If your organization is a part of the DIB supply chain, then chances are you’ve heard about the CMMC.
On January 31, 2020, the Department of Defense released version 1.0 of the CMMC. Then COVID-19 hit, and the rollout timeline is now in flux.
And I bet you, like thousands of others, have a lot of questions about what CMMC means for your business.
Below we answer your questions about CMMC, and how you can prepare for its arrival.
What does CMMC stand for?
Cybersecurity Maturity Model Certification.
What exactly is the CMMC?
The CMMC is the next stage in the Department of Defense’s (DoD) efforts to secure the Defense Industrial Base (DIB).
So, it’s a cybersecurity assessment model and certification program.
How does the CMMC differ from other programs?
In the past, the DoD would ask contractors for a System Security Plan (SSP) and a Plan of Action and Milestones (POA&M). These documents were the contractor's own record of how it met the requirements of DFARS 252.204-7012.
Such requests often came after contract award, and compliance was self-attested. That made it easy for companies to misrepresent their cybersecurity posture.
The CMMC is meant to change that. Under CMMC, contractors and subcontractors must demonstrate that they meet the security requirements before the award.
Here’s how it’ll work.
Before a contractor even submits a bid that carries a CMMC requirement, it must already hold the required CMMC certification.
To get there, most contractors will partner with a CMMC consultant. The consultant typically starts with a cybersecurity assessment to establish which security controls the contractor already has in place, then runs a gap analysis showing what remains to be done to reach the target CMMC level.
Once the organization has closed those gaps, it moves on to the CMMC assessment itself.
The assessor reviews the contractor's technical controls, documentation, and security policies, and checks that the practices and processes mandated for the target level are actually in place.
After the assessment, the contractor is certified at one of five levels (Level 1 through Level 5).
This level determines which bids the contractor can go after. The higher the level, the more contracts a company is eligible to bid on.
Once the contractor has a CMMC level certification, they can now apply for government bids.
For more on how to get certified, keep reading.
And a quick note, getting a CMMC certification is not a “click of a button” type of deal. It can take months to gain certification, especially if your security controls are poor.
Why did other programs not work?
The DFARS clause required contractors to implement the security requirements of NIST SP 800-171. But there was no independent check that a contractor actually met them; compliance was self-attested. In practice, NIST SP 800-171 functioned more like guidelines than enforceable rules.
As a result, some contractors gamed the system, claiming compliance when they were not compliant.
The CMMC is a response to the shortcomings of the DFARS approach.
Its goal is a clearer cybersecurity roadmap with defined maturity levels.
The main difference between CMMC and DFARS is the independent assessment layer. Under CMMC, a contractor must hold a certificate at the required level to bid on a defense contract that carries a CMMC requirement.
Who is CMMC for?
Eventually, all DIB contractors will need some level of CMMC certification. This will also include suppliers and firms at all levels of the DIB supply chain.
It's important to note that different participants in a single contract may need different levels. For instance, the subcontractors in a supply chain may only need Level 3 certification, while the prime contractor on the same contract needs Level 5.
Who Conducts the CMMC Audits/Evaluations?
The CMMC Accreditation Body (CMMC-AB) oversees the assessment ecosystem, but it does not assess companies itself.
Instead, the CMMC-AB accredits CMMC third-party assessment organizations (C3PAOs), which perform the assessments.
During an assessment, a C3PAO examines a company's security controls, policies, and processes and determines which CMMC level the company meets.
How do I get CMMC Certified?
Full details on the CMMC certification process are not available yet. So far, the DoD has provided only a basic outline.
What we do know is that the assessments will be conducted by C3PAOs accredited by the CMMC-AB. To be certified at a given level, a DIB company must pass a CMMC assessment at that level.
There are plans for the CMMC-AB to establish a marketplace of approved C3PAOs. Using the marketplace, contractors will be able to schedule a CMMC assessment.
The CMMC Levels
The CMMC framework relies on a maturity model. Within the model, there are 5 levels of cybersecurity standards.
Each level builds on the one before it. In other words, to achieve Level 2, you must also meet every Level 1 practice.
One thing that remains the same amongst each level is the overarching goal. That goal is to safeguard DoD and DIB data and information.
Now, let's break down the levels.
Level 1: Basic Cyber Hygiene
The first level is for organizations with basic cybersecurity safeguards in place. Its 17 practices correspond to the basic safeguarding requirements of FAR 52.204-21, such as limiting system access to authorized users, sanitizing media before disposal, and protecting against malicious code (for example, with antivirus software).
This level focuses on protecting Federal Contract Information (FCI).
FCI covers “information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government.”
Level 2: Intermediate Cyber Hygiene
This level introduces a second category of data, Controlled Unclassified Information (CUI). CUI is defined as information that "law, regulation, or government-wide policy requires to have safeguarding or dissemination controls." By definition CUI is unclassified; classified information is governed separately and is outside the scope of CMMC.
Level 2 is a transitional step toward protecting CUI. It draws on a subset of the NIST SP 800-171 r2 requirements plus a handful of additional practices, as a stepping stone to Level 3. If you're new to NIST SP 800-171, see our earlier blog post on it.
Under Level 2, the CMMC requires practices across the NIST SP 800-171 control families:
- Access Control
- Awareness and Training
- Audit and Accountability
- Configuration Management
- Identification and Authentication
- Incident Response
- Maintenance
- Media Protection
- Physical Protection
- Personnel Security
- Risk Assessment
- Security Assessment
- System and Communications Protection
- System and Information Integrity
Level 3: Good Cyber Hygiene
Level 3 builds on Level 2 and covers all 110 security requirements of NIST SP 800-171 r2, plus 20 additional practices. It is the level intended for protecting CUI; like Level 2, it does not cover classified information.
To be compliant at this level, you must meet every Level 2 practice. As noted above, the levels build on each other, and Level 3 adds further practices across the Level 2 domains.
For today's purposes, I will not go into those additional practices. If you want the technical details, the CMMC model is published by the Office of the Under Secretary of Defense for Acquisition & Sustainment (OUSD(A&S)).
This level also introduces a new domain, Situational Awareness:
It covers how an organization receives and responds to cyber threat intelligence from information-sharing forums and sources, and how it communicates that intelligence to stakeholders.
Level 4: Proactive
Level 4 is not the baseline for handling CUI; that is Level 3. Level 4 is for contractors whose CUI is a likely target of advanced persistent threats.
CMMC's Level 4 is all about being proactive. Contractors at this level must show the ability to measure, detect, and defeat threats. During a Level 4 assessment, assessors will look at the contractor's historical threat data and how it responded to the attacks.
Assessors will also look at the contractor's ability to respond to advanced persistent threats (APTs).
An APT is an adversary with a high level of expertise and significant resources, able to pursue its objectives over an extended period using multiple attack vectors.
APTs are a serious threat to the government, and it's critical that the DIB supply chain can withstand these attacks.
Level 5: Advanced/Progressive
Level 5 is the final and most advanced level of the CMMC. Organizations at this level have standardized, optimized cybersecurity processes across the whole organization.
It adds further practices beyond Level 4, largely concerned with an organization's ability to keep pace with a changing threat landscape through auditing and management processes.
Like Level 4, this level focuses on protecting CUI from APTs.
At the moment, this level may be difficult for smaller firms to achieve, largely because they lack the staff needed to continuously hunt for new threats.
How to Achieve a CMMC Compliance Level
Some organizations may be able to achieve CMMC compliance with an in-house team. Others will need to outsource this process. Those who have to outsource will most likely be small businesses and non-profits.
Here at MRW Systems, we are experts in small business IT and cybersecurity. With that in mind, I want to take the time to go over a couple of CMMC recommendations I have for small business owners.
First, it's important not to presume you are compliant just because your IT managed service provider said so.
To know whether you are truly compliant, your organization needs to conduct a risk assessment and a gap analysis. These form the basis for working toward your desired CMMC level.
To do a proper assessment and pass a CMMC assessment, you should work with CMMC compliance experts.
And that’s where MRW Systems’ cybersecurity team, NetGarde, comes in.
The NetGarde team will help you meet your CMMC compliance requirements with confidence. With us, it’s not just about passing compliance audits, but also knowing you have optimized defenses against threats.
Not only that, but we are certified CMMC experts, so we know exactly how to get your security from Level 1 up to Level 5.
What’s the timeline for implementing changes?
The DoD plans to roll out CMMC through several milestones over the next several years. The DoD and CMMC-AB have met their self-imposed deadlines so far.
But due to COVID-19, some timelines have been pushed back. Here's what has happened so far, and what is currently coming down the pipeline:
January 2020: The first full version of the CMMC.
June 2020: Contractors will start seeing CMMC requirements as part of the requests for information (RFI) process.
September 2020: Contractors will start to see CMMC requirements as part of the request for proposals (RFP) process.
October 2020 and beyond: DoD contractors bidding on contracts that carry a CMMC requirement will need a certification based on an assessment by an accredited C3PAO. The DoD has said CMMC requirements will be phased into contracts over several years rather than all at once.
With that in mind, DIB organizations should continue to work towards achieving their CMMC compliance requirements.
Don’t cross your fingers and hope your business is CMMC compliant.
Compliance work is a full-time job. The CMMC is a demanding framework, so please don't try to do this alone.
I recommend if you don’t have an in-house cybersecurity team that you partner with a CMMC security expert. Compliance is tricky but well worth it.
At MRW Systems, we’re helping organizations work toward compliance, and our approach to the CMMC is no different. We’ll help you pass your CMMC audits. But on top of that, we’ll identify any weakness in your IT environment, and help you move forward.