The Cybersecurity Maturity Model Certification (CMMC) is a cyber program and security framework used by the US Department of Defense (DoD) to measure firms’ cybersecurity maturity. All DoD contractors working with the federal government must comply with this program by 2025.
CMMC compliance demands that DoD contractors pass an external CMMC assessment carried out by an approved CMMC Third Party Assessment Organization (C3PAO) for all but the lowest level of CMMC certification.
The DoD works with many organizations to achieve its objectives and requires strict adherence to standardized security measures to ensure it can do so while safeguarding sensitive information.
The Defense Industrial Base (DIB) is a target for cyber attacks from homegrown and foreign cybercriminals due to:
- The complexity of the DoD network
- The amount of sensitive data and valuable intellectual property
- The inherent criticality of the defense sector
Compromises of the DoD can severely impact the economy and national security. This post aims to help organizations with or hoping to win DoD contracts to meet CMMC’s security requirements more efficiently and to achieve CMMC certification by an authorized accreditation body (CMMC-AB).
Advantages of CMMC Certification
Maintaining information security throughout such a large supply chain is challenging. Getting through the certification process may also present challenges, but an understanding of cybersecurity best practices and common information security requirements will help a business attain or retain a strong security posture.
Businesses that demonstrate their cyber resilience and ability to maintain strong cybersecurity practices can gain a competitive advantage over businesses that find attaining and maintaining CMMC certification too challenging, some of which will be existing DoD partners that lose their contracts when the new rules are enforced.
As with other cybersecurity regulations, it’s likely that CMMC requirements will evolve. So it’s an excellent idea for businesses to consider CMMC an evolving framework they can use on an ongoing basis alongside their existing cybersecurity framework or frameworks and security measures to achieve more effective data protection.
CMMC Compliance Standards
The latest CMMC 2.0 standards draw on the security controls required for Federal Acquisition Regulation (FAR) clause 52.204-21, Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012, and the NIST SP 800-171 security requirements (see https://www.upguard.com/blog/nist-800-171-compliance-checklist).
The purpose of CMMC requirements is to safeguard Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
- FCI refers to information that — whether generated by the government or for the government — is intended to remain confidential.
- CUI is information that has not been classified by an Executive Order or any other rule but nonetheless requires protection.
Organizations that only deal with public information while working for the DoD do not require CMMC certification.
For all defense contractors working with FCI or CUI, the DoD must ensure the protection of that data. Hence the DoD imposes minimum cybersecurity standards on its contractors and subcontractors to maintain security across all service providers’ information systems.
The CMMC Certification Levels
Achieving CMMC compliance is not a binary matter of passing or failing. CMMC recognizes five maturity levels.
Businesses can start at the CMMC certification level they need in order to attain or retain contracts with the DoD, and then use the CMMC framework to build on their cybersecurity, moving up through the certification levels if desired or required. However, in most cases, contractors will not need to achieve level 4-5 CMMC compliance.
The DoD specifies what level of CMMC certification is required when sending potential contractors Requests for Information (RFIs) or Requests for Proposals (RFPs). The DoD will demand the first three levels of CMMC maturity most frequently.
The CMMC levels of certification are as follows:
- Not required — Organizations that only handle information that is approved for public release do not require CMMC certification.
- CMMC Level 1 — The Foundational Cyber Hygiene Practice level is the minimum level required for firms handling FCI.
- CMMC Level 2 — Advanced Cyber Hygiene Practice
- CMMC Level 3 — The Expert Practice level is the minimum level for organizations handling CUI.
- CMMC Level 4-5 — The Protection of CUI and Mitigation of Advanced Persistent Threat (APT) risks level is a requirement for firms that need to access highly sensitive CUI or large volumes of sensitive data.
All DIB organizations must be certified to at least CMMC Level 1 by 2026. In order to become certified, organizations will need to hire an independent third-party C3PAO to assess compliance.
Security Control Implementation
CMMC defines 171 security practices. To achieve CMMC Level 5, a business must implement and maintain all 171.
To achieve CMMC level 1, firms must fulfill all FAR clause 52.204-21 requirements. This clause largely concerns access control and authentication. There are 17 NIST-recommended cybersecurity practices to fulfill, and yearly self-assessment is acceptable for compliance at this level.
Moving from CMMC level 1 to CMMC level 3 will require implementing all of NIST 800-171’s 110 cybersecurity requirements, plus a subset of NIST 800-172 controls, followed by external assessment by an approved CMMC Accreditation Body.
Implementing cybersecurity practices on the following key categories will help firms meet CMMC cybersecurity standards.
Access Control
Access control ensures that only authorized users can access sensitive data. Under Privileged Access Management, each user’s access to data is limited to what that user actually needs. Proper access control also ensures that access privileges are audited regularly.
Authentication
Defense contractors’ information systems must use a system of identification and authentication, such as usernames and passwords or biometrics, to manage users and reduce the risk of unauthorized access and data breaches.
Risk Assessment
Assessing risk will demonstrate to the DoD that a business understands the specific cyber threats that affect it most. It identifies which risks are most likely to occur and which would have the greatest impact, so the business can prioritize addressing those vulnerabilities.
Security Assessment
It’s wise for firms to perform assessments to identify how much CUI they currently handle or expect to handle and which level of CMMC maturity will be necessary.
To maintain a strong security system, stakeholders need to understand the business’s current security posture — how it performs within the current cyber threat landscape. Using security ratings can help firms prioritize vulnerability remediation and maintain standards once they’ve achieved them.
Awareness and Training
Providing employees with the cybersecurity awareness, understanding, and resources to combat cyber threats is among the most effective ways to improve a business’s security posture. In particular, it reduces the risk of social engineering and data leaks, in which human error often plays a part.
Configuration Management
Misconfiguration can lead to sensitive information becoming unprotected and freely accessible on the internet, or it can produce a vulnerability that a hacker could exploit to steal confidential data, including intellectual property. Remediating these vulnerabilities is key to achieving CMMC accreditation.
Media Protection
Media protection concerns print and digital assets, the storage of files on devices such as portable hard drives, and how they are accessed and transmitted.
A clear policy and strong cybersecurity practices regarding access, sharing, storage, and secure media destruction are necessary for any defense contractor working with CUI.
Incident Response
Modern businesses need to be prepared for cyber incidents and aim to prevent them. A documented incident response plan shows the DoD that a business has a plan of action to respond promptly and effectively in the event of a cyber incident.
Encryption
Encrypting data while in transit and at rest makes it almost impossible for hackers and cybercriminals to read it without the correct decryption key. Thus, it makes information systems more secure, which is essential when dealing with confidential DoD files.
Continuous Monitoring
Maintenance is a key cybersecurity control family in NIST 800-171. Continuous monitoring ensures that security controls are in place and working. As a DoD subcontractor, it’s essential that required cybersecurity practices be maintained 24/7.
Cyber risks are constantly evolving. As part of an attack surface management program, continuous monitoring can help identify and remediate vulnerabilities as the business and/or the cyber threat landscape changes.
CMMC Assessments
An external CMMC certification, as required for CMMC Levels 2 and above, is intended to be valid for three years from the date of accreditation. Following this period, the contractor must undergo reassessment.
A firm can undergo a readiness assessment before going for CMMC certification. In this case, the assessor must be an authorized or accredited CMMC Third-Party Assessment Organization (C3PAO).
The chosen C3PAO cannot be the same organization that later performs the subsequent CMMC certification assessment. The defense contractor must choose another C3PAO from the CMMC-AB Marketplace.
One of the outcomes of using the CMMC framework, particularly at higher levels, is meeting the minimum requirements for CMMC accreditation and creating more cyber-resilient businesses able to adapt and respond to emerging threats.
Addressing CMMC Compliance Gaps
A cyber risk management plan, which encompasses security performance management and attack surface management, can help a business identify its cybersecurity gaps and then prioritize and address those needs according to CMMC requirements and its current security posture.
With information on security posture following a cyber risk assessment, the Chief Information Security Officer (CISO) and other stakeholders can make informed decisions about vulnerability management to meet CMMC compliance requirements.
Cyber risk management includes creating and maintaining strong cybersecurity and information security policies to go with the new practices. This helps businesses maintain the standards they achieve, enhance those practices, and be proactive as the business and the cyber threat landscape develop.
Organizations are encouraged to use a Plan of Action and Milestones (POAM) in their CMMC compliance strategy. Doing so has the benefits of clarifying what the business must do to become compliant and demonstrating to the DoD that a plan of action exists, which may enable the firm to bid for contracts before it has achieved full CMMC compliance.