The Cybersecurity Maturity Model Certification (CMMC)

CMMC Overview: What You Need to Know to Become and Remain Compliant

What is the CMMC?

In January 2020 the Department of Defense (DoD) announced a new standard for assessing an organization’s cybersecurity posture called “Cybersecurity Maturity Model Certification (CMMC).” According to CMMC, all DoD contractors that process, transmit or store Controlled Unclassified Information (CUI) will be asked to be certified by a third-party assessment organization (C3PAO). The new CMMC program consists of five levels of certification in both cybersecurity practices and processes.

When will CMMC compliance be required?

The rollout of the CMMC will be phased over five years to minimize impact. After October 1, 2025, all new contracts will be required to meet the CMMC framework. The key difference between the current DFAR 7012 and DFAR 7021 is that DFAR 7012 allows for self-attestation while DFAR 7021 will require a third-party audit. The third-party audit will be conducted by accredited C3PAOs (Certified 3rd Party Assessment Organizations).

For contractors only handling FCI (Federal Contract Information), Level 1 will be required, which encompasses 15 practices. For contractors handling CUI (Controlled Unclassified Information, think ITAR and 600 Series), you will need to meet Level 3, which requires meeting 130 practices (NIST SP 800-171's 110 controls plus 20 CMMC practices).

CMMC framework requirements

Each company might possess different types and sensitivities of Controlled Unclassified Information (CUI). The CMMC model provides the way to improve the current cybersecurity processes and practices to align with each level's requirements.

Focus of each CMMC level:


  • Level 1: Safeguard Federal Contract Information (FCI)
  • Level 2: Serve as transition step in cybersecurity maturity progression to protect CUI
  • Level 3: Protect Controlled Unclassified Information (CUI)
  • Levels 4-5: Protect CUI and reduce risk of Advanced Persistent Threats (APTs)

Source : Version 1.02 of the CMMC model 

CMMC Levels and Associated Focus

Level 1 focuses on the protection of Federal Contract Information (FCI) and consists only of practices that correspond to the basic safeguarding requirements specified in 48 CFR 52.204-21 (“Basic Safeguarding of Covered Contractor Information Systems”).

Level 2 serves as a progression from Level 1 to Level 3 and consists of a subset of the security requirements specified in NIST SP 800-171 as well as practices from other standards and references. Because this level represents a transitional stage, a subset of the practices reference the protection of CUI.

Level 3 focuses on the protection of CUI and encompasses all of the security requirements specified in NIST SP 800-171 as well as additional practices from other standards and references to mitigate threats.

Level 4 focuses on the protection of CUI from Advanced Persistent Threats (APTs) and encompasses a subset of the enhanced security requirements from Draft NIST SP 800-171B as well as other cybersecurity best practices. These practices enhance the detection and response capabilities of an organization to address and adapt to the changing tactics, techniques, and procedures (TTPs) used by APTs.

Level 5 focuses on the protection of CUI from APTs. The additional practices increase the depth and sophistication of cybersecurity capabilities.

Source : Version 1.02 of the CMMC model 

CMMC Domains & Practices

The CMMC framework consists of 17 domains. 14 of these domains originate from the Federal Information Processing Standards (FIPS) Publication 200 and NIST SP 800-171, and three additional domains are specific to the CMMC model.

  • Level 1 is equivalent to all of the safeguarding requirements from FAR Clause 52.204-21.
  • Level 3, building on Levels 1 and 2, includes all of the security requirements in NIST SP 800-171 plus other practices.

Source : Version 1.02 of the CMMC model 

The CMMC framework consists of 17 domains. 14 of these domains originate from the Federal Information Processing Standards (FIPS) Publication 200 and NIST SP 800-171, and three additional domains are specific to the CMMC – Asset Management (AM), Recovery (RE) and Situational Awareness (SA).

These domains are listed from A-Z:

  1. Access Control (AC)
  2. Asset Management (AM)-CMMC
  3. Audit and Accountability (AU)
  4. Awareness and Training (AT)
  5. Configuration Management (CM)
  6. Identification and Authentication (IA)
  7. Incident Response (IR)
  8. Maintenance (MA)
  9. Media Protection (MP)
  10. Personnel Security (PS)
  11. Physical Protection (PE)
  12. Recovery (RE)-CMMC
  13. Risk Management (RM)
  14. Security Assessment (CA)
  15. Situational Awareness (SA)-CMMC
  16. System and Communications Protection (SC)
  17. System and Information Integrity (SI)

Source : Version 1.02 of the CMMC model 

What Actions Should You Take Now to Be Compliant?

A majority of DoD suppliers should meet Level 3 (ITAR, 600 series, DoD data) by 2025. This can be rolled out over the next few years to grow into full compliance.

Here are our recommendations:

  1. Identify where the CUI data resides in your company and who has both physical and electronic access to it. Limiting the number of people who can process CUI, and reviewing whether you have exported this data to foreign vendors or employees, is highly advised.

  2. Create and update as needed the following documents:

       • System Security Plan (SSP) – how you addressed the controls and how you will protect FCI and CUI (ITAR, EAR 600 Series)
       • Plan of Actions and Milestones (POAM) – how you will remediate gaps found from an assessment
       • Digital certificate to meet the DIBNET reporting requirement in 72 hours
       • Post your NIST score into the Supplier Performance Risk System (SPRS)

The SSP and POAM documents are required to meet DFAR 7012, thus allowing you to self-attest to any flow downs or letters sent from a Prime. The POAM must be regularly updated showing your progress to close the gaps identified during the assessment. The NIST assessment score must be reported to the Supplier Performance Risk System (SPRS) to meet the new DoD rules, DFARS 7019 and 7020.

How to Submit a NIST Score?

The Department of Defense’s (DoD) Interim Final Rule that went into effect on 30 November 2020 requires both primes and sub-contractors to submit their NIST SP 800-171 assessment score to the Supplier Performance Risk System (SPRS). Learn how to submit your NIST assessment score in this step-by-step manual!

How to Select Your CMMC Compliance Provider?

The CMMC Accreditation Body (CMMC-AB) is a non-profit, independent organization providing accreditation services for the CMMC Third-Party Assessment Organizations (C3PAO) and individual assessors. The CMMC framework itself was created by the Department of Defense (DoD) to assess and strengthen the cybersecurity posture across the Defense Industrial Base (DIB). The CMMC ensures the DoD suppliers have the basic cybersecurity hygiene and protection for controlled unclassified information (CUI).

The CMMC-AB has developed a CMMC Marketplace located at cmmcab.org/marketplace. The marketplace includes a list of approved Registered Provider Organizations (RPOs), Certified Third-Party Assessment Organizations (C3PAOs), Licensed Partner Publishers (LPPs), Licensed Training Providers (LTPs), as well as individual providers. After the CMMC Marketplace is fully established, DoD suppliers will be able to select one of the approved provider organizations for their CMMC assessment.

CyberNINES is a CMMC Registered Provider Organization (RPO) and a Candidate Certified 3rd Party Assessment Organization (C3PAO). Our team of cybersecurity experts brings industry best knowledge in assessing and managing cybersecurity requirements for the NIST SP 800-171 and CMMC frameworks. Our cybersecurity services provide high value and affordable CMMC & NIST SP 800-171 assessments, audits and compliance management to small and medium-size businesses within the DOD Supply Chain. Services include Government Cloud solutions for Controlled Unclassified Information (ITAR and 600 Series) to meet DFAR 252.204-7012, 7019 and 7020 regulations and virtual CISO services to limit the cybersecurity risk posture of suppliers and primes.

Looking for help with your organization’s cybersecurity assessment or meeting compliance with NIST SP 800-171 or CMMC? Send us an email to inquiry@cybernines.com or fill out the form below to schedule your free consultation with one of our experts.

About CyberNINES

CyberNINES is a Service-Disabled Veteran-Owned Small Business focused on cybersecurity services that provides high value and affordable CMMC & NIST SP 800-171 assessments, audits and compliance management to small and medium-size businesses within the DOD Supply Chain. Our solutions include Government Cloud solutions for Controlled Unclassified Information (ITAR and 600 Series) to meet DFAR 252.204-7012, 7019 and 7020 regulations and virtual CISO services to limit the cybersecurity risk posture of suppliers and primes.

CyberNINES Areas of Service as it pertains to DOD Primes

  • CMMC Pre-Assessment Readiness Reviews for Level 1 and Level 3
  • DFARS 252.204-7012, 7019 and 7020 compliance assessments
  • NIST SP 800-171 compliance assessments
  • Managed Compliance Service Pro

Department of Defense’s CMMC: Where Is It Now?

What is the current status of the DoD’s CMMC program as of July 2021? What will likely be expected of DoD contractors? Learn this and other important information in this external article from JD Supra.