What is the Cybersecurity Maturity Model Certification (CMMC)?
According to the U.S. Department of Defense (DoD), the “CMMC is a unified cybersecurity standard for future DoD acquisitions.” In essence, the CMMC will serve as a tiered certification scheme to help the DoD assess cybersecurity readiness when seeking suppliers and subcontractors.
Why has the CMMC been introduced?
The CMMC was developed to step up measures for protecting the U.S. defense supply chain. Its objective is to standardize cybersecurity controls and to ensure that effective measures are in place to protect controlled unclassified information (CUI) on contractor systems and networks.
Version 1 of the CMMC was released on January 31, 2020.
Why do we need the CMMC if we already have DFARS?
In 2015, the DoD published the Defense Federal Acquisition Regulation Supplement, known as DFARS, which requires private DoD contractors to adopt cybersecurity controls in line with the NIST SP 800-171 framework.
The CMMC scheme was introduced in response to the slow adoption rate of DFARS, false compliance claims, and wide-ranging non-compliance among contractors.
How does the CMMC differ from NIST SP 800-171?
The CMMC provides a model framework to help organizations establish processes and procedures that comply with national security requirements. There are 171 practices split across five process maturity levels. For more information on the levels of certification, see below.
Level 3 – “Good Cyber Hygiene” – encompasses all practices from NIST SP 800-171 r1.
The international information security standard ISO 27001 (together with the control guidance in ISO 27002) can bring you at least 90% of the way to satisfying CMMC Level 3 certification.
This level corresponds to a “managed” level of process maturity, where adequate resources are available and adherence to policy is reviewed regularly. ISO 27001 is already a certifiable standard, so organizations that have achieved ISO 27001 certification will be well placed to comply with the first three levels of the CMMC.
What levels of certification are there for the CMMC?
- Level 1 – Basic Cyber Hygiene – the requirements specified in Federal Acquisition Regulation (FAR) 48 CFR 52.204-21
- Level 2 – Intermediate Cyber Hygiene – a transition step focused on process maturity
- Level 3 – Good Cyber Hygiene – effective implementation of NIST SP 800-171 (R1) plus 20 other practices
- Level 4 – Proactive Cyber Hygiene – includes a select subset of 11 practices from Draft NIST SP 800-171B
- Level 5 – Advanced / Optimizing – includes a select subset of 4 practices from Draft NIST SP 800-171B plus 11 additional practices
What are the CMMC ‘processes’?
“For a given domain there are processes that span a subset of the 5 levels.” It is perhaps best to think of these as levels of process maturity – that is, how well the organization can execute the established standards set out in its policies.
- Processes are merely performed
- Establish and document standard procedures
- Adequate resources
- Review adherence to policy
- Review and document activities for effectiveness and inform high-level management of any issues
- Ensure that process implementation has been standardized across the organization
Which contractors and sub-contractors are required to comply with the CMMC?
The CMMC will impact all DoD contractors and their suppliers – a new, formal certification is required for companies contracting with the DoD.
Although DoD contractors have been required to comply with NIST 800-171 since January 1, 2018, new requirements will apply to companies processing ‘federal contract information’ (FCI) and controlled unclassified information (CUI).
- Level 1 applies to basic safeguarding of FCI
- Level 2 is a transition step to protect CUI
- Level 3 is about protecting CUI
- Levels 4 - 5 are about protecting CUI and reducing the risk of advanced persistent threats (APTs)
How do you prepare for a CMMC audit?
The first step is to identify the type of government data that your entity handles, either directly or through a business partner. Depending on whether, and on which, systems process FCI and CUI, different levels of compliance may be needed.
From there, a gap analysis can be conducted against an existing cybersecurity standard, such as ISO 27001 or NIST SP 800-171. Remediation planning can then take place to close any gaps in the practices required at the target level or in process maturity.
What is the CMMC accreditation body?
“The CMMC-AB establishes and oversees” the management of CMMC certification and standards. Accreditation applies to certified third-party assessment organizations (C3PAOs) – “a qualified, trained, and high-fidelity community of assessors that can deliver consistent and informative assessments to participating organizations against a defined set of controls/best practices within the Cybersecurity Maturity Model Certification (CMMC) Program.”
The Office of the Under Secretary of Defense for Acquisition & Sustainment maintains a CMMC FAQ, which provides updates on the certification process.