Introduction to CMMC
The Cybersecurity Maturity Model Certification (CMMC), drafted by the Department of Defense (DoD), is a new standard set to enhance supply chain security and augment the NIST SP 800-171—Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations.
A key difference between the NIST SP 800-171 and a CMMC is the removal of a self-attestation component in favor of a third-party assessor model. A CMMC assessment is a mandatory component for prime contractors bidding on an opportunity or subcontract with the Department of Defense, which includes RFPs and RFIs.
The Defense Industrial Base (DIB) is strongly encouraging the adoption of CMMC. Organizations will coordinate with accredited independent third parties to request a CMMC assessment.
CMMC Five Maturity Levels
The CMMC contains five maturity levels, which an assessor will draw from to grant specific certification levels. The five levels are:
CMMC Level 1 – Basic Cyber Hygiene (17 controls): Basic cybersecurity appropriate for small companies.
CMMC Level 2—Intermediate Cyber Hygiene (72 Controls—contains level 1 controls): Contains universally accepted NIST SP and CSF cybersecurity best practices.
CMMC Level 3—Good Cyber Hygiene (130 Controls—contains level 2 controls): Includes coverage of all NIST 800-171 controls and additional CMMC components.
CMMC Level 4—Proactive (156 Controls—contains level 3 controls): Includes advanced and sophisticated cybersecurity practices and cybersecurity controls.
CMMC Level 5—Advanced/Progressive (171 Controls—contains level 4 controls): Includes highly advanced cybersecurity practices and cybersecurity standards.
How to obtain compliance?
DoD contractors seeking CMMC compliance need to first look at the cybersecurity maturity of their organizations. While CMMC isn’t fully baked with all the requirements from the Defense Federal Acquisition Regulation Supplement (DFARS), enough of them are in the draft that adoption is not far behind. CMMC requirements will vary based on the level of certification a contractor is seeking and they need to have a good idea of the level they are seeking.
Take for instance a contract that requires CMMC Level 1, which would mean CMMC certification level 1. This level highlights a very basic cybersecurity competency.
A few examples of controls needed for level 1 compliance are:
- Limit information systems access to authorized users, processes acting on behalf of authorized users, or devices
- Limit information system access to the types of transactions and functions that authorized users are permitted to execute
- Verify and control/limit connections to, and use of external information systems
- Control information posted or processed on publicly accessible information systems
There are no plans to authorize contractors to self-assess for any levels in the CMMC. Organizations need to coordinate with independent third parties to schedule a CMMC assessment.
It is important to note that the organization asking for the assessment must have an idea of the CMMC level they are needing. The assessor will not come in and perform a level 5 assessment when the contractor only needs to comply with level 3.
The organization must demonstrate the proper controls and capabilities to obtain the CMMC certification. The level that an organization is granted will be publicly available but the assessor will not release specific findings.
Why is CMMC important?
Self-assessment as part of SP 800-171 has widely been viewed as a failure. Classified Unclassified Information (CUI) has been leaked repeatedly to foreign powers and nation-states.
The CMMC framework has been designed to prevent the unauthorized transmission of CUI. Keep in mind that certification or compliance is a point in time grant. Just because a defense contractor has been certified does not mean they will stay that way.
Good practices such as vulnerability management, data security, identity management, and risk management need to be the core of a basic cyber hygiene program. The CMMC should not end with certification. Rather, it needs to be the beginning of a resilient security architecture.