CMMC: The New Cybersecurity Standard for Defense Contractors

In one of the biggest compliance shake-ups in a decade, the Department of Defense (DoD) has replaced its self-assessment model with one of the most stringent cybersecurity frameworks ever devised: the Cybersecurity Maturity Model Certification (CMMC). What does this mean for organizations wanting to do business with the DoD? Let’s take a look.

What is CMMC?

CMMC is a new cybersecurity maturity standard for DoD contractors. Specifically, CMMC is designed to ensure all DoD contractors have sufficient security controls in place to protect sensitive information. Announced in mid-2019, version 1.0 of the standard was published in January 2020.

It could be argued that the DoD was forced to release CMMC, as many contractors failed to properly implement the previous self-assessment model, paving the way for high-profile breaches of prominent DoD contractors. Given that CMMC mandates a significantly higher standard of cybersecurity than its predecessor, it should significantly reduce the risk of adversaries penetrating the systems of defense contractors.

As the old saying goes, CMMC is ‘standing on the shoulders of giants’ by incorporating requirements from multiple pre-existing frameworks, including those published by NIST, ISO, and AIA. The new standard will be managed and updated by a non-profit board of industry and academic partners.

Although currently unsubstantiated, there have already been rumors that — if successful — CMMC could be expanded to cover all government contracts in the future.

Who Needs to Comply with CMMC?

Anyone who wants to do business with the DoD will need to be certified under CMMC.

Subcontractors aren’t exempt — every organization throughout the supply chain will need some level of certification. Currently, it’s assumed that the level of certification needed will vary by organization type and by the type of information held or transmitted. This is not yet certain, though, as it may prove logistically and technologically complex to have multiple organizations involved with different levels of certification.

Once the standard is fully in force, the rule will be simple: No certification, no contract.

Further, aspiring contractors will be expected to get certified before applying for a contract, though organizations will be able to reclaim part of the cost if successful in winning a contract.

There is one (and only one) exception to the need for certification. Companies that only sell commercial-off-the-shelf products (COTS) are exempt, and will not need to achieve any level of CMMC certification.

What’s Included in CMMC?

CMMC is one of the most comprehensive compliance standards ever produced for cybersecurity. Based on industry best practice — and borrowing heavily from existing frameworks — the standard requires DoD contractors to establish and maintain controls across 43 cybersecurity capabilities:

ACCESS CONTROL (AC)
1. Establish system access requirements
2. Control internal system access
3. Control remote system access
4. Limit data access to authorized users and processes

ASSET MANAGEMENT (AM)
5. Identify and document assets
6. Manage asset inventory

AUDIT & ACCOUNTABILITY (AU)
7. Define audit requirements
8. Perform auditing
9. Identify and protect audit information
10. Review and manage audit logs

AWARENESS & TRAINING (AT)
11. Conduct security awareness activities
12. Conduct training

CONFIGURATION MANAGEMENT (CM)
13. Establish configuration baselines
14. Perform configuration and change management

ID & AUTHENTICATION (IA)
15. Grant access to authenticated entities

INCIDENT RESPONSE (IR)
16. Plan incident response
17. Detect and report events
18. Develop and implement a response to a declared incident
19. Perform post-incident reviews
20. Test incident response

MAINTENANCE (MA)
21. Manage maintenance

MEDIA PROTECTION (MP)
22. Identify and mark media
23. Protect and control media
24. Sanitize media
25. Protect media during transport

PERSONNEL SECURITY (PS)
26. Screen personnel
27. Protect CUI during personnel actions

PHYSICAL PROTECTION (PE)
28. Limit physical access

RECOVERY (RE)
29. Manage backups
30. Manage information security continuity

RISK MANAGEMENT (RM)
31. Identify and evaluate risk
32. Manage risk
33. Manage supply chain risk

SECURITY ASSESSMENT (CA)
34. Develop and manage a system security plan
35. Define and manage controls
36. Perform code reviews

SITUATIONAL AWARENESS (SA)
37. Implement threat monitoring

SYSTEM & COMMUNICATION PROTECTION (SC)
38. Define security requirements for systems and communications
39. Control communications at system boundaries

SYSTEM & INFORMATION INTEGRITY (SI)
40. Identify and manage information system flaws
41. Identify malicious content
42. Perform network and system monitoring
43. Implement advanced email protections

Similar to existing frameworks like the CIS Benchmarks, CMMC includes five levels of certification:

  1. Performed. Requires the basic controls needed for essential cyber hygiene. This level of certification will be needed by contractors that hold or process mildly sensitive content such as Federal Contract Information (FCI).
  2. Documented. Covers slightly more advanced controls required for ‘intermediate’ cyber hygiene. This level is largely based on the requirements of NIST 800-171. Contractors with this certification will hold or process FCI and possibly more sensitive content such as Controlled Unclassified Information (CUI).
  3. Managed. Level 3 certification represents a moderate standard of cyber hygiene for an established organization and requires all 110 NIST controls plus an additional 20 controls from various sources. This level will be a requirement for the majority of DoD contractors that hold or process CUI.
  4. Reviewed. Going beyond simple cyber hygiene, level 4 certification requires contractors to take a proactive approach to measuring, identifying, and blocking threats, including Advanced Persistent Threats (APTs).
  5. Optimizing. To be certified at level 5, contractors will need to have a fully mature cybersecurity function across all 43 capabilities.

Note that the requirements for many capabilities increase as you progress through the five levels of certification. At the lower levels, many capabilities (e.g., threat monitoring) aren’t required at all.

What Level of Certification Will You Need?

Ultimately, all new DoD contracts will require bidders to achieve a specific level of certification. As of June 2020, the CMMC requirement for a contract was made visible through the RFI process. From September 2020 CMMC requirements will appear in the RFP process, and from October 2020, new DoD contractors will need to be certified by an assessor or C3PAO (CMMC 3rd Party Assessment Organization).

Existing DoD contractors have a little more leeway. It’s currently not known when the full framework will be enforced across all DoD contractors, but most guesses place it within 2-3 years. However, if you’re a current DoD contractor wanting to bid on new contracts, you’ll need to be certified.

To cut a long story short, if your organization is an existing or aspiring DoD contractor, you should begin preparing for CMMC certification immediately.

What Does the Certification Process Look Like?

At the current time, it’s not known exactly what the certification process will look like. Here’s a rundown of what we do know:

  1. There will be no self-assessment option. All contractors will need to be certified by an external assessor.
  2. The CMMC will accredit C3PAOs — CMMC 3rd Party Assessment Organizations — and individual assessors and maintain a public list of approved assessors.
  3. Contractors will pay a certified assessor to physically inspect their operations for compliance. This assessment will become part of the cost of doing business with the DoD.
  4. Exact costs have not yet been published. These will depend on factors such as the level required, the complexity of the contractor’s network, and “other market forces”. However, the DoD has stated that the cost will not be prohibitive.
  5. Organizations that are successful in gaining a DoD contract can expense part of the certification cost.

Prepare for CMMC with CimTrak

For many current and aspiring DoD contractors, CMMC represents a sudden and significant need to improve cybersecurity maturity.

With version 1.0 of the standard already released, and all new DoD contracts to require certification, many organizations are faced with the challenge of revamping their cybersecurity program in a short space of time.

CimTrak is an IT integrity, security, and compliance tool that makes it easy for organizations to substantially improve cybersecurity maturity. CimTrak continuously monitors your environment and detects changes to assets, files, and accounts. When specified changes occur, CimTrak raises an alert and a report, making it easy to identify security issues in hardware and software assets.

Crucially, CimTrak’s functionality maps directly to many of the control objectives of CMMC:

  • AC - Access Control
  • AM - Asset Management
  • AU - Audit and Accountability
  • CM - Configuration Management
  • IR - Incident Response
  • RE - Recovery
  • RM - Risk Management
  • SA - Security Assessment
  • SC - System & Communication Protection
  • SI - System & Information Integrity

To find out more about how CimTrak can help your organization align its security strategy and processes with CMMC, download the CMMC Solution Brief today.

Jacqueline von Ogden

Since 1999, Jacqueline has written for corporate communications, MarCom agencies, higher education, and worked within the pharmacy, steel and retail industries. Since joining the tech industry, she has found her "home".