To ensure that all contractors observe appropriate levels of cybersecurity controls, the Department of Defense (DoD) has created the Cybersecurity Maturity Model Certification (CMMC). Mandatory for all DoD contractors, the certification comes at a time when threat attempts on DoD systems are at an all-time high, with hundreds of thousands of probes every day.
Although CMMC will not take effect until January 2021, now is the time to start preparing. That’s because all companies that do business with the DoD will need to implement CMMC or risk losing contracts.
This guide provides you with everything you need to know about CMMC and how to prepare.
The Cybersecurity Maturity Model Certification (CMMC) is a new certification model designed to verify that DoD contractors have sufficient controls to safeguard sensitive data, including Controlled Unclassified Information (CUI) and Federal Contract Information.
Created by the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)), CMMC is a consolidated cybersecurity standard that’s mandatory for everyone doing business with the DoD. It brings together existing cybersecurity control requirements, such as ISO 27001, ISO 27032, NIST SP 800-171, and NIST SP 800-53, to create more detailed and coordinated cybersecurity standards.
Unlike previous security standards that only called for self-verification in order to achieve compliance, CMMC requires a third-party assessment from a certified auditor.
In 2015, the Department of Defense (DoD) published the Defense Federal Acquisition Regulation Supplement (DFARS) to push private contractors to maintain cybersecurity standards according to the requirements the National Institute of Standards and Technology (NIST) outlined in NIST SP 800-171.
Created to ensure the protection of Controlled Unclassified Information (CUI), the standards outlined in DFARS and NIST 800-171 gave DoD contractors until December 31, 2017 to meet the requirements necessary to be compliant or risk losing DoD contracts.
To be classified as compliant, contractors merely had to attest to meeting the requirements or being in the process of satisfying them.
Unfortunately, self-verification was inadequate and didn’t provide a level of security that could consistently safeguard sensitive information. While some contractors complied with the requirement, others failed to meet the standards.
As a result, U.S. adversaries have been able to develop military equipment based on stolen data. For instance, the Chinese J-20 and J-31 stealth fighter jets suspiciously resemble the American F-35. According to the Pentagon, China may have accessed the F-35 design after an information breach in 2009.
Compliance without accreditation doesn’t guarantee absolute security. After reviewing the NIST security controls, the DoD decided they don’t sufficiently cover security loopholes, leaving contractors susceptible to threats from nation-state actors.
CMMC was devised to help:
To give the new standards teeth, compliance will not be assessed through self-verification, but instead will be handled by third-party audit.
Required, Not an Option
Furthermore, all new DoD contract RFPs and RFIs will include CMMC compliance as a requirement. Companies that are not CMMC compliant will automatically be disqualified from new contract opportunities.
In addition, certification will not be one and done. It will be ongoing, and CMMC certification will have to be renewed every three years.
Released in January 2020, version 1.0 of the CMMC lays out the framework. It includes 17 domains that are based on cybersecurity best practices. Each domain is broken down into practices and processes that are mapped across five maturity levels. Within each domain, the practices are aligned to a set of capabilities.
The CMMC model consists of 17 domains, 14 of which are derived from the Federal Information Processing Standards (FIPS) Publication 200 and NIST 800-171, and three additional domains.
The CMMC acknowledges that not all information shares the same levels of sensitivity, and not all contract participants have the same clearance levels. Because of this, the Cybersecurity Maturity Model Certification measures processes and practices across five maturity levels.
| Maturity level | Process | Practice |
|---|---|---|
| Level 1 | Performed | Basic Cyber Hygiene |
| Level 2 | Documented | Intermediate Cyber Hygiene |
| Level 3 | Managed | Good Cyber Hygiene |
| Level 4 | Reviewed | Proactive |
| Level 5 | Optimizing | Advanced / Progressive |
The achievement of higher CMMC levels enhances the ability of an organization to protect CUI. For Levels 4-5, it also reduces the risk of advanced persistent threats (APTs), which are often executed via multiple incursions, including cyber, physical, and deception.
Here is a synopsis of the five CMMC levels and their respective requirements:
Basic Cyber Hygiene: Includes the basic cybersecurity processes performed by all companies. To get this level of certification, you must implement 17 NIST SP 800-171 Rev1 controls.
Intermediate Cyber Hygiene: Entails the universally accepted best cybersecurity practices that are documented. To get this level of certification, you must implement another 46 NIST SP 800-171 Rev1 controls.
Good Cyber Hygiene: Covers all managed NIST SP 800-171 Rev1 controls. You must implement the final 47 NIST SP 800-171 Rev1 controls to pass this audit.
Proactive: Consists of all advanced and sophisticated cybersecurity processes that are reviewed, resourced, and improved enterprise-wide. To pass this level of audit, you must implement 26 NIST SP 800-171 Rev B controls.
Advanced / Progressive: Entails the highly advanced cybersecurity practices that are optimized and still under continuous enterprise improvement. As a DoD contractor, you must implement the final four NIST SP 800-171 Rev B controls to pass this level of audit.
Levels 1 and 2 involve basic cyber hygiene that most companies usually implement. Level 3 corresponds to the DoD cybersecurity requirements outlined in DFARS Clause 252.204-7012, which follows NIST SP 800-171 with an additional 21 controls.
According to the government, the requirements for Levels 4 and 5 match the standards of NIST SP 800-171 Rev B. Most of the controls conform with information security measures in ordinary businesses, while some are unique to the Cybersecurity Maturity Model Certification.
NIST vs. CMMC
Because CMMC is built on many of the same controls as NIST, it’s possible to jump to the conclusion that CMMC certification automatically provides NIST 800-171 compliance. However, it’s important to note that the two are different.
While achieving CMMC Level 3-5 certification satisfies all of the NIST 800-171 controls related to CUI, an additional 63 Non-Federal Organization (NFO) controls need to be met to achieve compliance.
Although IT is the focus of a majority of the practices and processes outlined in CMMC, it addresses more than just technology. That’s because employee negligence causes more than 40% of breaches. In fact, a majority of cyber professionals label people as the weakest link in security.
It’s no surprise then that CMMC goes beyond IT to address areas like physical security, personnel security, and awareness and training in its standards. For that reason, you should be wary of any service provider that tries to sell you a 100% software solution. Comprehensive cybersecurity includes both your tech and your team.
Many of the top causes of data breaches can be traced back to your team, not technology:
All contractors that do business with the DoD will need to meet at least Level 1 CMMC requirements. The exact level at which you need to be certified to be awarded a contract will be specified in the RFP.
Although you do not have to be CMMC certified at the time of the RFP, you will need to be at the time the contract is awarded. That means you will have a window to start and complete certification, but how long that window is will vary from contract to contract. However, to avoid unforeseen delays and the risk of losing a contract, it’s best to not wait until the last minute.
To become CMMC certified, you’ll need to liaise with an accredited, independent third-party assessment organization through the Cybersecurity Maturity Model Certification Accreditation Body (CMMC-AB). You’ll specify your company’s level of cybersecurity maturity and schedule an evaluation.
CMMC assessors will be licensed through the CMMC-AB, but will be employed by a Certified Third-Party Assessment Organization (C3PAO).
Upon satisfying the security requirements for the requested tier, the assessing organization will grant you the appropriate certification. Your certification level will be available to the DoD via a database, but the findings of your cybersecurity audit will remain confidential.
Because all new DoD contract RFPs and RFIs will require CMMC compliance, those contractors that are certified will have a competitive advantage. That will be especially true early on, with most contractors likely waiting until they absolutely have to be CMMC compliant before pursuing certification.
What does that mean in real terms? With DoD contracts running five years, putting in the work now to become certified could put you in the lead to land five years of recurring revenue – and positioning yourself to retain it – while the rest of the market plays catch up.
Beyond easily winning and maintaining DoD contracts, CMMC-compliant companies will be better positioned to:
Reduce their risk of data breaches, the cost of which averaged $3.62 million per incident in 2017
Overcome the threats of nation-state actors, which made up 23% of all data breaches in 2019, up from 12% in 2018
Lower the risk of insider threats
Be deemed compliant with other regulations, such as NIST, ISO, HIPAA, FISMA, and SOX
The Cybersecurity Maturity Model Certification represents a seismic shift for DoD contractors, and will have a significant impact on the industry and its practices. Here are three notable changes that are likely to happen:
CMMC has put cybersecurity at the forefront of contract evaluation, scrutiny, and oversight. Being certified at the appropriate level will be a critical factor for the DoD when obtaining goods and services from the industry supply chain.
The model will govern contractors and subcontractors that previously didn’t need to observe DoD cybersecurity standards, like companies not handling covered defense information (CDI). Going forward, all DoD suppliers will be subject to CMMC level 1-5 certification to do business with the DoD.
While the CMMC policy is strict, it will benefit contractors in three ways:
Contractors will fall under five maturity categories, each with specific security obligations. Based on information sensitivity and the perceived cyber threat, the DoD will decide which maturity levels qualify for particular contracts.
Those companies that do not have the appropriate level of certification will be automatically disqualified from consideration.
This will help streamline the awarding of contracts and provide early adopters of CMMC with a decided advantage.
The DoD will rely heavily on certified third-party auditing agencies to audit and assess contractors’ CMMC qualification. CMMC-AB, a nonprofit accreditation organization, will oversee C3PAOs responsible for offering CMMC credentials to businesses.
Over 300,000 companies are within the DoD supply chain, which will require a ramp-up phase leading up to the January 2021 implementation of CMMC.
As a result, a new breed of information security consultants and advisors is emerging. The very best of these will leverage their compliance expertise to guide DoD contractors to successful certification by providing expert gap analysis, audit preparation, and ongoing support to ensure their IT systems remain secure and compliant.
Each of the five CMMC levels requires the implementation of different NIST SP 800-171 Rev1 and NIST SP 800-171 Rev B controls. It’s the responsibility of each contractor to implement the necessary controls for the desired level of certification.
If you have implemented all of the NIST SP 800-171 Rev1 controls, then you’ll automatically pass the audit up to Level 2. If you’ve only adopted some, or none, of the controls, you can prepare for the Cybersecurity Maturity Model Certification by doing the following:
For those companies that have the internal resources, the Self-Assessment Handbook-NIST Handbook 162 from NIST is a good start. Because NIST 800-171 serves as a foundation for CMMC, meeting its standards will get you most of the way to a Level 3 CMMC certification.
However, because the book only covers NIST SP 800-171 Rev1, it’s only suitable for certification up to Level 2. Achieving Level 3 requires implementation of another 21 controls.
If you don’t have the expertise or the resources to achieve the NIST SP 800-171 Rev1 or Rev B requirements, you should outsource to an expert CMMC consultant.
While there are many Managed Security Service Providers (MSSPs), at this point, not many have expertise in CMMC consulting, and fewer still will have experience going through the process.
Outsourcing saves you time and money, and it ensures that your company stays CMMC compliant. The key is finding an MSSP that can guide you through the certification process and help you maintain compliance going forward. Remember: When hiring a consultant, it’s still your responsibility to ensure you meet the necessary security standards.
When you engage with a consultant, they should guide you through several basic steps on the path to compliance.
The first step toward compliance is a gap analysis, which involves determining how far or close you are to meeting the minimum CMMC requirements. During a gap analysis, the MSSP will discover any ineffective system setup that doesn’t meet the criteria. This is achievable by taking a closer look at your network and procedures.
Some issues revealed during a gap analysis include:
Understanding these shortfalls helps you identify what changes your company needs to undertake to meet the appropriate CMMC-level requirements.
Using the findings of the gap analysis, your MSSP will provide a remediation plan. Depending on the results, remediation may consist of inexpensive and straightforward network fixes, or it could require extensive network development to help you meet the standard NIST cybersecurity requirements.
Ongoing Monitoring and Reporting
Once your network systems are CMMC-level compliant, your MSSP should have tools to continuously monitor your system for any security breaches or incidents.
As proof that you have implemented the necessary NIST SP 800-171 Rev1 or Rev B controls, the MSSP should provide you with documentation. You need to present this documentation to the CMMC auditors for them to certify you as a DoD contractor.
For contractors that wish to continue to do business with the Department of Defense, CMMC demands superior cybersecurity measures. The journey will undoubtedly be bumpy for some suppliers, but the DoD is keen to cut ties with noncompliant parties in favor of those that can be trusted to safeguard CUI.
The CMMC framework is still in development, and likely will continue to be refined up until and beyond its launch in January 2021. Still, those contractors that stay ahead of the curve and get certified at the earliest possible date will have a step up on the competition when the first CMMC-mandated contracts go to RFP.
Meanwhile, those contractors that wait on CMMC until the last minute will be forced to take immediate action or risk losing valuable revenue.