What is CMMC?
CMMC stands for “Cybersecurity Maturity Model Certification”. Created specifically to help safeguard Controlled Unclassified Information (“CUI”) in non-federal systems, CMMC was introduced by the U.S. Department of Defense and is considered a continuation of earlier efforts in which defense contractors and subcontractors were required to comply with the NIST SP 800-171 cybersecurity standard if they received, handled, stored, or processed CUI. CMMC encompasses five maturity levels that range from “Basic Cybersecurity Hygiene” to “Advanced/Progressive”. Each level consists of its own practices and processes in addition to those specified in the lower levels.
In addition to the 110 security requirements specified in NIST SP 800-171 rev1, CMMC incorporates practices and processes from other standards, references, and sources, including NIST SP 800-53, National Aerospace Standard (NAS) 9933, and the Computer Emergency Response Team (CERT) Resilience Management Model (RMM).
Who is Required to be CMMC Certified?
The DoD is incorporating the CMMC certification requirement into the Defense Federal Acquisition Regulation Supplement (DFARS) as a condition of contract award. The CMMC framework will eventually be used to assess and enhance the cybersecurity posture of the Defense Industrial Base (DIB). Simply put, through the processes and practices found in CMMC, government agencies will be able to verify the maturity of the cybersecurity mechanisms implemented by any company.
Does my company need to be CMMC certified?
CMMC is a requirement that will apply to the unclassified networks of all contractors and subcontractors that handle, process, and/or store Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). If your business does more than develop or manufacture COTS products and software, and you plan to handle, process, and/or store FCI or CUI, then your company will need to be CMMC certified.
At the moment, the plan is to implement the CMMC framework within the DoD Defense Industrial Base. However, other federal government agencies are expected to follow suit by requiring CMMC certification of companies and organizations that need to access, store, and process CUI released by those agencies.
It is also important to know that your company may be disqualified from participating in contracts that require CMMC if your organization is not certified.
Are you confused about what level of CMMC certification you need?
The CMMC level you will need depends on the sensitivity of the information you will be accessing and storing. The DoD will specify the required CMMC level in Requests for Information (RFIs) and Requests for Proposals (RFPs). Keep in mind that no company can self-certify. Only CMMC Third Party Assessment Organizations (C3PAOs) and individual assessors accredited by the CMMC Accreditation Body (AB) may perform CMMC assessments. Also, a company that receives a CMMC certificate will need to be re-certified every 3 years.
What are the Components of CMMC?
The CMMC model consists of 17 control domains. Most of these domains are drawn from the security requirement families introduced in the NIST SP 800-171 standard and from various Federal Information Processing Standards (FIPS) Publications. In addition, the CMMC model includes three further domains: Asset Management, Situation Awareness, and Recovery. The CMMC maturity levels are described as follows:
CMMC Level 1
Level 1 requires that an organization performs the specified practices. Because the organization may only be able to perform these practices in an ad-hoc manner and may or may not rely on documentation, process maturity is not assessed for Level 1.
Level 1 focuses on the protection of FCI, requires Basic Cyber Hygiene, and consists of 17 practices that correspond to the basic safeguarding requirements specified in DFARS, 48 CFR 52.204-21.
CMMC Level 2
Level 2 requires that an organization establishes and documents practices and policies to guide the implementation of its CMMC efforts. The documentation of practices enables individuals to perform them in a repeatable manner. Organizations develop mature capabilities by documenting their processes and then practicing them as documented.
Level 2 serves as a progression from Level 1 to Level 3 and consists of a subset of the security requirements specified in NIST SP 800-171 as well as practices from other standards and references. Because this level represents a transitional stage, a subset of the practices references the protection of CUI. Level 2 consists of 72 practices to achieve Intermediate Cyber Hygiene.
CMMC Level 3
Level 3 requires that an organization establishes, maintains, and resources a plan demonstrating the management of activities for practice implementation. The plan may include information on missions, goals, project plans, resourcing, required training, and involvement of relevant stakeholders.
Level 3 focuses on the protection of CUI and encompasses all of the security requirements specified in NIST SP 800-171 as well as additional practices from other standards and references to mitigate threats. Note that DFARS clause 252.204-7012 specifies additional requirements beyond the NIST SP 800-171 security requirements, such as incident reporting. In addition to the 72 practices required to achieve Level 2 maturity, Level 3 contains 58 more practices, for a total of 130 practices to achieve Good Cyber Hygiene.
CMMC Level 4
Level 4 requires that an organization review and measure practices for effectiveness. In addition to measuring practices for effectiveness, organizations at this level are able to take corrective action when necessary and inform higher level management of status or issues on a recurring basis.
This level of CMMC focuses on the protection of CUI from Advanced Persistent Threats (APTs) and encompasses a subset of the enhanced security requirements from NIST SP 800-171 as well as other cybersecurity best practices. In addition to the 130 practices required to achieve Level 3 maturity, Level 4 includes 26 more practices, for a total of 156 practices to achieve a proactive cybersecurity environment.
CMMC Level 5
Level 5 requires an organization to standardize and optimize process implementation across the organization. This level of maturity focuses on the protection of CUI from Advanced Persistent Threats (APTs). The 15 additional practices, on top of the 156 practices required for Level 4 maturity, increase the depth and sophistication of cybersecurity capabilities.
How Can We Help You?
Defense contractors and subcontractors will need to be ready for CMMC in order to save time and money during the assessment. Don’t try to manage it all alone! Linqs has extensive experience in compliance with cybersecurity laws and standards, including the NIST 800-171 standard and the CMMC process. We can assist you with education and understanding, training, and developing your cybersecurity processes in preparation for CMMC certification. That way, you will go through the official CMMC assessment process much more comfortably, knowing that all the necessary tools, documentation, and procedures are in place to obtain the certificate. Furthermore, the cost of CMMC preparation and certification is generally considered an allowable and reimbursable cost for DoD projects.