On January 31, 2020, the U.S. Department of Defense released the Cybersecurity Maturity Model Certification (CMMC) which will drastically shape the future of cybersecurity for over 300,000 businesses across the country.
What is the CMMC?
The CMMC is a newly established set of cybersecurity standards and necessary practices within the Defense Industrial Base (DIB) and consists of five maturity levels, ranging from “Basic Cybersecurity Hygiene” (ML1) up to “Advanced/Progressive” (ML5). Each level requires a certain amount of controls managed, including access control, asset management, configuration management, and more.
The CMMC is being created and implemented in order to ensure the ultimate cybersecurity of the DIB network, as the CMMC will have the ability to examine and approve (or disapprove) an established standard of cybersecurity practices, basic cyber hygiene, and protection of controlled unclassified information. (Information drawn from The Office of the Under Secretary of Defense for Acquisition & Sustainment.)
The impact of this will be extremely widespread—though not yet fully known. Companies required to uphold this new standard of cybersecurity will now have an extremely high bar to achieve in order to meet all of the CMMC requirements.
Regardless of which certification level your company desires to achieve, the requirements to become CMMC certified at any level are extensive.
What companies must comply with the CMMC?
Though it will roll out gradually across the next five years, CMMC certification will eventually be required for all companies that are DoD contractors.
Certain companies will require higher levels of certification than others depending on the scale and how much controlled unclassified information (CUI) goes through a given company. The higher the level, the higher ability to protect CUI and the lower the risk for advanced persistent threats (APTs).
What are the criteria to become CMMC certified?
As listed by the Office of the Under Secretary of Defense for Acquisition & Sustainment (OUSD A&S), the CMMC model consists of 17 domains. Each domain consists of its own set of practices with 171 practices in total. See a summary of the domains and practices below:
- Access Control
- Including, but not limited to: establish system access requirements; control internal system access; control remote system access; limit data access to authorized users and processes.
- Asset Management
- Including, but not limited to: identify and document assets; manage asset inventory.
- Audit and Accountability
- Including, but not limited to: define audit requirements; conduct audits; protect audit information; manage audit logs.
- Awareness and Training
- Including, but not limited to: security awareness activities; conducting training.
- Configuration Management
- Including, but not limited to: establish configuration baselines; perform configuration and change management.
- Identification and Authentication
- Including, but not limited to: grant access to authenticated entities.
- Incident Response
- Including, but not limited to: plan incident response; detect and report events; develop and implement a response to a declared incident; perform post incident reviews; test incident response.
- Including, but not limited to: manage maintenance.
- Media Protection
- Including, but not limited to: identify and mark media; protect and control media; sanitize media; protect media during transport.
- Personnel Security
- Including, but not limited to: screen personnel; protect CUI during personnel actions.
- Physical Protection
- Including, but not limited to: limit physical access.
- Including, but not limited to: manage backups; manage information security continuity.
- Risk Management
- Including, but not limited to: identify and evaluate risk; manage risk; manage supply chain risk.
- Security Assessment
- Including, but not limited to: develop and manage a system security plan; define and manage controls; perform code reviews.
- Situational Awareness
- Including, but not limited to: implement threat monitoring.
- System and Communications Protection
- Including, but not limited to: define security requirements from systems and communications; control communications at system boundaries.
- System and Information Integrity
- Including, but not limited to: identify and manage information system flaws; identify malicious content; perform network and system monitoring; implement advanced email protections.
However, not all of the above practices are required for every maturity level. The criteria vary from Levels 1-5, but all require strictly regulated standards that companies need to identify, plan around and prepare for.
The five levels, though much more robust than written in this summary, are summarized below:
- Level 1: Most basic level of security; requirements include basic cyber hygiene practices including the protection of Federal Contract Information (FCI).
- 17 practices required.
- Level 2: Transition into further cybersecurity maturity progression to eventually protect CUI.
- 72 practices required.
- Level 3: Successfully protecting CUI and mitigating threats.
- 130 practices required.
- Level 4: Protecting CUI and lowering the risk of APTs.
- 156 practices required.
- Level 5: Highest level of security; Protecting CUI and lowering the risk of APTs with a further depth and sophistication of cybersecurity capabilities.
- 171 practices required.
What is the CMMC certification assessment like?
When it’s time for your company to become CMMC certified, an assessor will visit your organization to perform an examination to validate (or reject) that your company adheres to the proper criteria mentioned above.
The assessment process is fairly unforgiving and grades companies on a pass-fail basis. No “in-betweens” or “almost theres” will be acceptable. There is only one shot on the assessment to make it correct; otherwise, you will have to pay for multiple assessments. In addition to cost, scheduling and timelines may be an issue as there is a finite quantity of assessors with limited availability.
For these reasons, proper preparation is critical.
What should DoD contractors do now to prepare?
To do the necessary planning and scoping for a successful CMMC assessment, it is essential that organizations start planning as early as possible to enlist professional services to identify where gaps may exist and assist with remediation activities.
Cential has had the exclusive opportunity to gain added perspective on the CMMC training and assessment process that most companies do not yet have as we’ve had two members of our team attend extensive CMMC training and obtain Certified Provisional Assessor Status that less than 100 professionals currently have.
With this added experience on our team, Cential has been able to get ahead of the curve and prepare for all of the CMMC regulations that every DoD contractor will eventually need to comply with.
We are able to offer the opportunity to assist companies that will require CMMC certification, understand and assist with remediation, and take the appropriate steps to achieve their desired level of maturity on CMMC.
Cential offers the knowledge and time to help companies digest and plan for what needs to be done surrounding their CMMC certification so business owners and managers are able to keep their focus on their day-to-day business operations.