It’s estimated that 25 percent of breaches are motivated by espionage—not financial gains. This statistic is especially worrisome for the network of more than 300,000 businesses, organizations, and other entities that make up the Defense Industrial Base (DIB).
The members of the DIB often handle sensitive information that must be protected from cybercriminals and state-sponsored actors, but they rarely have the resources to build capabilities for effective cybersecurity from the ground up.
To improve the cybersecurity posture of the DIB, the federal government developed the Cybersecurity Maturity Model Certification (CMMC) and released its first version on January 31, 2020. In this article, we explain what CMMC is, who it impacts, and what it involves.
What Is CMMC and Who Must Comply with It?
The Cybersecurity Maturity Model Certification, or CMMC for short, is a new requirement for Department of Defense (DoD) contractors and subcontractors. It brings together a number of older cybersecurity requirements, including NIST SP 800-171, NIST SP 800-53, ISO 27001, ISO 27032, and AIA NAS9933, to better protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
The biggest difference between the CMMC and the earlier cybersecurity requirements is the introduction of a maturity model that defines 17 domains of technical capability and five levels of certification. Unlike before, DoD contractors will be audited by third-party assessors and assigned a level that best represents their cybersecurity posture.
The first full version of the CMMC has been published on the website of the Office of the Under Secretary of Defense for Acquisition & Sustainment since January 2020, and all DoD contractors should expect to see CMMC requirements as part of the requests for proposals (RFP) process from September 2020. Once October arrives, DoD contractors will be required to get certified by an accredited assessor to bid on contracts.
Only contractors that provide commercial-off-the-shelf products and don’t handle any CUI won’t be required to achieve one of the five levels of certification, as stated on the updated CMMC FAQ page.
What Does It Involve?
To improve the cybersecurity posture of the DIB, the CMMC defines 17 domains of technical capability, most of which originate from Federal Information Processing Standard Publication 200 and NIST SP 800-171:
| CMMC domain | CMMC domain | CMMC domain |
|---|---|---|
| Access Control (AC) | Incident Response (IR) | Risk Management (RM) |
| Asset Management (AM) | Maintenance (MA) | Security Assessment (CA) |
| Audit and Accountability (AU) | Media Protection (MP) | Situational Awareness (SA) |
| Awareness and Training (AT) | Personnel Security (PS) | System and Communications Protection (SC) |
| Configuration Management (CM) | Physical Protection (PE) | System and Information Integrity (SI) |
| Identification and Authentication (IA) | Recovery (RE) | |
Each of these 17 domains consists of various capabilities, which are further broken down into practices and processes. Across the 17 domains, there are 171 practices and processes, and they fall into five levels of certification:
- Level 1 (17 NIST 800-171 requirements): At the first level, the focus is to put in place basic cybersecurity practices in order to protect Federal Contract Information (FCI), or information that is not intended for public release and is provided by or generated for the government under a contract to develop or deliver a product or service to the government. Such practices include the use of antimalware protection and cybersecurity awareness training. All organizations that have been awarded DoD contracts in the past shouldn’t have any problem achieving compliance with this level.
- Level 2 (72 practices): The second level of the CMMC revolves around the protection of CUI, which is defined as any information that law, regulation, or government-wide policy requires to have safeguarding or disseminating controls. Any organization that meets the security requirements of NIST SP 800-171 should be able to earn a Level 2 certification.
- Level 3 (130 practices): In addition to all security requirements specified in NIST SP 800-171, this level of the CMMC includes practices from other standards and references to ensure that all organizations who achieve it have good cyber hygiene that allows them to protect and sustain important assets and CUI.
- Level 4 (156 practices): This level shifts focus from passive security measures to proactive activities that address changing tactics, techniques, and procedures (TTPs) used by advanced persistent threats (APTs).
- Level 5 (171 practices): To achieve the final CMMC level, an organization must have an advanced cybersecurity program and the ability to respond to newly emerging threats through auditing and managerial processes. This level is not intended for smaller organizations because it requires a substantial amount of human resources.
CMMC certifications are awarded by CMMC Third Party Assessment Organizations (C3PAO), which are appointed by the CMMC Accreditation Board. DoD contractors should embark on their certification journey right away by conducting an initial cybersecurity self-assessment to determine what needs to be done to achieve the desired level of certification.
To get started with making your organization CMMC compliant, contact OSIbeyond.