The Cybersecurity Maturity Model Certification (CMMC) is a relatively new framework for implementing the information security processes and practices required by the Department of Defense (DoD). Beginning in 2021, contracts offered by the DoD can specify a required level of CMMC validation in order for the recipient to be awarded the contract. The plan is to continue to slowly phase in the CMMC requirements to DoD contracts, and by 2026 all active contracts will require CMMC certification.
The CMMC was developed to protect sensitive controlled unclassified information (CUI) and prevent possible compromise by evaluating and confirming adequate security through a third-party verification process. Organizations’ approach to protecting CUI were previously only measured against the Defense Acquisition Regulation System (DFARS), which was more of a self-assessment process. In addition to more effectively protecting the confidentiality of CUI, the DoD wanted a model that would shift organizational behavior to be more security conscious on an ongoing basis.
The CMMC meets these objectives by adding practices to those included in NIST SP 800-171 in order to confirm an organization is implementing a well-rounded security program and institutionalizing these practices through the implementation of process maturity. Process maturity within an organization ensures that the information security practices are consistent, repeatable, and constantly being improved.
If you have any contracts from the DoD and know you need to prepare for a CMMC assessment, the NIST SP 800-171 is a good place to start. However, CMMC Level 3 adds 20 additional practices and the need for maturity through well-established policies, procedures, plans, and role and responsibility documents to support the technical implementation, and proof that your organization has been following them. Having comprehensive documentation in place also allows your teams to effectively manage configuration changes within your environment and respond more efficiently to possible security incidents.
How do you determine what Level of CMMC you must achieve? While the DoD contract will specify which level of compliance an individual contract needs to meet, going forward almost all companies doing business with the DoD will be required to be CMMC certified at one of the five CMMC levels. If you handle CUI, will need to meet at least CMMC Level 3. Your research areas will need to review and understand the contracts you bid on and the types of information that will be handled. Level 3 and above require two out of three types of acceptable proof (via interview, testing, or observation) to validate each control so having that documentation in place is necessary to show your procedures are an effective and established part of your organization’s compliance environment.
These 20 non-NIST SP 800-171 controls were added at levels 2 and 3 of the CMMC to force organizations to become more proactive in their cybersecurity capabilities and implement sustainable practices. Below is the list of additional controls from the CMMC:
Asset Management
- AM.3.036. Define procedures for the handling of CUI data.
Audit and Accountability
- AU.3.048. Collect audit logs into a central repository.
- AU.2.044. Review audit logs.
Incident Response
- IR.2.093. Detect and report events.
- IR.2.094. Analyze and triage events to support event resolution and incident declaration.
- IR.2.095. Develop and implement responses to declared incidents according to pre-defined procedures.
- IR.2.097. Perform root cause analysis on incidents to determine underlying causes.
Recovery
- RE.2.137. Regularly perform and test data back-ups.
- RE.3.139. Regularly perform complete and comprehensive data back-ups and store them off-site and offline.
Risk Management
- RM.3.144. Periodically perform risk assessments to identify and prioritize risks according to the defined risk categories, risk sources, and risk measurement criteria.
- RM.3.146. Develop and implement risk mitigation plans.
- RM.3.147. Manage non-vendor-supported products (e.g., end of life) separately and restrict as necessary to reduce risk.
Security Assessment
- CA.3.162. Employ code reviews of enterprise software developed for internal use to identify areas of concern that require additional improvements.
Situational Awareness
- SA.3.169. Receive and respond to cyber threat intelligence from information sharing forums and sources and communicate to stakeholders.
System and Communications Protection
- SC.2.179. Use encrypted sessions for the management of network devices.
- SC.3.192. Implement Domain Name System (DNS) filtering services.
- SC.3.193. Implement a policy restricting the publication of CUI on publicly accessible websites (e.g., Forums, LinkedIn, Facebook, Twitter, etc.).
System and Information Integrity
- SI.3.218. Employ spam protection mechanisms at information system access entry and exit points.
- SI.3.219. Implement DNS or asymmetric cryptography email protections.
- SI.3.220. Utilize email sandboxing to detect or block potentially malicious email attachments.
Although not every contract will require CMMC compliance right away, organizations who know they have DoD contracts should start preparing for a CMMC assessment now as the implementation and certification process can take several months. When fully operational, the CMMC will be mandatory for all organizations doing business with the DoD at any level. Organizations should also reach out to applicable partners and sub-contractors to validate compliance and identify any non-compliant items they may be working to address.
A Registered Provider Organization (RPO) with Registered Practitioners (RPs), can help examine all the security controls currently in place within your organization and delivery advisory services prior to the official CMMC assessment. An RPO understands the requirements as intended because they are required to go through training directly from the CMMC Accreditation Body (CCMC-AB). RPs must also undergo a background check and sign the official CMMC-AB Code of Professional Conduct. Both certifications are valid for one year and the qualified personnel are listed on the CMMC-AB Marketplace.
It can be very valuable to have a RPO perform a gap analysis to review the organization’s network, systems, and controls in terms of the applicable CMMC level an organization must meet. A gap analysis can help you verify you have the appropriate documentation in place, set strategic goals, and help plan and prepare for an upcoming assessment, including outlining needs for management commitment in terms of budget, personnel, and tools to ensure full compliance is met. Moving forward, having a completed, passing CMMC Certification in-hand will ensure that your staff are able to respond promptly to all DoD contract opportunities.
Some additional guidance from the Security Advisor team:
[Hobby]: CMMC certification will soon be required for almost every organization doing business with the DoD. For many organizations, CMMC certification will take some time to achieve. If you haven’t already started, you should begin taking steps immediately to evaluate and document required policies and procedures as you plan for certification. Remember that the DoD’s goal is not simply certification, but maturing its contractors’ internal cybersecurity culture. Over time, the DoD will become less-and-less tolerant of information security risks, and having a culture that promotes cybersecurity, in addition to CMMC certification, will best position any contractor to compete within the Defense Industrial Base.