The Cybersecurity Maturity Model Certification (CMMC) is a unified standard for implementing cybersecurity across DoD contractors. It is a new framework for ensuring that the more than 300,000 companies in the defense industrial base (DIB) supply chain are protecting sensitive defense information.
The CMMC has been in development for a number of years, but the first details on the framework were released in January 2020. The framework makes use of a “maturity” model, in which audits will be conducted by third-party assessors, and firms will be assigned a “level” that represents the cybersecurity protections they have in place.
In this guide, we’ll look in more detail at the CMMC. We’ll explain the way that the framework is designed to work, show you what you need to do now, and explain how Varonis can help you achieve compliance with it.
- Why is CMMC Compliance Important?
- The Five CMMC Levels and Framework
- CMMC Compliance Audit Preparation
- Advanced CMMC Practices
What is the Cybersecurity Maturity Model Certification?
The Cybersecurity Maturity Model Certification (CMMC) is a certification and compliance process developed by the Department of Defense (DoD). It is designed to certify that contractors have the controls in place to protect sensitive data. These data include Federal Contract Information and Controlled Unclassified Information (CUI).
January 2020 saw the release of the much-anticipated Cybersecurity Maturity Model Certification (CMMC) version 1.0. The framework has been developed in a collaborative process with University Affiliated Research Centers, Federally Funded Research and Development Centers, and industry.
The CMMC brings together a number of previously discrete compliance processes into one unified framework. These include NIST SP 800-171, NIST SP 800-53, ISO 27001, ISO 27032, and AIA NAS9933. In addition, it has taken some best practice guidelines from associated compliance procedures such as those contained in FISMA.
The biggest change brought about by the CMMC for DoD contractors will be the necessity to subject themselves to external security audits. Up until now, defense contractors have been responsible for monitoring and certifying the security of their own information systems, and any DoD data stored or transmitted by them.
Under the new model contained in the CMMC, contractors will remain responsible for implementing cybersecurity requirements, but their systems will be audited by third-party assessors. These assessments will check compliance with certain mandatory practices, procedures, and capabilities.
Why is CMMC Compliance Important?
The Defense Federal Acquisition Regulation Supplement (DFARS)
The CMMC is the newest of several cybersecurity compliance processes that DoD contractors have been confronted with in the past few years.
In 2015, the DoD published the Defense Federal Acquisition Regulation Supplement, more commonly known as DFARS. This mandated that contractors ensure compliance with the NIST SP 800-171 cybersecurity framework. Since then, contractors have struggled to understand and implement the requirements of DFARS. Some firms have had the resources required to make themselves compliant, while others have subcontracted their cybersecurity responsibilities to MSPs.
Though the DoD has tried to incentivize the adoption of DFARS by making compliance with the framework a “competitive advantage” in the tender process, many companies are lagging behind with the implementation of this earlier framework. There have even been cases where companies have claimed to be compliant – either through ignorance or deliberate deception – and have later been found to have been non-compliant.
This is the issue that the CMMC seeks to solve. It aims to ensure that the appropriate levels of cybersecurity controls and processes are in place to protect controlled unclassified information (CUI) on DoD contractor systems. It also provides a roadmap for firms looking to increase their security and provides contractors with an assessment of the maturity of their cybersecurity controls.
When Will CMMC Compliance Become a Requirement?
CMMC compliance requirements will appear in the requests for information (RFI) process in June 2020 and in the requests for proposals (RFP) process in September 2020, though it will be a couple of years before the full framework is enforced. The first full version of the CMMC framework was published in January 2020, following the publication of several draft versions over the previous few years.
DoD contractors should immediately learn the technical requirements of the CMMC because compliance processes should begin now. At the moment, we are still awaiting details on how CMMC assessments will be conducted, and further details on the precise requirements of the framework. The Office of the Under Secretary of Defense for Acquisition & Sustainment maintains a CMMC FAQ where contractors can check back on the latest information.
However, at the moment there are several key dates that DoD contractors should have in mind:
- January 2020: The release of the first full version of the CMMC.
- June 2020: Contractors will start to see CMMC requirements as part of the requests for information (RFI) process.
- September 2020: Contractors will start to see CMMC requirements as part of the requests for proposals (RFP) process.
- October 2020 and beyond: DoD contractors will need to get certified by an accredited Assessor/C3PAO in order to bid on new work.
At the moment, it is not clear when full compliance with the CMMC will be required for all contractors, but it is expected that within a few years the framework will be up and running. This means that contractors need to prepare now: we’ll show you how to do that below.
Who Will Have to Comply with the CMMC?
All DoD contractors will eventually have to achieve some level of CMMC certification in order to work on DoD contracts, either as a prime or subcontractor. This will include suppliers and firms at all levels of the supply chain, from manufacturers of defense equipment to small companies holding small amounts of technical data.
This said, the DoD has also indicated that there may be different levels of compliance or maturity required for different types of organizations. Prime-level certification, they have said, might not be required throughout the entire supply chain.
This may mean that some small companies, or those subcontracted to work on a discrete part of DoD projects, will not need to achieve the highest level of compliance. On the other hand, having different certification levels for companies all working on the same project could raise complex integration issues.
As we move toward full implementation of the CMMC, the CMMC Accreditation Body (CMMC-AB) will coordinate directly with the DoD to develop procedures to certify independent CMMC Third-Party Assessment Organizations (C3PAOs) and assessors that will evaluate companies’ CMMC levels.
How Do I Get CMMC Certified?
Details on the full compliance process for the CMMC are not yet available, but the basic process has been outlined by the DoD.
The certification process will be conducted by the CMMC Accreditation Body (AB), a non-profit, independent organization. This body will accredit CMMC Third Party Assessment Organizations (C3PAOs) and individual assessors. The CMMC AB will provide further information and updates on its website as these emerge.
The CMMC AB is planning to establish a CMMC Marketplace that will include a list of approved C3PAOs. After the CMMC Marketplace is established, DIB companies will be able to select one of the approved C3PAOs and schedule a CMMC assessment for a specific level.
The Five CMMC Levels and Framework
The CMMC framework relies on a maturity model, in which contractors will be assessed against 5 levels of cybersecurity preparedness. The focus of the requirements of each level is on ensuring that sensitive defense information is protected from theft, corporate espionage, and hackers.
Each of the 5 levels is built upon the last, so that compliance with level one, for instance, is a necessity to achieve level two. It could well be that different contractors need only reach a certain minimum level in order to work on a particular project, but at the moment the way in which this will work is still being developed.
Details on the individual levels are available, however, so let’s run through each in turn.
Level 1: Basic Cyber Hygiene
The first level is for organizations to put in place “basic cyber hygiene” practices. These include using antivirus software and providing staff training to ensure that passwords and other authentication details are secure. This level is generally focused on protecting Federal Contract Information (FCI), defined as “information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government.”
In reality, any organization which has already been awarded DoD contracts will likely be compliant with this level. It constitutes a very low bar for contemporary firms, whether they work in the information sector or not, and appears to be a “placeholder” for new firms just beginning to look at their cybersecurity tools and processes.
Level 2: Intermediate Cyber Hygiene
Level two is where the requirements of the CMMC really begin. This level introduces a new type of data called Controlled Unclassified Information (CUI). CUI is defined by the DoD as “any information that law, regulation, or government-wide policy requires to have safeguarding or disseminating controls,” but does not include certain classified information.
Level two requires that organizations document certain “intermediate cyber hygiene” practices in order to protect CUI. It is based on, and is largely a re-statement of, the US Department of Commerce National Institute of Standards and Technology’s (NIST’s) Special Publication 800-171 Revision 2 (NIST 800-171 r2) security requirements. As such, any firm that can prove they have achieved compliance with this earlier framework should be able to meet this requirement.
In practice, compliance with NIST 800-171 r2, and therefore with level two of the CMMC, requires that firms have the following in place:
- Access Control: Who has access and are they supposed to?
- Awareness and Training: Did you train your staff about CUI?
- Audit and Accountability: Do you know who is accessing CUI?
- Configuration Management: Are you following the RMF guidelines to maintain secure configurations and manage change?
- Identification and Authentication: Are you managing and auditing access to CUI?
- Incident Response: What happens when there is a data breach?
- Maintenance: How are processes maintained?
- Media Protection: How are backups, external drives, and retired equipment handled?
- Physical Protection: Who can access the place where your CUI lives?
- Personnel Security: Is your staff trained to identify insider threats?
- Risk Assessment: Have you done a risk assessment? Do you have scheduled pentesting exercises?
- Security Assessment: How do you verify the security procedures are in place?
- System and Communications Protection: Are your communications channels secure?
- System and Information Integrity: Is there a defined process for addressing new vulnerabilities and system-down situations?
Level 3: Good Cyber Hygiene
Level three of the CMMC takes the requirements of Level two further, and is based on an extension of the NIST 800-171 r2 standards. To be fully compliant with this level, organizations must have in place 47 security controls.
Again, for most firms already working with CUI, achieving this level need not be difficult. However, it is important to recognize that in order for your organization to be accredited, you will need to document the security procedures you already have in place. As we pointed out above, there is no self-certification in CMMC. Your organization will coordinate directly with an accredited and independent third-party commercial certification organization to request and schedule a CMMC assessment. Your company will specify the level of the certification requested based on your company’s specific business requirements.
Level 4: Proactive
Level four of the CMMC introduces the requirement for organizations to be proactive in measuring, detecting, and defeating threats. These audit processes involve looking at historical data on the threats you have been exposed to, and how your organization responded to them.
In reading the CMMC guidelines, it’s clear that level four is intended to be the minimum level for prime contractors working with CUI. It replicates some of the requirements of DFARS, whilst also putting these into a framework in which they can be worked towards.
It’s also clear that level four is designed to allow organizations to deal with the threats presented by government-sponsored hackers. This level requires that organizations are able to respond to the changing tactics, processes, and capabilities of advanced persistent threats (APTs). An APT is defined as an adversary that possesses sophisticated levels of expertise and significant resources that allow it to create opportunities to achieve its objectives by using multiple attack vectors; this seems to be a fairly direct reference to the types of espionage carried out by China and Iran.
Level 5: Advanced/Progressive
Level five is the final level of the CMMC and defines those organizations that are Advanced/Progressive/State-of-the-Art in cybersecurity. The CMMC defines 30 extra security controls – over level four – that need to be put in place in order to achieve level five. These largely relate to the ability of organizations to respond to changing threat landscapes through auditing and managerial processes, rather than extra technical requirements.
Whether level five will become the standard for DoD contractors is unclear. At the moment, many smaller firms will find it difficult to meet the requirements of this level, if only because they lack the human resources necessary to continually scan for new threats. Nevertheless, this level contains a number of recommendations that are valuable as a vision of what the future of defense cybersecurity could (and perhaps should) look like.
How DoD Contractors Can Prepare for a CMMC Compliance Audit: 5 Tasks To Do Now
Though the detailed requirements of CMMC compliance are still emerging, the details we do have are enough for organizations to begin to prepare. In this section, we’ll show you the steps you can do now to get ready for the full implementation of the CMMC.
These steps will be particularly important for companies where DoD contracts make up a substantial percentage of revenue, because CMMC certification will soon be a requirement for contract awards. If you are not prepared to pass your desired CMMC level, you run the risk of being unable to offer products and services to the DoD for an extended period. For this reason, it’s crucial that you are able to pass the certification process on your first attempt.
These steps will help you do that:
1. Learn the Technical Requirements
The first step is to understand the technical requirements of the CMMC. In addition to the levels explained above, you should be aware that the CMMC is broken into 17 domains, each of which is important for compliance:
- Access Control
- Asset Management
- Audit and Accountability
- Awareness and Training
- Configuration Management
- Identification and Authentication
- Incident Response
- Maintenance
- Media Protection
- Personnel Security
- Physical Security
- Recovery
- Risk Management
- Security Assessment
- Situational Awareness
- Systems and Communications Protection
- System and Information Integrity
These “domains” (as the CMMC refers to them) are inherited from earlier frameworks: the Federal Information Processing Standards (FIPS) 200 security-related areas and the NIST SP 800-171 control families.
2. Decide on In-House vs. Outsourcing
Some organizations will be able to achieve CMMC compliance in-house. Others will need to outsource this process. Many organizations that subcontract some of their IT infrastructure through Microsoft or Amazon, for example, will need to check that their suppliers are also CMMC compliant.
Once you’ve reviewed all of the available information on the CMMC, it’s time to take this decision. If you decide to work toward compliance in-house, the first step is to ensure that you are compliant with the frameworks that the CMMC is based on. In order to help you with that, NIST created this guide, the Self Assessment Handbook – NIST Handbook 162, as an aid for suppliers self-directing their certification initiative.
The handbook details certification requirements for NIST SP 800-171 Rev. 1, which aligns with CMMC Level 3. Unfortunately, at this time, there is no self-assessment guide available for NIST SP 800-171 Rev. B. A draft of the Rev. B specification, however, can be found here.
3. Conduct a Readiness Assessment and Gap Analysis
The next step to take immediately is to conduct a detailed and exhaustive Readiness Assessment and Gap Analysis. This analysis will then form the basis of working toward your desired level of CMMC maturity.
This analysis should be based, in the first instance, on the NIST 800-171 framework, which outlines a number of areas that you should cover:
- How is data stored and access to information controlled?
- Are incident response plans in place, current, and effective?
- Are IT staff and other personnel adequately trained?
- How are security protocols implemented and maintained?
This Gap Analysis will then make it possible for your organization to develop a Remediation Plan, which will provide a roadmap to compliance. This Remediation Plan should include:
- Activities necessary to address and resolve security issues
- Allocation of resources required to mitigate problems and close security gaps
- A timeline for the organization, with projected completion dates and milestones
- Insights into how security vulnerabilities were uncovered
- Quantification of risk levels, established priorities, and estimated remediation costs
4. Implement Cybersecurity Monitoring
The higher levels of CMMC compliance, and those that are likely to be required to work on complex, high-value projects, require your organization to be able to report on cybersecurity incidents. It is therefore critical that you put in place a system that is able to identify threats, isolate them, and collect information on the threat actors and types of attack you are subject to.
For most organizations, completing this step will require you to invest in a high-quality threat detection system that can provide this information.
5. Develop a System Security Plan (SSP)
The CMMC, as well as some of the earlier frameworks it is built on, requires that organizations develop a System Security Plan (SSP) that must be updated when a company makes substantial changes to its security profile or processes. This plan should include a wide range of information, such as company policies, employee security responsibilities, network diagrams, and administration tasks.
For NIST 800-171 and CUI requirements, the SSP must document information about each system in a contractor’s environment that stores or transmits CUI. The SSP also details the flow of information between systems, as well as authentication and authorization processes. The CMMC process includes a review of contractors’ SSPs as part of the contract award process. Without a current, valid SSP in place, contractors may not be awarded DoD business.
Advance Your Cybersecurity Maturity Model Certification Practices
Beyond the specific steps above, organizations should also undertake a number of processes that will make CMMC compliance much easier. Many of these are focused on documenting the cybersecurity controls you already have in place, to ensure that the audit process goes as smoothly as possible.
Document Your Practices
A critical part of proving your cybersecurity maturity is being able to present the DoD with exhaustive, detailed plans of the cybersecurity tools, processes, and systems you already have in place. Early preparation of this type could result in a more efficient assessment with positive end results. Contractors should, therefore, begin taking immediate steps to clearly document the practices and procedures they already have that comply with CMMC practices or processes.
If you work with subcontractors, you should also be working with them throughout the supply chain to assist them in developing compliance programs, or reviewing programs already in place.
Engage With Agencies
Once the requirements of the CMMC start to appear in RFIs and RFPs, organizations should carefully review them to ensure that the subcontractors they are being sent to can meet them. The DoD has made it clear that it expects offerors responding to RFIs and RFPs to give feedback in the early stages of the CMMC rollout, and it is hoped that this feedback will be responded to positively.
Though the requirements of the CMMC are likely to be a burden – at least initially – for many organizations, it’s also worth recognizing that the DoD knows this. The advantage of the “maturity” model contained in the CMMC is that it allows firms to work toward maturity levels in consultation with the DoD, and starting this relationship early is crucial.
Keep Yourself Informed
At the moment, the appeals process for CMMC audits has not been released, though the DoD says that this will be published shortly. This is a concern because if an organization derives most of its income from DoD contracts and then fails an assessment, there is currently no clear way to appeal the decision.
It’s therefore crucial that contractors follow developments in this area. Where possible, contractors should also provide the DoD with detailed feedback on any proposed due-process procedures to ensure they are adequate.
Agility and Sustainability
Though achieving CMMC compliance is likely to dominate the agenda for many cybersecurity professionals for the next few months (at least), it’s also important to recognize that compliance with current standards is not the only game in town.
This is true in at least two ways. The first is that the early drafts of the CMMC make it clear that the framework is still in development, and is therefore likely to change reasonably rapidly over the coming years. The second is that organizations that take this opportunity to build agility into their cybersecurity and compliance processes are likely to be those that are better protected against cyberthreats.
In other words, contractors that foster a culture of cyber resiliency and flexibility within their organizations, whilst also obtaining CMMC certification, will be best positioned to compete in a marketplace that is and will continue to be less tolerant of accepting cyber-related risks.
A Final Word
The CMMC is undoubtedly the most complex cybersecurity framework that organizations are currently required to achieve compliance with. However, rather than regarding compliance as a burden, it’s important to recognize that the recommendations made in the framework represent best practices when it comes to cybersecurity. Compliance will certainly be necessary for many firms to stay solvent, but it will also allow them to protect their sensitive information.
At Varonis, we’ve helped hundreds of organizations work toward compliance with existing frameworks, and our approach to the CMMC is no different. By following the guide above, or by contacting us directly, we can help you ensure that CMMC compliance is as efficient as possible. The best way to get started is with a free data risk assessment, which can serve as a helpful pre-assessment for your CMMC audits.