CMMC – Why Me?

By Heather Bennett

October 10, 2022

If you found this blog, chances are you just found out you are required to be CMMC certified. You don’t know what that means, did a web search, and now you’re here. Let me be the first to welcome you to the world of CMMC. It’s nice here, we have (virtual) cookies.

In this article, we are going to cover the who, what, when, and why of CMMC. This will be a brief overview, as most of these topics will be covered in depth in future articles. Now is not the time to get educated on CMMC!

The Who, What, When, and Why of CMMC

Who

Who is who regarding CMMC?

“The Defense Industrial Base Sector is the worldwide industrial complex that enables research and development, as well as design, production, delivery, and maintenance of military weapons systems, subsystems, and components or parts, to meet U.S. military requirements.” (cisa.gov)

The DoD requires certification from all DIB contractors and subcontractors. The DoD has estimated that over 300,000 companies will be affected.

What

What is CMMC?

CMMC is a certification required by the US Department of Defense (DoD). It is a new certification model that ensures all contractors and subcontractors of the DoD properly protect sensitive information.

When

When will this happen?

The DoD began unveiling contracts with CMMC requirements in 2021. Each subsequent year will add more contractors. It is expected that CMMC will be a requirement on all contracts by October of 2026.

Why

Why am I being required to be CMMC certified?

CMMC was developed to ensure the protection of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). FCI and CUI can contain sensitive information that could jeopardize the nation’s security if it fell into the wrong hands. An interesting article talking about just that can be viewed here.

Upcoming Blog

The requirements to become CMMC certified will vary with the extent of FCI and CUI a company handles. We will cover the CMMC Maturity Levels in the next article. Keep up to date with all things CMMC by subscribing to our weekly blog.

Next Steps

Are you ready for Provincia Government Solutions to help you? If so, reach out to our team and let’s talk. We can put you on the path to success!

Until then, be safe and stay secure!

About Us

Provincia Government Solutions, LLC is a Nashville based HUBZone certified security and risk assurance firm with advanced expertise in government regulatory and compliance cybersecurity requirements including NIST, FISMA, CMMC, SCA, 800-171, TRICARE, MARS-E and ZTA (Zero Trust Architecture) solutions. Our client base includes government agencies, contractors, and commercial organizations affiliated with government entities. Whether you are seeking audit preparedness, compliance and assurance assessments, security consulting, or CMMC certification, we have the expertise to help. Contact us at (615) 807-2822 or at info@provincia.io to discuss your security needs today. Consultations are free of charge and we look forward to speaking with you!

ABOUT US

Provincia Government Solutions is a Nashville TN based Authorized CMMC Third-Party Assessor Organization (C3PAO) and SBA Certified small business specializing in Cybersecurity Assurance Services for government agencies, contractors, and commercial organizations affiliated with government entities.

So, You Need To Be CMMC Certified?

By Sese Bennett

November 14th, 2019

So, you need to be CMMC certified? If you’re like most small to mid-sized companies, you’re asking yourself – “What do I need to do to meet the CMMC requirements?” That is the million-dollar question.

Logically speaking, to pass an assessment, you need to know and understand what you’re being assessed on, and what is considered a “passing” grade. We hope this blog will assist in that understanding.

If you do not have any idea of what CMMC is, I encourage you to review our previous two blogs on the subject for a basic breakdown of the program. Since the articles were written, the CMMC program has matured a bit, but it should still give you the background you need to get up to speed.

So, let’s jump right in!

CMMC Levels

The first thing that should be on your radar is determining which Cybersecurity Maturity Model Certification (“CMMC”) maturity level your organization is seeking. If you are storing, processing, or transmitting only Federal Contract Information (“FCI”), then you are likely seeking only CMMC Maturity Level 1 (“ML-1”) certification. If you are storing, processing, or transmitting anything else, then you are most likely seeking Maturity Level 3 (“ML-3”) or above. This is an oversimplified description of the maturity level designations, but hopefully it is enough to get you going in the right direction.

Now for the good news! If you’re seeking ML-1, consider that the EZ button of the certification levels. ML-1 certification requires that your organization demonstrate compliance with seventeen (17) CMMC controls and meet a set of basic cyber hygiene requirements. These requirements are focused on validating what you are doing at the time of the assessment. Another way of putting it is that ML-1 is focused on performing the practice rather than documenting the practice.

This means that, technically, your organization will not fail an ML-1 assessment because of missing practice documentation. In reality, though, you will need some form of documentation to show that your organization is performing the practice. Consequently, it may be acceptable to provide informal or less detailed documentation to the CMMC assessor when reviewing ML-1 controls.

While we are on the subject of passing or failing, let’s talk about what that means with regard to CMMC. Note that the CMMC certification is an all-pass or all-fail assessment: you must pass all of the required practices for ML-1 in order to qualify for the certification.

Now, let’s do a quick breakdown of what those seventeen (17) ML-1 controls are looking for:

Access Control

The first four (4) practices come from the Access Control (“AC”) practice family. They are designed to ensure that your organization limits system access to authorized personnel, applies the principle of least privilege by granting only the level of access that fits the user’s job role or responsibility, controls connections to external systems, and controls what is posted to publicly accessible systems such as websites on the internet. (AC.1.001, AC.1.002, AC.1.003, AC.1.004)

Identification and Authentication

The next two (2) practices come from the Identification and Authentication (“IA”) practice family. These two practices focus on identifying your users and the processes acting on their behalf, including service accounts and other accounts that may be device-based. Additionally, this practice area examines how you authenticate (verify) the identity of users, processes, and devices before allowing access to your systems. (IA.1.076, IA.1.077)

Media Protection

The Media Protection (“MP”) practice family contains only one (1) practice to consider for ML-1. The practice focuses on how you sanitize or destroy media containing Federal Contract Information (“FCI”) before disposal, release or reuse. (MP.1.118)

Physical Protection

The next four (4) practices fall under the Physical Protection (“PE”) practice family. These practices focus on limiting physical access to your systems, equipment, and their operating environments to authorized individuals. This practice family also covers how visitors are handled when they visit your facilities, how audit logs of physical access are maintained, and how physical access devices such as badges and access cards are controlled and managed. (PE.1.131, PE.1.132, PE.1.133, PE.1.134)

System and Communications Protection

The System and Communications Protection (“SC”) practice family contains two (2) practices that you need to consider. The first focuses on monitoring, controlling, and protecting communications transmitted or received by your systems at your key internal and external boundaries. The second examines how you physically or logically separate your internal network from publicly accessible systems. (SC.1.175, SC.1.176)

System and Information Integrity

That brings us to the last practice family for organizations considering ML-1 CMMC certification. System and Information Integrity (“SI”) contains four (4) practices. They focus on identifying and correcting system flaws (patching) in a timely manner; malicious code protection, and the mechanisms that provide it, are also examined as part of this practice family. Finally, periodic and real-time scanning is examined: files from external sources are reviewed as they are downloaded, opened, or executed. (SI.1.210, SI.1.211, SI.1.212, SI.1.213)

Next Steps

Now that you’re a CMMC ML-1 expert, are you ready to get started on your CMMC journey? We certainly hope so. If you need assistance getting prepared, feel free to reach out to our team. We can help you prepare by conducting a readiness review to make sure you are on the path to success!

Be on the lookout for our next article in this series where we discuss the CMMC Maturity Level 2 (ML-2) designation, how it differs from ML-1, and how it fits into the overall CMMC ecosystem.  

Until then, be safe and stay secure!

CMMC Gears Up For Launch – Are You Ready?

By Sese Bennett

June 3rd, 2020

If you’ve been following our resources page, you’ll know that a few months before the Cybersecurity Maturity Model Certification (CMMC) was officially released by the Department of Defense (DoD) we released a guide to everything you need to know about the CMMC.

The DoD has since published updated guidance on the CMMC program, which will affect every DoD contractor along the supply chain, including any DoD contractor that handles Federal Contract Information (FCI) or Controlled Unclassified Information (CUI).

As such, the pressure is on for contractors to fully understand the new CMMC guidelines and be prepared to comply with them. We’re providing insight into the CMMC to help contractors understand the updated regulations and prepare for the new certifications.

A Quick Review of the CMMC

The updated CMMC version 1.02 was released by the DoD on March 18, 2020. The CMMC has replaced the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 assessment model which was in place for contractors of the DoD previously.

This new certification requires third-party evaluation to determine whether a contractor is secure enough to work with the DoD, whereas previously this was up to the contractor. In the past, contractors were responsible for certifying the security of their own information technology systems; however, the DoD deemed this unacceptable.

To close vulnerabilities and protect the FCI/CUI that contractors may handle in their work, the DoD has chosen to involve a third party in the certification of contractors.

To make things clear, the DoD has introduced a unified cybersecurity standard for DoD acquisitions, which boosts the cybersecurity posture of the Defense Industrial Base (DIB). The certification focuses on various cybersecurity standards and best practices that range from basic cyber hygiene (Level 1) to more advanced cybersecurity controls (Levels 4 and 5).

To gain a CMMC certification, a contractor needs to understand the associated practices that, when implemented, will reduce risk against a specific set of cyber threats. Certified independent third-party organizations will conduct audits and inform risk decisions, depending on the kinds of data a contractor is handling.

The New CMMC Framework

In our previous post, we ran through what the CMMC was expected to cover. In this article, we give you a run-down of what the CMMC framework actually includes. For more details, see the DoD’s CMMC Overview Briefing document; the key points are summarized below.

Key Facts About CMMC

  • The CMMC Model v1.02 framework organizes processes and cybersecurity best practices into a set of 17 capability domains. For each domain there are 5 processes across four levels that measure process maturity, and 13 capabilities and 171 practices that span the 5 levels. These practices are used to measure technical capabilities.
  • Contractors are expected to work to meet basic cyber hygiene in the following 17 capability domains:
    • Access Control (AC)
    • Asset Management (AM)
    • Awareness and Training (AT)
    • Audit and Accountability (AU)
    • Configuration Management (CM)
    • Identification and Authentication (IA)
    • Incident Response (IR)
    • Maintenance (MA)
    • Media Protection (MP)
    • Physical Protection (PE)
    • Recovery (RE)
    • Risk Management (RM)
    • Personnel Security (PS)
    • Security Assessment (CA)
    • Situational Awareness (SA)
    • System and Communications Protection (SC)
    • System and Information Integrity (SI)
  • CMMC levels and the associated practices and processes are cumulative. In order for an organization to meet the next level they must demonstrate achievement of the preceding lower levels.

[Figure in the original post: how each CMMC level maps onto previous certifications]

The CMMC Framework

Since the five levels of the CMMC are so important, we thought it worthwhile to review them briefly. The five certification levels are:

Level One - Performance

This level includes the 17 basic cyber hygiene practices that protect Federal Contract Information (FCI). This kind of information is of a private nature and might include data that a contractor is using on a job but is not intended for public release.

The reason that the contractor will have this information will be to complete a project or job, and therefore basic cyber hygiene must be carried out to ensure that it is never released to the public.

The practices and processes associated with this level are basic and include things like having an incident response plan, using antivirus software and teaching employees about the benefits of password security.

Level Two - Document

To reach the next level of cybersecurity hygiene a company needs to have intermediate cyber hygiene in place. These practices begin to protect any Controlled Unclassified Information that might be used by a contractor to complete a project.

This level maps onto a subset of 48 practices from the NIST SP 800-171 which safeguards sensitive CUI, plus 7 additional practices that are added to document and protect the use of sensitive data that is not intended for public use.

Level Three - Manage

The next level of the CMMC framework includes the management of CUI and includes the addition of all practices from the NIST SP 800-171 plus 20 practices to support good cyber hygiene.

The goal of this level is to get businesses to provide an institutionalized management plan to ensure that good cyber hygiene is practiced throughout the company.

Level Four - Review

The next level up requires a company to have a review process in place and have implemented processes for reviewing the cybersecurity practices that their company has committed to.

It is essential that contractors reflect on how effective their security measures have been, in order to flag any issues. Once the security practices are well established, and good cyber hygiene has been achieved, the next step is to detect any changes that need to be made.

This level includes the addition of 11 practices from the NIST SP 800-171B, as well as all of the practices from the NIST SP 800-171, which ensures that an APT (Advanced Persistent Threat) plan is in place to detect and respond to threats.

Level Five - Optimize

Level Five includes 4 more practices from the NIST SP 800-171B, which leans towards optimization of the cybersecurity protocols that a company has in place. To complete Level Five, a contractor must have a standardized and optimized process in place to protect the whole business from threats and vulnerabilities.

Level Five means having an agile and sophisticated cybersecurity strategy in place, with additional practices that allow you to detect and respond to threats and manage change.

As you can see, the CMMC Framework builds on a variety of cybersecurity standards and offers a unified cybersecurity standard for DoD acquisitions. The standard combines various cybersecurity standards and best practices, which are mapped across several maturity levels.

When Will CMMC Compliance Be Necessary?

Minimum certification requirements are likely to be in place by June 2020, with compliance becoming necessary between June and September 2020. The DoD has suggested that people need not panic about CMMC compliance, but that making steps towards compliance is necessary by June 2020. Certification preparation needs to start now for all businesses that are competing for DoD contracts.

Different contracts will require different levels of compliance, however every contractor working with the DoD will need at least Level One. At present there is no set date for when compliance will be necessary – we are still in the transitional period. To learn more about the CMMC changes and their implications for your business, you can visit the official CMMC FAQs page.

Everything You Need to Know About the CMMC

By Sese Bennett

November 14th, 2019

The Cybersecurity Maturity Model Certification (CMMC) is the latest development in DoD contractor cybersecurity requirements, recently announced by the Department of Defense (DoD). The CMMC will affect every DoD contractor along the supply chain, regardless of the type of information handled. As such, the pressure is on for contractors to fully understand the new CMMC guidelines and be prepared to comply with them.

We’re providing insight into the CMMC to help contractors understand the new regulations and prepare for the new certifications.

What is the CMMC?

The CMMC refers to the Cybersecurity Maturity Model Certification that will replace the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 assessment model currently in place for contractors of the DoD. This new certification will require third party evaluation in order to determine whether a contractor is secure enough to work with the DoD. The CMMC aims to ensure that all contractors dealing with the DoD are able to protect the Controlled Unclassified Information (CUI) that they may be handling in their work.

The CMMC will be a unified cybersecurity standard for DoD acquisitions which will boost the cybersecurity posture of the Defense Industrial Base (DIB). The certification focuses on various cybersecurity standards and best practices that range from basic cyber hygiene to more advanced cybersecurity controls.

To gain a CMMC certification, a contractor will need to understand the associated practices that, when implemented, will reduce risk against a specific set of cyber threats. The CMMC is intended to be cost-effective and affordable for small businesses to implement at the lower CMMC levels. Certified independent third-party organizations will conduct audits and inform risk decisions, depending on the kinds of data a contractor is handling.

Most of the information that has been released on the CMMC is provisional and has been released by The Office of the Under Secretary of Defense for Acquisition and Sustainment. They are set to release a final version (Rev 1.0) in January 2020 with another version that includes Requests for Proposals in June 2020.

[Figure in the original post: the levels of the CMMC as outlined by the DoD]

Why CMMC Now?

In recent years the DoD has experienced a set of high-profile data breaches that have put public information at risk. As such, the DoD has been forced to take a look at the security controls surrounding every contractor who works with them. At the time of these breaches, the DoD was reliant on the NIST SP 800-171 as its guidelines.

As the compromise of sensitive data has occurred in the contractor supply chain, the DoD has tightened controls on CUI in this area. The DoD understands that the leakage of this Controlled Unclassified Information could have catastrophic results, and therefore it is putting security at the top of its priority list. While traditional procurement models will stay in place, security will be seriously considered alongside cost, delivery timeline and quality of output in order to protect the DoD from further security breaches.

CMMC Building Blocks

The CMMC will be a unified cybersecurity standard for DoD acquisitions. The standard combines various cybersecurity standards and best practices, which are mapped across several maturity levels.

[Figure in the original post: the security standards and best practices the CMMC builds on]

Who Does it Apply to?

Any contractor doing business with the DoD will need to comply with these standards, including subcontractors. The focus of the CMMC is on supply chain integrity, therefore all suppliers involved in work with the DoD will need to complete the required level of certification. This will go beyond the first tier of supply chain subcontractors to completely open up the supply chain and ensure that anyone working with sensitive data will be certified.

The CMMC was created with this in mind, so efforts are being made to ensure that smaller companies and subcontractors will still be able to comply. The required degree of compliance depends on the amount of DoD CUI a company handles, not on its size. While this may benefit bigger companies that deal with the same level of CUI as smaller contractors, the DoD is committed to ensuring that small businesses have an equal opportunity to comply.

Prepare Now for the CMMC

Since the CMMC is building on many previous cybersecurity requirements and guidelines, it will benefit contractors to brush up on their knowledge on past security guidelines. This is especially true of the NIST SP 800-171, since the DoD is building on this heavily to create the CMMC. Although nothing has been confirmed where the maturity levels are concerned, it is thought that implementing and understanding the NIST SP 800-171 will help contractors prepare for the CMMC. Furthermore, it will benefit contractors to meet the existing requirements around Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 concerning safeguarding information and reporting incidents.

Advance preparation is essential for successfully navigating the new CMMC program. Performing targeted risk assessments on programs and systems that handle CUI will help you identify areas where security can be improved. Remember, the required degree of compliance depends on the amount of DoD CUI a company handles, not on its size. Proper documentation and implementation of key security programs such as access control, change management, and incident response should detail how you handle CUI and what you would do in the event of a cybersecurity incident involving DoD CUI. These steps will enable a smooth transition to the CMMC.
