The United States Department of Defense is implementing the Cybersecurity Maturity Model Certification 2.0 (CMMC) program to safeguard cybersecurity across the government’s Defense Industrial Base (DIB), the sector responsible for military weapons systems, subsystems, and components or parts.
Announced in November 2021, CMMC 2.0 requirements are expected to be included in all new contracts by October 2025.
This blog post will delve into the concept of the maturity model in the context of cybersecurity, key figures of the DIB, the anatomy of CMMC levels, and how Varonis can help your org achieve compliance.
What is a maturity model?
Maturity models are a collection of best practices, which progress along a scale from lower levels of adoption or “maturity” to higher levels of aptitude and certification.
Certifying to a maturity model means that a company or organization has committed itself to improving its processes and practices to a sustained high level of performance.
What is CMMC?
Cybersecurity Maturity Model Certification is a program initiated by the U.S. Department of Defense (DOD) to measure and standardize their defense contractors’ capabilities, readiness, and sophistication in the area of cybersecurity. CMMC 2.0 is a streamlined update to the original 2020 CMMC program.
At a high level, this framework is a collection of processes and inputs from existing cybersecurity standards — such as NIST, FAR, and DFARS,1 — designed to protect DIB security.
At a tactical level, the goal of the program is to improve the security of federal contract information (FCI) and controlled unclassified information (CUI).
To whom does CMMC apply?
The certification is applicable to both “prime” contractors who engage directly with DOD, and to subcontractors who contract with those primes to provide the fulfillment and execution of contracts. Although some level of certification will be a requirement of every contract beginning in 2025, the DOD has indicated that they intend to issue contract opportunities at all levels of the maturity model, meaning there will be some number of requests issued that will require only a low level of certification and some that will require higher levels of certification.
DIB fast facts
- $10.5 trillion Annual cybercrime impact
- $705 billion Annual DOD contract value
- 100,000+ Companies in the DIB
- 23% Budget allocation to small business
Why does CMMC matter?
It’s estimated that cybercrime drains $10.5 trillion annually from the global GDP. Relying on the vast network of contractors to execute the DOD’s mission means that the Department of Defense is entrusting each contractor with critical data that increases the overall risk profile of the DIB. Accordingly, the DOD understands the burden and outsize proportion of risk that cybercrime puts on their base of subcontractors, many of which are small businesses and lack the resources of their larger, prime counterparts.
It's against this backdrop that the DOD has released the CMMC, to oversee the adoption of best practices in cybersecurity with a “defense in depth” strategy across its entire global contractor base.
Key CMMC 2.0 takeaways
The required certification:
- Applies to DOD prime contractors and subcontractors
- Applies to limited new contracts beginning this year and applies to all contracts beginning in 2025
- Covers advancing levels of cybersecurity processes and practices, resulting in a certification “level”
- Ensures contractors start with Level 1 and certify at each level all the way to the top (Level 3)
- Demonstrates the need for a powerful tool (such as Varonis) for facilitating all levels of CMMC compliance
CMMC framework
The goal of the CMMC is to ensure the protection of two types of information from disclosure or unauthorized use:
- CUI, which requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended
- FCI (not intended for public release) provided by or generated for the government under a contract to develop or deliver a product or service to the government, but not including information provided by the government to the public
CMMC 2.0 certification levels (summary)
CMMC 2.0 reduced the number of certification levels from five (in CMMC 1.0) to three. The three CMMC 2.0 levels are Level 1 (Foundational), Level 2 (Advanced), and Level 3 (Expert). CMMC assessment requirements vary based on the level of certification needed.
Level 1 requires organizations to perform basic cybersecurity practices; you can certify at this level through an annual self-assessment.
Level 2 requires organizations to document their processes to guide their efforts to achieve CMMC Level 2 maturity. The documentation must also allow users to repeat these processes.
Assessment requirements for Level 2 compliance depend upon whether the CUI data handled is critical or non-critical to national security. Organizations with prioritized acquisitions that handle data critical to national security must pass a third-party assessment (3PAOs) every three years.
Organizations with non-prioritized acquisitions with data not deemed critical to national security must conduct an annual self-assessment.
The Level 3 CMMC model reduces a system’s vulnerability to advanced persistent threats by requiring an organization to establish, maintain, and provide resources for a plan to manage the activities needed to implement its cybersecurity practices.
CMMC 2.0 Level 3 applies to companies that handle CUI for DOD programs with the highest priority. As of publication, the DOD has not released the specific security requirements.
CMMC 2.0 framework components
As a part of the efforts to simplify CMMC and align with NIST-800-171 and 800-172, CMMC 2.0 has only three parts: levels (as explained above), domains, and practices.
Levels
As contractors advance in their assessments in each of these components, an overall certification to a level is achieved.
Level one is achieved by completing 17 practices across the CMMC domains.
Level two is accomplished by completing 110 practices from the 17 domains and having this verified by a third-party assessment organization.
Level three has yet to be formalized but will likely include all practices from each domain and verification by a third-party Assessment Organization.
Domains
There are 17 domains in the CMMC model. Each covers an individual area of essential cybersecurity functions taken from existing standards, including Federal Information Processing Standards (FIPS) Publication 200 and NIST 800-171. Each domain appears in one or more of the model’s levels.
Practices
There are 113 practices that span the 17 domains. Think of practices as the individual tasks or efforts required by each category.How to become certified
The DOD has created the CMMC Accreditation Body — a nonprofit, independent organization to accredit third-party assessment organizations (3PAOs) and individual assessors. Details are forthcoming about the mechanics of certification, but the DOD plans to establish a marketplace for 3PAOs to be evaluated and hired by contractors seeking certification.
How Varonis ensures CMMC certification
Getting started with CMMC might seem like a daunting task, and the reality is that certification is simply too large of a program to be handled by one person or even one team within an organization. Nevertheless, certification will be a nonnegotiable requirement of DOD contractors going forward, and Varonis can help federal contractors comply.
The best place to start when beginning to operationalize CMMC is with domains. Remember, these are centers of excellence with tasks and management that must be performed and continuously optimized for organizations to achieve and advance their levels of certification. Recall also that the primary goal of CMMC is the protection of CUI and FCI.
The Varonis Data Security Platform can facilitate, execute, and automate many of the 113 practices required and their related processes within the CMMC model.
| Domain | CMMC 2.0 Practice | Varonis product(s) |
|---|---|---|
| AC — Access Control |
|
Varonis Data Security Platform |
| AT — Awareness and Training |
|
Professional Services |
| AU — Audit and Accountability |
|
Varonis Data Security Platform |
| CM — Configuration Management |
|
Varonis Data Security Platform |
| IA — Identification and Authentication |
|
Varonis Data Security Platform |
| IR — Incident Response |
|
|
| MA — Maintenance |
|
Varonis Data Security Platform |
| MP — Media Protection |
|
Varonis Data Security Platform |
| PS — Personnel Security |
|
Varonis Data Security Platform |
| PE — Physical Protection |
|
Varonis Data Security Platform |
| RA — Risk Assessment |
|
|
| CA — Security Assessment |
|
|
| SC — System and Communications Protection |
|
Varonis Data Security Platform |
| SI — System and Information Integrity |
|
Varonis Data Security Platform |
The CMMC will impact each and every one of the 300,000-plus companies in the United States defense industrial base. Companies that are already familiar with and adhering to NIST, FAR, and DFARS will likely have a first-mover advantage in advancing through CMMC, but Varonis can accelerate any company’s CMMC with a powerful platform for compliance and security.
Contact the Varonis Federal team for a free Data Risk Assessment, and level up your CMMC.
Additional resources:
What you should do now
Below are three ways we can help you begin your journey to reducing data risk at your company:
- Schedule a demo session with us, where we can show you around, answer your questions, and help you see if Varonis is right for you.
- Download our free report and learn the risks associated with SaaS data exposure.
- Share this blog post with someone you know who'd enjoy reading it. Share it with them via email, LinkedIn, Reddit, or Facebook.
