CMMC is the new minimum standard for cybersecurity compliance for the US Department of Defense (DoD). The CMMC’s five-tier certification framework is a requirement for all DoD contractors and will become the baseline for evolving cybersecurity mandates. Because it will significantly affect your ability to meet minimum contract requirements, let’s unpack the CMMC basics and see how Consul-vation can help you get ready.
What is CMMC?
CMMC stands for Cybersecurity Maturity Model Certification, which the DoD adopted on January 31, 2020, in response to increased compromises of sensitive DoD Controlled Unclassified Information (CUI) on contractor systems. The CMMC was drafted with collaborative input from university-affiliated and federally funded research and development centers and from industry. This unified standard is being implemented across all 300,000+ companies in the Defense Industrial Base (DIB) supply chain.
The accumulated leaks of CUI from the DIB sector significantly increase the risk to national security and to national economic security. While the DoD continues to enhance its protection of CUI, the Council of Economic Advisers estimates that between $57 billion and $109 billion was lost to malicious cyber activity in 2016, and the Center for Strategic and International Studies (CSIS) reports that the United States loses about $600 billion to cybercrime annually.
In essence, the CMMC will become an enhanced verification mechanism to ensure the DIB sector complies with regulated cybersecurity best practices in protecting Federal Contract Information (FCI) and CUI.
What are the five levels of CMMC?
The CMMC is a tiered framework that validates compliance at each maturity level. This process helps the DIB contractor and the CMMC Third-Party Assessor Organization (C3PAO) step through the audits. A certificate is awarded by the CMMC Advisory Board (CMMC-AB) for fulfilling each tier’s requirements.
CMMC LEVEL 1: Basic Cyber Hygiene
The goal of CMMC level 1 is to ensure compliance with the 17 practices addressing the protection of FCI as specified in 48 CFR 52.204-21 (“Basic Safeguarding of Covered Contractor Information Systems”). It includes:
- Access Control (AC)
- Identification and Authentication (IA)
- Media Protection (MP)
- Physical Protection (PE)
- System and Communications Protection (SC)
- System and Information Integrity (SI)
By implementing these level 1 CMMC measures, the DIB organization demonstrates its adoption of basic cyber hygiene.
CMMC LEVEL 2: Intermediate Cyber Hygiene
Once CMMC level 1 is achieved, CMMC level 2 adds 55 security controls to improve the contractor’s cybersecurity safeguards. This intermediate cyber hygiene goal requires the DIB contractor to establish and document policies that guide its CMMC efforts as repeatable standards. It includes:
- Access Control (AC)
- Audit & Accountability (AU)
- Awareness & Training (AT)
- Configuration Management (CM)
- Identification & Authentication (IA)
- Incident Response (IR)
- Maintenance (MA)
- Media Protection (MP)
- Personnel Security (PS)
- Physical Protection (PE)
- Recovery (RE)
- Risk Management (RM)
- Security Assessment (CA)
- System & Communications Protection (SC)
- System & Information Integrity (SI)
Implementing the level 2 practices is a more refined and in-depth process that lays the foundation for level 3.
CMMC LEVEL 3: Good Cyber Hygiene
In addition to introducing further threat mitigation practices, CMMC level 3 is the final tier of prevention-based NIST SP 800-171 cybersecurity requirements; it adds 58 controls to level 2 for a total of 130 specific practices. This critical step demonstrates the DIB contractor’s ability to establish, maintain, resource, and manage its implementation plan, which must include:
- Access Control (AC)
- Asset Management (AM)
- Audit & Accountability (AU)
- Awareness & Training (AT)
- Configuration Management (CM)
- Identification & Authentication (IA)
- Incident Response (IR)
- Maintenance (MA)
- Media Protection (MP)
- Physical Protection (PE)
- Recovery (RE)
- Risk Management (RM)
- Security Assessment (CA)
- Situational Awareness (SA)
- System & Communications Protection (SC)
- System & Information Integrity (SI)
The successful implementation of CMMC level 3 procedures demonstrates the DIB organization’s maturity toward protecting both FCI and CUI.
CMMC LEVEL 4: Proactive Cyber
By adding 26 security controls to the 130 in level 3, CMMC level 4 focuses on analytics to measure efficacy. This level highlights the DIB contractor’s performance management procedures and how quickly it takes corrective action when necessary, through a strict review and analysis process. The specific categories addressed in level 4 are:
- Access Control (AC)
- Asset Management (AM)
- Audit & Accountability (AU)
- Awareness & Training (AT)
- Configuration Management (CM)
- Incident Response (IR)
- Risk Management (RM)
- Security Assessment (CA)
- Situational Awareness (SA)
- System & Communications Protection (SC)
- System & Information Integrity (SI)
Whereas the hygiene levels 1-3 focus on protection against recurring threats, CMMC level 4 amps up its best practices to adequately handle Advanced Persistent Threats (APTs).
CMMC LEVEL 5: Advanced Cyber
Full CMMC maturity is reached by implementing 15 additional controls drawn from NIST SP 800-171B and other sources. The focus here is on honing standardization and optimizing procedures to demonstrate consistency, efficacy, and efficiency throughout the DIB organization. It addresses the following security categories:
- Access Control (AC)
- Audit & Accountability (AU)
- Configuration Management (CM)
- Incident Response (IR)
- Recovery (RE)
- Risk Management (RM)
- System & Communications Protection (SC)
- System & Information Integrity (SI)
Level 5 is the highest level of CMMC certification and signifies the DIB contractor’s commitment to excellence in protecting Controlled Unclassified Information (CUI).
How do we become CMMC compliant?
Every DIB organization, including its subcontractors, is required by the US Department of Defense to become CMMC compliant by 2026. Given the massive scope of effort needed to obtain CMMC certification, early adopters will gain a considerable competitive advantage when bidding on new DoD contracts.
The lengthy process for obtaining Cybersecurity Maturity Model Certification has four key factors to consider:
- Pre-assessment support
- CMMC implementation cost
- Audit (CMMC Assessment) by a CMMC Third-Party Assessor Organization (C3PAO)
- CMMC certificate awarded by the CMMC Advisory Board (CMMC-AB)
Consul-vation is your CMMC preparedness partner. We can help your organization get ready for the audit at each of the five tiers and provide continued maintenance and accountability beyond the pre-assessment phase. We’ll start with a CMMC gap analysis and readiness assessment to find the holes in your cybersecurity practice and then help you create a best-practice blueprint to address them.
Cyber espionage is a serious threat to national security, and the US Department of Defense is taking proactive measures to protect its FCI and CUI through this CMMC program. Let Consul-vation help your organization mitigate this risk and get rewarded with a game-changing competitive advantage.