The Department of Defense (DoD) announced in mid-2019 that it was creating a new cybersecurity certification program and assessment model. Version 1.0 of the program, the Cybersecurity Maturity Model Certification (CMMC), was released on January 31, 2020, and CMMC requirements are expected to begin appearing in contract solicitations by September 2020. That is lightning-fast by DoD standards, and it is one of the most significant changes to how the defense industry works: every contractor seeking to do business with the DoD will have to get on board.
What is the CMMC?
The CMMC is a new verification mechanism designed to ensure that Controlled Unclassified Information (CUI) stored on and transmitted through Defense Industrial Base (DIB) networks is adequately protected.
The model draws on best practices from a number of existing cybersecurity standards, including ISO 27032, AIA NAS9933, NIST SP 800-171, and NIST SP 800-53, among others. It also incorporates input from Federally Funded Research and Development Centers, University Affiliated Research Centers, and the defense industry as a whole.
In the past, the DoD required contractors to self-attest that the IT systems they used to store and transmit sensitive information were secure. Under the CMMC model, contractors remain responsible for implementing and monitoring their security controls, but assessment and certification will be performed by an accredited third-party assessor rather than through self-attestation.
Why does it Matter?
Every contractor seeking to conduct business with the DoD, whether bidding on a contract as a prime or working as a subcontractor to a prime, will need to hold a CMMC certification at the level the contract requires. This reaches suppliers at every tier of the supply chain; the DoD estimates that more than 300,000 contractors will be affected.
CMMC Framework & Requirements
The CMMC evaluates the reliability and maturity of a contractor's cybersecurity program against five certification levels. The levels are cumulative: each level from Level 2 upward includes all of the practices and process requirements of the level below it, so a contractor certified at a given level must also satisfy every lower level.
Following is a brief overview of what each level entails:
Level 1 Basic cyber hygiene. This level covers the basic safeguarding practices of FAR 52.204-21, such as managing user passwords and running antivirus software, needed to protect Federal Contract Information (FCI).
Level 2 Intermediate cyber hygiene. This level is a transitional step toward protecting Controlled Unclassified Information (CUI): contractors must implement a subset of the security requirements in NIST SP 800-171 Revision 2 and document their cybersecurity policies and practices. Level 2 on its own does not qualify a contractor to handle CUI.
Level 3 Good cyber hygiene, and the minimum level for contractors that handle CUI. It requires all 110 security requirements of NIST SP 800-171 Revision 2 plus 20 additional practices defined in the CMMC model, along with an established, resourced plan for managing those activities.
Level 4 Proactive. Level 4 requires contractors to be equipped to detect and respond to Advanced Persistent Threats (APTs). An APT is not only persistent, as the name implies, but also more sophisticated and better resourced than an ordinary attack; such campaigns are typically run by well-funded actors such as nation states, so the contractor's defenses must be correspondingly capable. Contractors must measure the effectiveness of their security practices, review their readiness, and adapt their defenses as adversary tactics, techniques, and procedures change.
Level 5 Advanced/progressive. Level 5 further raises the bar for protecting against APTs. Contractors are required to standardize and optimize their cybersecurity practices across the entire organization, continually adopt enhanced practices, and extend those practices to third-party associates and subcontractors.
Preparing for a CMMC Compliance Audit
All DoD contractors should prepare for a CMMC audit, even for a Level 1 certification. A self-assessment is an excellent way to pinpoint issues in a contractor's cybersecurity program that should be addressed before the third-party assessment. Contractors that handle CUI should focus first on the 110 controls in NIST SP 800-171 Rev. 2, since those controls form the core of Level 3; once they are in place, the remaining Level 3 practices and process requirements are a much smaller step.
There are two ways a contractor can prepare for a CMMC audit:
1. Self-assessment
If your company has the resources and IT staff, it can work toward the CMMC requirements without a third-party consultant. NIST Handbook 162, the NIST MEP self-assessment handbook for NIST SP 800-171, is available to guide your IT team. Note that it covers only NIST SP 800-171 Rev. 1, so on its own it prepares you for no more than the Level 3 controls derived from that standard and does not cover the additional Level 3 practices or Levels 4 and 5. A Rev. 2 edition of the self-assessment handbook is not yet available.
2. CMMC consultant
A CMMC consultant will help your company meet the controls in NIST SP 800-171 Rev. 2 and the additional CMMC practices, and many contractors prefer this route. Other benefits of engaging a CMMC consultant are:
It saves your company time and money in reaching and maintaining compliance.
A CMMC consultant has the tools and documentation templates needed to conduct a gap analysis and create a system security plan.
A consultant can perform the remediation steps required for compliance.
A consultant will produce the documentation needed to show, during a CMMC audit, that compliance has been reached and is being maintained.
When your company decides to pursue CMMC certification, the first step is a gap assessment. This assessment determines how close your company is to meeting the standards of the CMMC level it needs.
Areas a gap assessment examines include:
How access to sensitive information is controlled and limited
How managers and systems administrators are trained
How data records are stored and protected from breaches
How security controls and policies are implemented
How cybersecurity incident response plans are created and implemented
Without a gap assessment, you won't know what changes to make to your company's existing cybersecurity program to achieve CMMC and DFARS compliance. A gap assessment from Cymonix will pinpoint the weak spots in your company's IT systems, and our subject matter experts will then develop a remediation plan to address them so that your company can obtain its CMMC certification without surprises.