Contractors working with the Department of Defense are quickly responding to the Cybersecurity Maturity model Certification (CMMC) roll out. This security framework is a way for the DoD to determine, through the help of third-party auditors and well-established regulations and guidelines, the capabilities organizations possess to handle sensitive data like Federal Contract Information (FC) and Controlled Unclassified Information (CUI).
Recently, our Governance, Risk and Compliance Practice Lead Tony Buenger gave a talk at the California Polytechnic Institute regarding the foundations of CMMC and the path towards certification. Based on his feedback, we have also decided to provide a refreshed overview of CMMC and how organizations like yours can approach certification.
Security Based on Maturity
CMMC ranks certification based on levels, from Level 1 to Level 5, with each increasing level demonstrating higher cybersecurity maturity levels. In this context, "maturity" is based on several factors--in this case, primarily on factors of "cyber hygiene" and the capabilities that you can implement based on security controls and practices outlined in documents like NIST 800-171, 48 CFR 52.204-21 and DFARS 252.204-7012.
Broadly mapped out, the security levels rank as follows:
- Maturity Level 1: At this level, your organization demonstrates a "basic" cyber hygiene, which means you've implemented the basic requirements called for by the CMMC and related standards. Additionally, you have shown that you can implement these measures when needed or ad hoc. This is the minimum level required to handle FCI.
- Maturity Level 2: Level 2 calls for an "Intermediate" cyber hygiene as defined in NIST SP 800-171 and the ability to perform specific security tasks and document practices and policies around those tasks. This level is considered a bridge between levels 1 and 3.
- Maturity Level 3: This level is the bare minimum required for contractors in the DoD supply chain to handle CUI. Here, your organization should demonstrate "Good" cyber hygiene with the ability to manage and resource cybersecurity and risk assessment implementation policies, including any training, planning and sourcing.
- Maturity Level 4: Beyond Level 3, CMMC expects a forward-looking organization. Here, the CMMC-AB wants organizations with "Proactive" hygiene and the ability to review and measure security policy and procedures while taking corrective action when necessary.
This level includes additional requirements from NIST 800-171B regarding the detection of Advanced Persistent Threats (APTs).
- Maturity Level 5: THe highest CMMC maturity level, organizations here must demonstrate "Advanced" cyber hygiene that includes the ability to optimize existing and future controls after review. Finally, these organizations must be able to detect and resist advanced APT threats to CUI.
CMMC Compliance and Third-Party Audits
Part of CMMC certification is the auditing process. While many security firms pursue provisional or ongoing authorization to provide consulting and auditing services, the hard and fast rule is that any contractor seeking certification must undergo an audit from an authorized, Certified Third-Party Assessment Organization (C3PAO).
According to Buenger, one of the more important tasks your organization can undertake (outside of self-assessment of existing security infrastructure and posture) is selecting a C3PAO. This partner is a necessary part of the certification process and a partner and support system for proper implementation of CMMC requirements and adapting to emerging threats and changes to the CMMC standard.
This is even more important in our modern cybersecurity landscape. Modern APTs are challenging even the best cybersecurity experts in the country, and they show no sign of slowing down. The President's Executive Order on strengthening cybersecurity across federal and defense agencies adds impetus for contractors to meet or exceed compliance requirements sooner rather than later.
Finally, you must understand that if you want to handle CUI in any capacity, you will have to meet CMMC Level 3. Per CMMC guidelines, over 100 individual security controls cover categories such as Access Control, Incident Response, Security Assessment, Media Protection, and Identity and Authentication. That means implementing or executing policies around technologies like:
- Multi-Factor Authentication
- Configuration, Updating, Upgrading and Patching Systems
- Penetration Testing and Vulnerability Scanning
- Dedicated Network Security
- Operations Security Measures (Firewall, antimalware, etc.)
- Media Storage, Deletion and Destruction Policies
- Risk Assessment and Management Policies
- Data Governance Policies
- Physical Security Systems and Policies
SecureStrux: Managed Security and Engineering Services
On your road to CMMC certification, you'll need a partner that can provide expert and continual support. We provide CMMC consulting and preparation services to help you grasp the steps you need to take to reach that goal. More importantly, we provide critical services like system and security engineering, continuous monitoring, testing and validation and on-site and virtual training for our partners.
Ready to begin your CMMC journey? Contact us using the form below.