CMMC Gears Up For Launch - Are You Ready?
By Sese Bennett
June 3rd, 2020
If you’ve been following our resources page, you’ll know that a few months before the Cybersecurity Maturity Model Certification (CMMC) was officially released by the Department of Defense (DoD), we released a guide to everything you need to know about the CMMC.
The DoD has since published updated guidance on the CMMC program, which will affect every DoD contractor along the supply chain, including any DoD contractor that is handling Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
As such, the pressure is on for contractors to fully understand the new CMMC guidelines and be prepared to comply with them. We’re providing insight into the CMMC to help contractors understand the updated regulations and prepare for the new certifications.
A Quick Review of the CMMC
The updated CMMC version 1.02 was released by the DoD on March 18, 2020. The CMMC has replaced the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 assessment model which was in place for contractors of the DoD previously.
This new certification requires third-party evaluation to determine whether a contractor is secure enough to work with the DoD, whereas previously this was up to the contractor. In the past, contractors were responsible for certifying the security of their information technology systems; however, this was deemed unacceptable by the DoD.
To stop vulnerabilities and protect the FCI/CUI that contractors may be handling in their work, the DoD has chosen to involve a third party in the certification of contractors.
To make things clear, the DoD has introduced a unified cybersecurity standard for DoD acquisitions which boosts the cybersecurity posture of the Defense Industrial Base (DIB). The certification focuses on various cybersecurity standards and best practices that range from basic cyber hygiene (Level 1) to the more advanced cybersecurity controls (Levels 4 and 5).
To gain a CMMC certification, a contractor needs to understand the associated practices that, when implemented, will reduce risk against a specific set of cyber threats. Certified independent third-party organizations will conduct audits and inform risk, depending on the kinds of data a contractor is handling.
The New CMMC Framework
In our previous post, we ran through what the CMMC was expected to cover. In this article, we will give you a run-down of what the CMMC framework includes in reality. For more details, you can find the DoD’s CMMC Overview Briefing Document here; the key points to know are below.
Key Facts About CMMC
- The CMMC Model v1.2 framework organizes processes and cybersecurity best practices into a set of 17 capability domains. For each domain there are 5 processes across four levels to measure process maturity, 13 capabilities and 171 practices that span the 5 levels. These practices are used to measure technical capabilities.
- Contractors are expected to work to meet basic cyber hygiene in the following 17 capability domains:
  - Access Control (AC)
  - Asset Management (AM)
  - Awareness and Training (AT)
  - Audit and Accountability (AU)
  - Configuration Management (CM)
  - Identification and Authentication (IA)
  - Incident Response (IR)
  - Maintenance (MA)
  - Media Protection (MP)
  - Physical Protection (PE)
  - Recovery (RE)
  - Risk Management (RM)
  - Personnel Security (PS)
  - Security Assessment (CA)
  - Situational Awareness (SA)
  - System and Communications Protection (SC)
  - System and Information Integrity (SI)
- CMMC levels and the associated practices and processes are cumulative. In order for an organization to meet the next level they must demonstrate achievement of the preceding lower levels.
This is how each level maps onto previous certifications:
The CMMC Framework
Since the five levels of the CMMC are so important, we thought it worthwhile to review them briefly. The five certification levels are:
Level One - Performance
This level includes the 17 basic cyber hygiene practices that protect Federal Contract Information (FCI). This kind of information is of a private nature and might include data that a contractor is using on a job but is not intended for public release.
The reason that the contractor will have this information will be to complete a project or job, and therefore basic cyber hygiene must be carried out to ensure that it is never released to the public.
The practices and processes associated with this level are basic and include things like having an incident response plan, using antivirus software and teaching employees about the benefits of password security.
Level Two - Document
To reach the next level of cybersecurity hygiene a company needs to have intermediate cyber hygiene in place. These practices begin to protect any Controlled Unclassified Information that might be used by a contractor to complete a project.
This level maps onto a subset of 48 practices from the NIST SP 800-171 which safeguards sensitive CUI, plus 7 additional practices that are added to document and protect the use of sensitive data that is not intended for public use.
Level Three - Manage
The next level of the CMMC framework includes the management of CUI and includes the addition of all practices from the NIST SP 800-171 plus 20 practices to support good cyber hygiene.
The goal of this level is to get businesses to provide an institutionalized management plan to ensure that good cyber hygiene is practiced throughout the company.
Level Four - Review
The next level up requires a company to have a review process in place and have implemented processes for reviewing the cybersecurity practices that their company has committed to.
It is essential that contractors reflect on how effective their security measures have been, in order to flag any issues. Once the security practices are well established, and good cyber hygiene has been achieved, the next step is to detect any changes that need to be made.
This level includes the addition of 11 practices from the NIST SP 800-171B, as well as all of the practices from the NIST SP 800-171, which ensures that an APT (Advanced Persistent Threat) plan is in place to detect and respond to threats.
Level Five - Optimize
Level Five includes 4 more practices from the NIST SP 800-171B, which leans towards optimization of the cybersecurity protocols that a company has in place. To complete Level Five, a contractor must have a standardized and optimized process in place to protect the whole business from threats and vulnerabilities.
Level Five means having an agile and sophisticated cybersecurity strategy in place, with additional practices that allow you to detect and respond to threats and manage change.
As you can see, the CMMC Framework builds on a variety of cybersecurity standards and offers a unified cybersecurity standard for DoD acquisitions. The standard combines various cybersecurity standards and best practices, which are mapped across several maturity levels.
When Will CMMC Compliance Be Necessary?
Minimum certification requirements are likely to be in place by June 2020, with compliance becoming necessary between June and September 2020. The DoD has suggested that people need not panic about CMMC compliance, but that taking steps towards compliance is necessary by June 2020. Certification preparation needs to start now for all businesses that are competing for DoD contracts.
Different contracts will require different levels of compliance; however, every contractor working with the DoD will need at least Level One. At present there is no set date for when compliance will be necessary – we are still in the transitional period. To learn more about the CMMC changes and their implications for your business, you can visit the official CMMC FAQs page.
Your Trusted Advisors
Provincia Government Solutions, LLC is a Nashville-based HUBZone certified security and risk assurance firm with advanced expertise in government regulatory and compliance cybersecurity requirements including NIST, FISMA, CMMC, SCA, 800-171, TRICARE, MARS-E and ZTA (Zero Trust Architecture) solutions. Our client base includes government agencies, contractors, and commercial organizations affiliated with government entities. Whether you are seeking audit preparedness, compliance and assurance assessments, security consulting, or CMMC certification, we have the expertise to help. Contact us at (615) 807-2822 or at firstname.lastname@example.org to discuss your security needs today. Consultations are free of charge and we look forward to speaking with you!
Provincia Government Solutions is a Nashville, TN-based Authorized CMMC Third-Party Assessor Organization (C3PAO) and SBA Certified HUBZone small business specializing in Cybersecurity Assurance Services for government agencies, contractors, and commercial organizations affiliated with government entities.