CMMC Overview: What You Need to Know to Become and Remain Compliant

What is CMMC?

In January 2020 the Department of Defense (DoD) announced a new standard for assessing an organization’s cybersecurity posture called the “Cybersecurity Maturity Model Certification (CMMC).” Under CMMC, all DoD contractors that process, transmit or store Controlled Unclassified Information (CUI) will be asked to be certified by a third-party assessment organization (C3PAO). The new CMMC program consists of five levels of certification covering both cybersecurity practices and processes.

When will CMMC compliance be required?

The rollout of the CMMC will be phased over five years to minimize impact. After October 1, 2025, all new contracts will be required to meet the CMMC framework. The key difference between the current DFAR 7012 and DFAR 7021 is that DFAR 7012 allows for self-attestation, while DFAR 7021 will require a third-party audit. The third-party audit will be conducted by accredited C3PAOs (Certified 3rd Party Assessment Organizations).

For contractors handling only FCI (Federal Contract Information), Level 1 will be required, which encompasses 15 practices. For contractors handling CUI (Controlled Unclassified Information; think ITAR and 600 Series), you will need to meet Level 3, which requires meeting 130 practices (NIST 800-171's 110 controls plus 20 CMMC practices).

CMMC FRAMEWORK REQUIREMENTS

The CMMC framework links the model to a systematic approach for achieving a certification level. It consists of several components: domains (14) and practices (110+) corresponding to the certification level.
 

  • Level 1 (Performed: 17 practices). An organization must demonstrate basic cyber hygiene practices, such as ensuring employees change passwords regularly to protect Federal Contract Information (FCI). FCI is "information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government."
  • Level 2 (Managed: 110 practices). An organization must have an institutionalized management plan to implement good cyber hygiene practices to safeguard CUI, including all the NIST 800-171 r2 security requirements and processes.
  • Level 3 (Optimizing: 110+ practices). An organization must have standardized and optimized processes in place, plus additional enhanced practices that detect and respond to the changing tactics, techniques and procedures (TTPs) of advanced persistent threats (APTs). An APT is an adversary that possesses sophisticated levels of cyber expertise and significant resources to conduct attacks from multiple vectors. Its capabilities include having the resources to monitor, scan, and process data forensics.

 

Source: Version CMMC 2.0

CMMC Levels and Associated Focus

Each company might possess different types and sensitivities of Controlled Unclassified Information (CUI). The CMMC model provides a way to improve the current cybersecurity processes and practices to align with each level requirement. With the implementation of the Cybersecurity Maturity Model Certification (CMMC) 2.0 program, the Department is introducing several key changes that build on and refine the original program requirements. These are:

 

Streamlined Model
  • Focused on the most critical requirements: Streamlines the model from 5 to 3 compliance levels
  • Aligned with widely accepted standards: Uses National Institute of Standards and Technology (NIST) cybersecurity standards
Reliable Assessments
  • Reduced assessment costs: Allows all companies at Level 1, and a subset of companies at Level 2, to demonstrate compliance through self-assessments
  • Higher accountability: Increases oversight of professional and ethical standards of third-party assessors
Flexible Implementation
  • Spirit of collaboration: Allows companies, under certain limited circumstances, to make Plans of Action & Milestones (POA&Ms) to achieve certification
  • Added flexibility and speed: Allows the Government to waive inclusion of CMMC requirements under certain limited circumstances

Source: Version CMMC 2.0 model

CMMC Domains & Practices

The CMMC framework consists of 17 domains: 14 of these domains originate from the Federal Information Processing Standards (FIPS) Publication 200 and NIST SP 800-171, and three additional domains are specific to the CMMC model.

  • Level 1 is equivalent to all of the safeguarding requirements from FAR Clause 52.204-21.
  • Level 3, building on Levels 1 and 2, includes all of the security requirements in NIST SP 800-171 plus other practices.

Source: Version 1.02 of the CMMC model

The CMMC framework consists of 17 domains: 14 of these domains originate from the Federal Information Processing Standards (FIPS) Publication 200 and NIST SP 800-171, and three additional domains are specific to the CMMC – Asset Management (AM), Recovery (RE) and Situational Awareness (SA).

These domains are listed from A-Z:

  • Access Control (AC)
  • Asset Management (AM)-CMMC
  • Audit and Accountability (AU)
  • Awareness and Training (AT)
  • Configuration Management (CM)
  • Identification and Authentication (IA)
  • Incident Response (IR)
  • Maintenance (MA)
  • Media Protection (MP)
  • Personnel Security (PS)
  • Physical Protection (PE)
  • Recovery (RE)-CMMC
  • Risk Management (RM)
  • Security Assessment (CA)
  • Situational Awareness (SA)-CMMC
  • System and Communications Protection (SC)
  • System and Information Integrity (SI)

Source: Version CMMC 2.0 model

WHAT ACTIONS SHOULD YOU TAKE NOW TO BE COMPLIANT?

A majority of DoD suppliers should meet Level 3 (ITAR, 600 series, DoD data) by 2025. This can be rolled out over the next few years to grow into full compliance.

Here are our recommendations:

  1. Identify where the CUI data resides in your company and who has both physical and electronic access to it. Limiting the number of people who can process CUI, and reviewing whether you have exported this data to foreign vendors or employees, is highly advised.
  2. Create, and update as needed, the following documents:
    • System Security Plan (SSP) – how you addressed the controls and how you will protect FCI and CUI (ITAR, EAR 600 Series)
    • Plan of Actions and Milestones (POAM) – how you will remediate the gaps found in an assessment
    • Digital certificate to meet the DIBNET incident reporting requirement within 72 hours
    • Post your NIST score into the Supplier Performance Risk System (SPRS)

The SSP and POAM documents are required to meet DFAR 7012, thus allowing you to self-attest to any flow-downs or letters sent from a Prime. The POAM must be regularly updated to show your progress in closing the gaps identified during the assessment. The NIST assessment score must be reported to the Supplier Performance Risk System (SPRS) to meet the new DoD rules, DFARS 7019 and 7020.

 

HOW TO SELECT YOUR CMMC COMPLIANCE PROVIDER?

The Cyber Accreditation Body (Cyber-AB) is a non-profit, independent organization providing accreditation services for CMMC Third-Party Assessment Organizations (C3PAOs) and individual assessors. The CMMC framework itself was created by the Department of Defense (DoD) to assess and strengthen the cybersecurity posture across the Defense Industrial Base (DIB). The CMMC ensures that DoD suppliers have basic cybersecurity hygiene and protection for controlled unclassified information (CUI).

The CMMC-AB has developed a CMMC Marketplace, located at Cyber-AB Marketplace. The marketplace includes a list of approved Registered Provider Organizations (RPOs), Certified Third-Party Assessment Organizations (C3PAOs), Licensed Partner Publishers (LPPs), and Licensed Training Providers (LTPs), as well as individual providers. After the CMMC Marketplace is fully established, DoD suppliers will be able to select one of the approved provider organizations for their CMMC assessment.

CyberNINES is a CMMC Registered Provider Organization (RPO) and a Candidate Certified 3rd Party Assessment Organization (C3PAO). Our team of cybersecurity experts brings industry-leading knowledge in assessing and managing cybersecurity requirements for the NIST SP 800-171 and CMMC frameworks. Our cybersecurity services provide high-value and affordable CMMC & NIST SP 800-171 assessments, audits, and compliance management to small and medium-sized businesses within the DoD supply chain. Services include Government Cloud solutions for Controlled Unclassified Information (ITAR and 600 Series) to meet the DFAR 252.204-7012, 7019, and 7020 regulations, and virtual CISO services to reduce the cybersecurity risk posture of suppliers and primes.

Looking for help with your organization’s Cybersecurity assessment or meeting compliance with NIST SP 800-171 or CMMC? Send us an email at inquiry@cybernines.com or fill out the form below to schedule your free consultation with one of our experts.