
CMMC Compliance for Government Contractors: Are You Ready?

Written by Scott Pruitt, CDPSE, CISA on March 17, 2021


The Cybersecurity Maturity Model Certification (CMMC) is the Department of Defense’s (DoD) new five-tiered security certification standard for the entire Defense Industrial Base (DIB).

CMMC, which was initially released on January 31st, 2020, sets forth a staggered rollout starting this year in 2021 and establishes that all government contracts will require CMMC compliance no later than 2025. If your company is a DoD contractor, the time to implement CMMC compliance is now. Here’s what you need to know.

CMMC Compliance: The Basics

At its core, CMMC compliance requires that companies establish security and protection protocols for Controlled Unclassified Information (CUI), Federal Contract Information (FCI), and other data, networks and systems within the DIB sector.

It combines and replaces venerable compliance standards like NIST SP 800-171 and DFARS 252.204-7012 (along with several others) and expands visibility and accountability requirements for the 300,000+ contractors and subcontractors that do business with the DoD.

In contrast with the self-reporting model of previous standards, one of the critical differences with CMMC is that companies will need to pass an audit conducted by a certified third-party assessment organization (C3PAO) to be compliant.

The resulting assessment will assign a CMMC Maturity Level (1 – 5) to a company based on how well the organization demonstrates competency in the 17 capability domains outlined by the standard. Companies must be CMMC certified at the level defined in the contract by the date of contract award, and a plan of action and milestones (POAM) cannot be used to delay the certification date.

CMMC Maturity Levels

Within each of the 17 domains outlined by CMMC, there are 43 unique capabilities. While organizations don’t need to possess each one to reach all levels of certification, the more you can demonstrate, the higher the maturity level you will be given once the audit is complete.

While some contracts will require assessments at maturity Levels 4 and 5, the vast majority of companies will need to aim for at least a Level 3 certification. The requirements are also cumulative, so any certification level also includes the requirements for the previous tier(s).

Let’s take a closer look at the five maturity levels:


Level 1: Basic Cyber Hygiene

Level 1 CMMC compliance requires specific practices that safeguard Federal Contract Information (FCI) and meet the basic requirements outlined in 48 CFR 52.204-21.

Level 2: Intermediate Cyber Hygiene

Level 2 adds documentation of the practices put in place and meets a subset of the requirements in NIST 800-171 and NIST 800-53 concerning the control of unclassified information. Level 2 of CMMC compliance is seen largely as a transitional phase.

Level 3: Good Cyber Hygiene

Level 3 focuses on the protection or control of unclassified information and includes all the security requirements outlined in NIST 800-171, with some specific additions regarding incident reporting outlined in DFARS clause 252.204-7012. Level 3 of CMMC compliance provides confirmation that these practices and procedures are adequately designed.

Level 4: Proactive

Level 4 requires an organizational review to measure the effectiveness of the practices in place and the ability to take corrective action when necessary. This level also begins to validate defenses against the efforts of Advanced Persistent Threats (APTs) and encompasses a subset of the enhanced security requirements from NIST SP 800-171B, as well as other best practices for detection and response capabilities.

Level 5: Advanced/Progressive

Level 5 focuses on increasing the capability, depth and sophistication of response actions against Advanced Persistent Threats.

CMMC Compliance and Your Company’s Maturity Level

The natural question about CMMC compliance that aspiring or existing DoD contractors will likely ask is “What level am I required to achieve for the contracts I would like to bid on?”

Achieving a Level 4 or 5 in the assessment opens up the opportunity for contracts that deal with the most sensitive information and the most rigorous security standards. A good rule of thumb is that if you were previously required to comply with NIST SP 800-171 Rev 1, you need to achieve a maturity Level 3 or higher.

Level 3 is a substantial step up in standards from Levels 1 and 2, but it is also a considerably smaller lift than Levels 4 and 5.

How to Get Started with CMMC Compliance


The first step for any government contractor starting the process of CMMC compliance is to determine what maturity level you want to achieve.

Then comes the hard part: you’ll need to identify and implement the standards and best practices across your organization for the maturity level selected. You’ll also need to determine whether you need a maturity level assessment for your entire organization or whether an enclave approach (assessing only the part of the environment that handles CUI and FCI) is better suited to your business.

Given that achieving a maturity level requires an audit from a C3PAO, it’s critical to have a security partner with expert-level competency in CMMC practices to perform an initial assessment and guide you through the steps of meeting your maturity level assessment goals.

Warren Averett is continuously monitoring CMMC requirements as they are made available. We can perform a readiness assessment to help determine your current maturity level and prescribe detailed information to meet your goals. For help in navigating this evolving landscape, please contact us today.
