CMMC is an important requirement looming on the horizon that will impact all federal contracting organizations and the way they do business. It is important to note that the exact requirements companies must adhere to have NOT been set. Be wary of anyone telling you they can get you 100 percent ready.
Did you know:
- Self-certification is no longer an option. Under previous NIST SP 800-171 regulations, DoD contractors had the option to self-certify. Any security gaps that were identified were noted in a Plan of Action and Milestones (POA&M).
- Once CMMC auditors are certified, they will be responsible for conducting third-party assessments of DoD contractors beginning in mid-2020.
- The current timeline for CMMC indicates that contractors will need to be certified by late 2020 in order to bid on contracts.
Why is this happening?
According to the Council of Economic Advisers, malicious cyber activity cost the US economy between $57 billion and $109 billion in 2016. Malicious cyber actors have targeted and continue to target the Defense Industrial Base (DIB) sector and the DoD supply chain. The DIB sector consists of over 300,000 companies that support the DoD, and a standardized approach to securing data needs to be implemented both to protect sensitive data and to put everyone on a level playing field.
What is CMMC?
- The acronym stands for Cyber Security Maturity Model Framework. It is:
  - A framework which measures cybersecurity maturity.
  - It uses five levels to rank maturity for each process/practice, with level 1 equating to basic cyber hygiene and level 5 equating to advanced/progressive practices.
  - It organizes processes and practices into domains including: access control, asset management, audit and accountability, awareness and training, configuration management, identification and authentication, incident response, maintenance, media protection, personnel security, physical protection, recovery, risk management, security assessment, situational awareness, systems and communications protection, and system and information integrity.
What information do contracting organizations need to protect?
The CMMC enhances the protection of the following types of unclassified information across multiple domains.
1. Federal Contract Information (FCI). “Information not intended for public release. It is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government. FCI does not include information provided by the Government to the public.”
2. Controlled Unclassified Information (CUI) is a category of unclassified information defined in a directive issued on May 9, 2008, by President George W. Bush. CUI replaces categories such as For Official Use Only (FOUO), Sensitive But Unclassified (SBU) and Law Enforcement Sensitive (LES).
Do organizations have to implement CMMC for all of their information/data?
No. Organizations can achieve a CMMC level for their entire network or just for a particular network segment or enclave. Obviously, there are specific requirements for segmentation. Organizations must be careful not to introduce FCI or CUI into network segments that are not intended to transmit, store, or process that type of data; otherwise those segments will come into scope for CMMC and will need to meet all CMMC requirements.
What does the CMMC model consist of?
Five levels of maturity processes and cybersecurity best practices, drawn from multiple cybersecurity standards, frameworks and other references, as well as inputs from the broader community.
The model encompasses the basic safeguarding requirements for Federal Contract Information specified in FAR clause 52.204-21 and the security requirements for CUI specified in NIST Special Publication 800-171 per DFARS clause 252.204-7012.
What are the CMMC levels?
Level 1
- Processes: Performed – Organizations perform the specified practices outlined in the aforementioned authoritative sources.
- Practices: Basic Cyber Hygiene – Consists of following only the practices that correspond to the requirements in 48 CFR 52.204-21 (Basic Safeguarding of Covered Contractor Information Systems).
Level 2
- Processes: Documented – Requires documentation of practices and policies for the implementation of CMMC efforts.
- Practices: Intermediate Cyber Hygiene – Serves as a progression level and consists of a SUBSET of the security requirements specified in NIST SP 800-171, as well as other standards and references.
Level 3
- Processes: Managed – Requires that an organization establish, maintain and resource a plan demonstrating the management of activities for practice implementation.
- Practices: Good Cyber Hygiene – Focuses on the protection of CUI and encompasses ALL security requirements specified in NIST SP 800-171, as well as other standards and references. (DFARS clause 252.204-7012 specifies additional requirements beyond NIST SP 800-171.)
Level 4
- Processes: Reviewed – Requires that organizations review and measure practices for effectiveness. Organizations at this level are able to take corrective actions and inform higher-level management of status or recurring issues.
- Practices: Proactive – Focuses on the protection of CUI from Advanced Persistent Threats (APTs) and encompasses a subset of the enhanced security requirements from NIST SP 800-171, as well as other cybersecurity best practices. These practices enhance an organization's ability to detect and respond to the tactics, techniques and procedures (TTPs) used by APTs.
Level 5
- Processes: Optimizing – Requires standardization and optimization of process implementation across the organization.
- Practices: Advanced/Progressive – Focuses on the protection of CUI from APTs. The additional practices increase the depth and sophistication of cybersecurity capabilities.
While the exact requirements for CMMC compliance have not been set, it will be critical to prepare. There are proactive measures that can be taken to improve security posture and minimize the impact of the rollout. Additionally, staying up to date on requirements and communications directly from the source, the DoD’s site, will be important.
Please contact us to answer any questions you may have, and to see how we can help.