What is CMMC (Cybersecurity Maturity Model Certification)?
The Cybersecurity Maturity Model Certification (CMMC) is the Department of Defense's (DoD) newest verification system designed to ensure that cybersecurity practices are adequately protecting Controlled Unclassified Information (CUI) that resides on the Defense Industrial Base (DIB) systems and networks. As early as end of 2020, some new DoD contracts will be required to get CMM Certified to the level required as stated in the RFP.
The CMMC Framework
The CMMC Framework will include five cumulative certification levels.
As of the 1.0 release, here is a Level by Level breakdown of the requirements going beyond or outside NIST 800-171B.
Level 1 – Basic Cyber Hygiene:
Includes basic cybersecurity appropriate for organizations utilizing a subset of universally accepted standard practices, at least in an ad hoc manner. This level has 17 security practices that must be successfully implemented.
The Level 1 practices establish a foundation for the higher levels of the model and must be completed by all certified organizations. Every domain within CMMC has Level 1 practices. At both this level and Level 2, organizations may be provided with Federal Contract Information (FCI). FCI is information not intended for public release. FCI is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government. FCI does not include information provided by the Government to the public. While practices are expected to be performed, process maturity is not addressed at CMMC Level 1, and therefore, a CMMC Level 1 organization may have limited or inconsistent cybersecurity maturity processes.
Level 2 – Intermediate Cyber Hygiene:
At CMMC Level 2, an organization is expected to establish and document standard operating procedures, policies, and strategic plans to guide the implementation of its cybersecurity program. Practices at this level would be documented, and access to CUI data will require multi-factor authentication. This level includes an additional 55 security practices beyond that of Level 1.
Level 2 serves as a progression from Level 1 to Level 3. This more advanced set of practices gives the organization greater ability to both protect and sustain their assets against cyber threats as compared to Level 1. CMMC Level 2 also introduces the process maturity dimension of the model.
Level 3 – Good Cyber Hygiene:
An organization assessed at CMMC Level 3 will have demonstrated good cyber hygiene and effective implementation of controls that meet the security requirements of NIST SP 800-171 Rev 1. Organizations that require access to CUI and/or generate CUI should achieve CMMC Level 3. CMMC Level 3 includes an additional 58 practices and indicates a basic ability to protect and sustain an organization's assets and CUI; however, at CMMC Level 3, organizations will have challenges defending against advanced persistent threats (APTs). Note that organizations subject to DFARS clause 252.204-7012 will have to meet additional requirements such as incident reporting. For process maturity, a CMMC Level 3 organization is expected to adequately resource activities and review adherence to policy and procedures, demonstrating management of practice implementation
Level 4 – Proactive:
At this level, an organization has advanced and sophisticated cybersecurity practices. The processes at this level are periodically reviewed, adequately resourced, and are improved regularly across the enterprise. The organization has the capability to adapt their protection and sustainment activities to address the changing tactics, techniques, and procedures (TTPs) in use by APTs. In addition, the defensive responses operate at machine speed, and there is a comprehensive knowledge of all cyber assets. This level has an additional 26 practices beyond the first three Levels.
Level 5 – Advanced / Progressive:
Here, an organization has an advanced or progressive cybersecurity program with a demonstrated ability to optimize their cybersecurity capabilities in an effort to repel APTs. For process maturity, a CMMC Level 5 organization is expected to ensure that process implementation has been standardized across the organization.
These are highly advanced cybersecurity practices. The processes involved at this level include continuous improvement across the enterprise and defensive responses performed at machine speed. This level requires an additional 15 practices.
What is the CMMC Timeline?
Acquisition teams will begin explicitly stating which CMMC level (between 1 – 5) is required in the request for proposal (RFP). Each RFP will contain this requirement in sections L & M, and it will be a "go/no-go decision." There will not be a self-certification, however, defense industrial base (DIB) companies are encouraged to complete a self-assessment before scheduling a CMMC assessment. These certification levels will connote a degree of cybersecurity maturity similar to the audit of processes and compliance with those processes via the Capability Maturity Model Integration (CMMI) certification program.
Cybersecurity Maturity Model Certification Accreditation Body (CMMC AB)
The CMMC AB will oversee the training, quality, and administration of third-party assessment organizations. The CMMC AB consists of 15 individuals from industry, the cybersecurity community, and academia. Strict conflict of interest clauses will be integrated throughout a future memorandum of understanding (MOU) that will dictate the activities and influence these 15 individuals have over certifications and audits. The list of board members is as follows:
- Chairman, Ty Schieber, University of Virginia, Darden School Foundation
- Director, Akin Akinbosoye, Manufacturing x Digital (MxD)
- Director, Mark Berman, FutureFeed
- Director, Wayne Boline, Raytheon
- Director, Jeff Dalton, Broadsword Solutions
- Director, Nichole Dean, Accenture Federal Services
- Director, Regan Edens, DTC Global
- Director, James Goepel, Fathom Cyber, LLC
- Director, Chris Golden, Third-Party Risk Management
- Director, Karlton Johnson, Delaine Strategy Group, LLC
- Director, Richard H. 'Doc' Klodnicki, Aereti, Inc.
- Director, Valecia Maclin, Microsoft
- Director, Tim Rudolph, 3d Millennium Group
- Director, Ben Tchoubineh, Phoenix TS
- Director, John Weiler, IT Acquisition Advisory Council (IT-AAC)
How can you start to prepare?
Ellen Lord, Under Secretary of Defense for Acquisition and Sustainment, made it very clear that there will be no trade-offs or fines associated with non-compliance. However, in order to win a contract or successfully rebid on a contract, you will need to pass the audit. It is critical to start with these necessary steps.
- If you haven't already done so, get a Systems Security Plan (SSP) and a Plan of Action and Milestones (POA&M) in place. This was and will continue to be the starting place.
- Configure your existing environment or build a new environment to NIST 800-171 r2 compliance. Many contractors are moving to Office 365 GCC High or other cloud providers to ease this process.
- Begin building budgets for the enhanced support requirements and modifying rates to include the enhanced security requirements. Weigh the costs and consider outsourcing security, compliance, and information system management with a Managed Service Provider (MSP).
Don't wait for the new guidelines to become effective, connect with our CMMC subject matter experts for a gap assessment and analysis now!