Over 300,000 Department of Defense (DoD) companies and subcontractors in the US are essential to military operations, making the Defense Industrial Base (DIB) not only a frequent but a valuable target to malicious cyberattacks. A potential breach to any company within this sector can weaken the U.S defense and become a matter of national security. In an attempt to increase the security and resilience of the DIB, the U.S Department of Defense launched Version 1.0 of the Cybersecurity Maturity Model Certification (CMMC) in January 2020. Taking into consideration recognized industry frameworks, the CMMC represents a unified cybersecurity standard. Compliance with this standard is now a requirement for all contractors hoping to work with the DoD. With the department of defense announcing contracts worth $7 million each working day, it is a good choice to get CMMC certified now.
What is the CMMC Certification?
Through the CMMC, the DoD assesses the cybersecurity environment of its contracted companies. The certification verifies that every prospective contractor has adequate cybersecurity controls and policies that meet the military’s standards. Before the issuance of the CMMC, companies were able to certify their compliance under the applicable Defense Federal Acquisition Regulations (DFARS), which relies on NIST requirements instead of obtaining third-party validation. Companies and contractors working with DIB were explicitly required to provide evidence that they were following best security practices which allowed companies with security gaps to bid for DoD contracts making the latter vulnerable. This inevitably led to breaches, disruptions, and other IP theft in the defense supply chain.
Through the CMMC, the DoD expects to:
- Ensure contractors can defend against current and future cyber risks
- Verify that contractors have strong controls to protect the controlled unclassified information (CUI) that resides in the DIB’s network and systems
- Provide assurance by requiring an independent third-party validation
- Establish levels of compliance that align with the different levels of risk
- Encourage improved security at a manageable cost to the federal government
CMMC Certification Levels
Built upon existing frameworks and standards, the CMMC incorporates selecting security protocols from NIST, ISO, DFARS, and FedRAMP, creating a single cohesive maturity model. The CMMC also pulls from the Federal Acquisition Regulations System, which details basic security controls for protecting CUI that all organizations must follow under the CMMC. These practices and processes are organized into five cumulative maturity levels ranging from basic cyber hygiene to advanced security operations.
Level 1 – Basic Cyber Hygeine
Level 1 practices are foundational and required for all higher CMMC levels. This level is centered around safeguarding Federal Contract Information (FCI), which is government information not intended for public release and corresponds to the requirements specified in 48 CFR 52.24-21 and NIST SP 800-171, which details 17 basic cyber hygiene practices to protect FCI.
Level 2 – Intermediate Cyber Hygeine
Level 2 creates a maturity-based progression for organizations to transition from Level 1 to 3. At Level 2, an organization is expected to establish and document practices and policies for CMMC compliance. This level includes 55 additional cyber hygiene practices from NIST SP 800-171 and others and references the protection of CUI.
Level 3 – Good Cyber Hygeine
Level 3 – Good Cyber Hygeine A Level 3 certification indicates a basic ability to protect CUI and effective implementation of the security requirements of NIST SP 800-171. At this level, organizations are expected to adequately maintain activities and review policies and processes, demonstrating a plan to manage specific activities. This level requires an additional 58 cyber hygiene practices from NIST SP 800-171 and others for a total of 130.
Level 4 – Proactive
Level 4 requires enhanced cybersecurity practices to defend CUI from advanced persistent threats (APTs) or malicious long-term attacks to mine sensitive information. At Level 4, organizations are expected to review and document activities for effectiveness and inform upper management of any issues. This level adds another 26 cyber hygiene practices from Draft NIST SP 800-171B plus others, for a total of 156 hygiene practices.
Level 5 – Advanced or Progressive
Level 5 centers on the protection of CUI from APTs through the sophisticated ability to optimize cybersecurity capabilities. Organizations at this level are expected to improve and standardize process implementation across the enterprise. This level includes 15 more practices beyond the first four levels from Draft NIST SP 800-171B and others, bringing the number of cyber hygiene practices to 171.
The five CMMC levels are designed to reflect the maturity and reliability of an organization’s cybersecurity infrastructure and controls. It demonstrates their ability to safeguard sensitive information. The five levels are cumulative, which means to comply with a higher level will entail meeting all of the previous lower-level requirements. DoD contracts with a higher vulnerability quotient will require contractors to meet higher-level security standards requiring highler certification levels. The specific nature of contracts and their corresponding certification level, however, is not yet known.
How to Get CMMC Certified
Since companies are allowed to self-certify under the CMMC, they must be audited by a certified third-party assessment organization (C3PAO) or a credited individual assessor to achieve compliance.
Companies seeking a CMMC Certificate will first need to identify the desired maturity level to be audited for compliance. Companies will then need to find an available C3PAO to schedule the assessment with the certified independent assessor. When performing the assessment, the independent assessor will evaluate security gaps and weaknesses and determine if the company’s environment meets the CMMC requirements necessary for that specific level. Companies will have up to 90 days to resolve any issues and close any gaps with the C3PAO.
If a company achieves compliance at any level, a CMMC certification notice will be public knowledge. However, specific findings will be kept private, and certification failures will not be made public.
The certification cost is said to be an allowable, reimbursable cost and will be valid for three years. The DoD is aiming to have 1,500 CMMC certified contractors by 2021 and 48,000 by 2025.
The CMMC expects to roll out contracts through 2025 gradually; the timelines are as under:
- January 2020: DoD introduces Version 1.0 of the CMMC
- June 2020:The CMMC-AB released program requirements and opens registration for C3PAOs and third-party assessors
- July 2020: DoD to create and publish a CMMC training
- Summer 2020: DoD to undergo rulemaking to implement the CMMC into the DFARS regulation
- September 2020: DoD to incorporate CMMC requirements in Requests for Proposals (RFPs)
- FY 2021 – 2026: Implementation of the CMMC through a phased rollout
- FY 2026: CMMC certification a requirement for all companies doing business with the DoD
If you wish to work on any DoD contracts, you should begin your journey to becoming CMMC certified now.
Preparing for a CMMC Certification
Even though full implementation of CMMC will take approximately five years, companies should not wait to start on the certification efforts now. Writing policies, deploying solutions, and instituting the necessary changes will take considerable time. Depending on your current environment and level of cyber hygiene, your company should plan for at least six months to achieve compliance. With the DoD planning to roll out proposals requiring CMMC compliance by the end of the year, there is no time to delay certification preparations.
To get started on compliance efforts for the CMMC, your company should:
- Determine which CMMC level your company hopes to obtain, and start reviewing the cyber hygiene requirements that will be necessary for compliance
- Start drafting a budget for CMMC compliance to include costs for enhancing security requirements, updating policies, leveraging applications, contracting a third-party assessor, and any additional measures
- Configure your existing security environment to align to NIST 800-171 requirements; contractors that have implemented all controls should be able to successfully achieve CMMC Level 3
- Build a Plan of Action & Milestones (POA&M) to ensure continual compliance with NIST 800-171 and existing contracts and establish timelines and resource requirements
- While you cannot earn CMMC compliance until C3PAOs and independent assessors are certified, you can begin planning for an initial readiness assessment with a professional cybersecurity consulting firm, like CSG Teschnologies
- Stay up to date on the latest developments of the CMMC by regularly visiting the DoD’s website for updates
By partnering with us, your IT team will receive oversight of an expert security team to help you navigate the cybersecurity landscape providing you with guidance and solutions each step of the way to ensure you are prepared for C3PAOs audit. Call us now.