achieve certification, are cumulative. For example, to achieve level 3 certification, the items needed for Levels 1 & 2 must be in place and verified by an Authorized or Accredited C3PAO. Both sides shown in the diagram must be in place and verified to achieve certification: Processes and Practices.
The type and sensitivity of the information that is protected increases as the levels increase. This has two benefits. First, it allows businesses to get certified at the level that suits them, based on the DIB contracts they have and the information they handle. Secondly, it provides a framework for companies to drive their cybersecurity maturity over time by implementing what is needed to step up through the levels.
There are 171 practices that are defined by the CMMC model. The number of practices that need to be implemented increases up through the levels. With all 171 required at the highest level. Each practice is detailed in the CMMC documentation, and the majority of the practices (110 of 171, or roughly 64%) originate from the safeguarding requirements and security requirements specified in the FAR Clause 52.204-21  and the DFARS Clause 252.204-7012 , respectively.
- Level 1 – equivalent to all the safeguarding requirements form the FAR Clause 52.204-21
- Level 3 – building on Levels 1 and 2, includes all the security requirements in NIST SP 800-171 plus other practices
CMMC Domains & Capabilities
The CMMC model uses 17 domains to group the 171 practices across the different levels. These domains are taken from various existing cybersecurity standards and best practices. The diagram below shows each of the domains under which controls, and practices are grouped.
 U.S. Executive Office of the President, Council of Economic Advisers (CEA). The Cost of Malicious Cyber Activity to the U.S. Economy - https://trumpwhitehouse.archives.gov/wp-content/uploads/2018/02/The-Cost-of-Malicious-Cyber-Activity-to-the-U.S.-Economy.pdf