What is CMMC?
In January 2020 the Department of Defense (DoD) announced a new standard for assessing an organization’s cybersecurity posture called “Cybersecurity Maturity Model Certification (CMMC).” According to CMMC, all DoD contractors that process, transmit or store Controlled Unclassified Information (CUI) will be asked to be certified by a third-party assessment organization (C3PAO). The new CMMC program consists of five levels of certification in both cybersecurity practices and processes.
When will CMMC compliance be required?
The rollout of CMMC will be phased over five years to minimize impact. After October 1, 2025, all new contracts will be required to meet the CMMC framework. The key difference between the current DFAR 7012 and DFAR 7021 is that DFAR 7012 allows for self-attestation, while DFAR 7021 will require a third-party audit. The third-party audit will be conducted by accredited C3PAOs (Certified 3rd Party Assessment Organizations).
Contractors handling only FCI (Federal Contract Information) will be required to meet Level 1, which encompasses 15 practices. Contractors handling CUI (Controlled Unclassified Information, think ITAR and 600 Series) will need to meet Level 3, which requires meeting 130 practices (NIST 800-171's 110 controls plus 20 CMMC practices).
CMMC FRAMEWORK REQUIREMENTS
Each company might possess different types and sensitivities of Controlled Unclassified Information (CUI). The CMMC model provides a way to improve the current cybersecurity processes and practices to align with each level requirement.
The focus of each CMMC level:
- Level 1: Safeguard Federal Contract Information (FCI)
- Level 2: Serve as a transition step in cybersecurity maturity progression to protect CUI
- Level 3: Protect Controlled Unclassified Information (CUI)
- Levels 4-5: Protect CUI and reduce the risk of Advanced Persistent Threats (APTs)
Source: Version 1.02 of the CMMC model
CMMC Levels and Associated Focus
Level 1 focuses on the protection of Federal Contract Information (FCI) and consists only of practices that correspond to the basic safeguarding requirements specified in 48 CFR 52.204-21 (“Basic Safeguarding of Covered Contractor Information Systems”).
Level 2 serves as a progression from Level 1 to Level 3 and consists of a subset of the security requirements specified in NIST SP 800-171 as well as practices from other standards and references. Because this level represents a transitional stage, a subset of the practices references the protection of CUI.
Level 3 focuses on the protection of CUI and encompasses all of the security requirements specified in NIST SP 800-171 as well as additional practices from other standards and references to mitigate threats.
Level 4 focuses on the protection of CUI from Advanced Persistent Threats (APTs) and encompasses a subset of the enhanced security requirements from Draft NIST SP 800-171B as well as other cybersecurity best practices. These practices enhance the detection and response capabilities of an organization to address and adapt to the changing tactics, techniques, and procedures (TTPs) used by APTs.
Level 5 focuses on the protection of CUI from APTs. The additional practices increase the depth and sophistication of cybersecurity capabilities.
Source: Version 1.02 of the CMMC model
CMMC Domains & Practices
The CMMC framework consists of 17 domains. 14 of these domains originate from the Federal Information Processing Standards (FIPS) Publication 200 and NIST SP 800-171, and three additional domains are specific to the CMMC model.
- Level 1 is equivalent to all of the safeguarding requirements from FAR Clause 52.204-21.
- Level 3, building on Levels 1 and 2, includes all of the security requirements in NIST SP 800-171 plus other practices.
Source: Version 1.02 of the CMMC model
The CMMC framework consists of 17 domains. 14 of these domains originate from the Federal Information Processing Standards (FIPS) Publication 200 and NIST SP 800-171, and three additional domains are specific to CMMC – Asset Management (AM), Recovery (RE) and Situational Awareness (SA).
These domains are listed from A-Z:
- Access Control (AC)
- Asset Management (AM)-CMMC
- Audit and Accountability (AU)
- Awareness and Training (AT)
- Configuration Management (CM)
- Identification and Authentication (IA)
- Incident Response (IR)
- Maintenance (MA)
- Media Protection (MP)
- Personnel Security (PS)
- Physical Protection (PE)
- Recovery (RE)-CMMC
- Risk Management (RM)
- Security Assessment (CA)
- Situational Awareness (SA)-CMMC
- System and Communications Protection (SC)
- System and Information Integrity (SI)
Source: Version 1.02 of the CMMC model
WHAT ACTIONS SHOULD YOU TAKE NOW TO BE COMPLIANT?
A majority of DoD suppliers should meet Level 3 (ITAR, 600 series, DoD data) by 2025. This can be rolled out over the next few years to grow into full compliance.
Here are our recommendations:
- Identify where the CUI data resides in your company and who has both physical and electronic access to it. Limiting the number of people who can process CUI, and reviewing whether you have shared this data with foreign vendors or employees, is highly advised.
- Create, and update as needed, the following documents:
  - System Security Plan (SSP) – how you addressed the controls and how you will protect FCI and CUI (ITAR, EAR 600 Series)
  - Plan of Actions and Milestones (POAM) – how you will remediate gaps found from an assessment
  - Digital certificate to meet the DIBNET reporting requirement (72 hours)
- Post your NIST score into the Supplier Performance Risk System (SPRS)
The SSP and POAM documents are required to meet DFAR 7012, thus allowing you to self-attest to any flow downs or letters sent from a Prime. The POAM must be regularly updated to show your progress in closing the gaps identified during the assessment. The NIST assessment score must be reported to the Supplier Performance Risk System (SPRS) to meet the new DoD rules, DFARS 7019 and 7020.
HOW TO SELECT YOUR CMMC COMPLIANCE PROVIDER?
The CMMC Accreditation Body (CMMC-AB) is a non-profit, independent organization providing accreditation services for the CMMC Third-Party Assessment Organizations (C3PAOs) and individual assessors. The CMMC framework itself was created by the Department of Defense (DoD) to assess and strengthen the cybersecurity posture across the Defense Industrial Base (DIB). CMMC ensures that DoD suppliers have basic cybersecurity hygiene and protection for controlled unclassified information (CUI).
The CMMC-AB has developed a CMMC Marketplace located at cmmcab.org/marketplace. The marketplace includes a list of approved Registered Provider Organizations (RPOs), Certified Third-Party Assessment Organizations (C3PAOs), Licensed Partner Publishers (LPPs), and Licensed Training Providers (LTPs), as well as individual providers. After the CMMC Marketplace is fully established, DoD suppliers will be able to select one of the approved provider organizations for their CMMC assessment.
CyberNINES is a CMMC Registered Provider Organization (RPO) and a Candidate Certified 3rd Party Assessment Organization (C3PAO). Our team of cybersecurity experts brings industry-best knowledge in assessing and managing cybersecurity requirements for the NIST SP 800-171 and CMMC frameworks. Our cybersecurity services provide high-value and affordable CMMC and NIST SP 800-171 assessments, audits, and compliance management to small and medium-sized businesses within the DoD supply chain. Services include Government Cloud solutions for Controlled Unclassified Information (ITAR and 600 Series) to meet DFAR 252.204-7012, 7019, and 7020 regulations, and virtual CISO services to reduce the cybersecurity risk posture of suppliers and primes.
Looking for help with your organization’s cybersecurity assessment or meeting compliance with NIST SP 800-171 or CMMC? Send us an email at email@example.com or fill out the form below to schedule your free consultation with one of our experts.