In one of the biggest compliance shake-ups in a decade, the Department of Defense(DoD) has replaced its self-assessment model with one of the most stringent cybersecurity frameworks ever devised: the Cybersecurity Maturation Model Certification(CMMC). What does this mean for organizations wanting to do business with the DoD? Let’s take a look.
What is CMMC?
CMMC is a new cybersecurity maturity standard for DoD contractors. Specifically, CMMC is designed to ensure all DoD contractors have sufficient security controls in place to protect sensitive information. Announced in mid-2019, version 1.0 of the standard was published in January 2020.
It could be argued that the DoD was forced to release CMMC, as many contractors failed to properly implement the previous self-assessment model, paving the way for high-profile breaches of prominent DoD contractors. Given that CMMC mandates a significantly higher standard of cybersecurity than its predecessor, it should significantly reduce the risk of adversaries penetrating the systems of defense contractors.
As the old saying goes, CMMC is ‘standing on the shoulders of giants’ by incorporating requirements from multiple pre-existing frameworks, including those published by NIST, ISO, and AIA. The new standard will be managed and updated by a non-profit board of industry and academic partners.
Although currently unsubstantiated, there have already been rumors that — if successful — CMMC could be expanded to cover all government contracts in the future.
Who Needs to Comply with CMMC?
Anyone who wants to do business with the DoD will need to be certified under CMMC.
Subcontractors aren’t exempt — every organization throughout the supply chain will need some level of certification. Currently, it’s assumed that the level of certification needed will vary by organization type and by the type of information held or transmitted. This is not yet certain, though, as it may prove logistically and technologically complex to have multiple organizations involved with different levels of certification.
Once the standard is fully in force, the rule will be simple: No certification, no contract.
Further, aspiring contractors will be expected to get certified before applying for a contract, though organizations will be able to reclaim part of the cost if successful in winning a contract.
There is one (and only one) exception to the need for certification. Companies that only sell commercial-off-the-shelf products (COTS) are exempt, and will not need to achieve any level of CMMC certification.
What’s Included in CMMC?
CMMC is one of the most comprehensive compliance standards ever produced for cybersecurity. Based on industry best practice — and borrowing heavily from existing frameworks — the standard requires DoD contractors to establish and maintain controls across 43 cybersecurity capabilities:
ACCESS CONTROL (AC)
|1. Establish system access requirements|
|2. Control internal system access|
|3. Control remote system access|
|4. Limit data access to authorized users and processes|
|5. Identify and document assets|
|6. Manage asset inventory|
AUDIT & ACCOUNTABILITY (AU)
|7. Define audit requirements|
|8. Perform auditing|
9. Identify and protect audit information
10. Review and manage audit logs
AWARENESS TRAINING (AT)
|11. Conduct security awareness activities|
12. Conduct Training
CONFIGURATION MANAGEMENT (CM)
|13. Establish configuration baselines|
14. Perform configuration and change management
ID & AUTHENTICATION (IA)
|15. Grant access to authenticated entities|
INCIDENT RESPONSE (IR)
|16. Plan incident response|
|17. Detect and report events|
|18. Develop and implement a response to a declared incident|
|19. Perform post-incident reviews|
|20. Test incident response|
|21. Manage Maintenance|
MEDIA PROTECTION (MP)
|22. Identify and mark media|
|23. Protect and control media|
|24. Sanitize media|
|25. Protect media during transport|
PERSONAL SECURITY (PS)
|26. Screen personnel|
|27. Protect CUI during personnel actions|
PHYSICAL PROTECTION (PE)
|28. Limit physical access|
|29. Manage backups|
|30. Manage information security continuity|
RISK MANAGEMENT (RM)
|31. Identify and evaluate risk|
|32. Manage risk|
|33. Manage supply chain risk|
SECURITY ASSESSMENT (CA)
|34. Develop and manage a system security plan|
|35. Define and manage controls|
|36. Perform code reviews|
SITUATIONAL AWARENESS (SA)
|37. Implement threat monitoring|
SYSTEM & COMMUNICATION PROTECTION (SC)
|38. Define security requirements for systems and communications|
|39. Control communications at system boundaries|
SYSTEM & INFORMATION INTEGRITY (SI)
|40. Identify and manage information systems laws|
|41. Identify malicious content|
|42. Perform network and system monitoring|
|43. Implement advanced email protections|
Similar to existing frameworks like the CIS Benchmarks, CMMC includes five levels of certification:
- 1. Performed. Requires the basic controls needed for essential cyber hygiene. This level of certification will be needed by contractors that hold or process mildly sensitive content such as Federal Contract Information (FCI).
- 2. Documented. Covers slightly more advanced controls required for ‘intermediate’ cyber hygiene. This level is largely based on the requirements of NIST 800-171. Contractors with this certification will hold or process FCI and possibly more sensitive content such as Controlled Unclassified Information (CUI).
- 3. Managed. Managed Level 3 certification represents a moderate standard of cyber hygiene for an established organization and requires all 110 NIST controls with an additional 20 controls from various sources. This level will be a requirement for the majority of DoD contractors that hold or process CUI.
- 4. Reviewed. Going beyond simple cyber hygiene, level 4 certification required contractors to take a proactive approach to measuring, identifying, and blocking threats, including Advanced Persistent Threats (APTs).
- 5. Optimizing. To be certified at level 5, contractors will need to have a fully mature cybersecurity function across all 43 capabilities.
Note that the requirements for many capabilities increase as you progress through the five levels of certification. At the lower levels, many capabilities (e.g., threat monitoring) aren’t required at all.
What Level of Certification Will You Need?
Ultimately, all new DoD contracts will require bidders to achieve a specific level of certification. As of June 2020, the CMMC requirement for a contract was made visible through the RFI process. From September 2020 CMMC requirements will appear in the RFP process, and from October 2020, new DoD contractors will need to be certified by an assessor or C3PAO (CMMC 3rd Party Assessment Organization).
Existing DoD contractors have a little more leeway. It’s currently not known when the full framework will be enforced across all DoD contractors, but most guesses place it within 2-3 years. However, if you’re a current DoD contractor wanting to bid on new contracts, you’ll need to be certified.
To cut a long story short, if your organization is an existing or aspiring DoD contractor, you should begin preparing for CMMC certification immediately.
What Does the Certification Process Look Like?
At the current time, it’s not known exactly what the certification process will look like. Here’s a rundown of what we do know:
- There will be no self-assessment option. All contractors will need to be certified by an external assessor.
- The CMMC will accredit C3PAOs — CMMC 3rd Party Assessor Organizations — and individual assessors and maintain a public list of approved assessors.
- Contractors will pay a certified assessor to physically inspect their operations for compliance. This assessment will become part of the cost of doing business with the DoD.
- The exact costs have not yet been published. There will depend on factors such as the level required, the complexity of the contractor’s network, and “other market forces”. However, the DoD has stated that the cost will not be prohibitive.
- Organizations that are successful in gaining a DoD contract can expense part of the certification cost.
Prepare for CMMC with CimTrak
For many current and aspiring DoD contractors, CMMC represents a sudden and significant need to improve cybersecurity maturity.
With version 1.0 of the standard already released, and all new DoD contracts requiring certification, many organizations are faced with the challenge of revamping their cybersecurity program in a short space of time.
CimTrak is an IT integrity, security, and compliance tool that makes it easy for organizations to substantially improve cybersecurity maturity. CimTrak continuously monitors your environment and detects changes to assets, files, and accounts. When specified changes occur, CimTrak raises an alert and a report, making it easy to identify security issues in hardware and software assets.
Crucially, CimTrak’s functionality maps directly to many of the control objectives of CMMC.
AC - Access Control
AM - Asset Management
AU - Audit and Accountability
CM - Configuration Management
IR - Incident Response
RE - Recovery
RM - Risk Management
SA - Security Assessment
SC - System & Communication Protection
SI - System & Information Integrity
To find out more about how CimTrak can help your organization align its security strategy and processes with CMMC, download the CMMC Solution Brief today.
October 8, 2020