The Top 10 Things to Know About CMMC
In recent years, the DoD has undergone a series of bold cybersecurity initiatives, from embracing responsible vulnerability disclosure to the trailblazing Hack the Pentagon initiative. Now, the DoD has a new risk in its sights: defense contractors.
Not satisfied with the previous self-assessment model, the DoD has developed the Cybersecurity Maturity Model Certification (CMMC). In this article, we’ll cover the top 10 things your organization needs to know about CMMC.
1) CMMC Is The Most Comprehensive Compliance Framework Yet
After months of development, the CMMC has launched as one of the most stringent cybersecurity standards ever developed. With 171 controls spread across 17 categories, CMMC is undoubtedly more comprehensive than its predecessor NIST 800-171, and arguably more thorough than any similar framework.
2) CMMC Is Heavily Based on Previous Frameworks
Unsurprisingly, the controls set out by NIST 800-171 form the bedrock of CMMC. NIST 800-171 was developed in response to FISMA in 2002 and positioned as a ‘competitive advantage’ (but not a requirement) for most DoD contracts.
However, unlike the NIST framework, which takes a one-size-fits-all approach to cybersecurity readiness, CMMC takes a 5-tiered approach. CMMC levels 1-3 cover roughly the same ground (and map closely) to NIST 800-171, while levels CMMC 4-5 go significantly further.
CMMC also borrows heavily from previous frameworks issued by the International Organization for Standardization (ISO), CERT, and the Center for Internet Security (CIS).
3) CMMC is Essential for ALL DoD Contractors And Subcontractors
Unlike the previous self-assessment model, which was positioned as a competitive advantage (not a requirement) for many DoD contracts, CMMC is essential for all DoD contractors and subcontractors. The level of compliance needed will vary depending on the nature of each contract. However, it’s reasonable to assume that most contractors and subcontractors will need to achieve at least level three certification.
Prime contractors will be responsible for their supply chains, meaning they’ll have to ensure all subcontractors can prove CMMC certification. It may be that the level of certification needed will be lower for some subcontractors than for the prime contractor. However, this may prove logistically difficult in practice, so don’t assume your organization will get off lightly.
4) It Doesn’t Matter Whether You Manage CUI
It seems logical that CMMC should only affect DoD contractors that handle sensitive information — what the DoD refers to as Controlled Unclassified Information (CUI). However, this is not the case.
Regardless of what DoD information your organization will hold, transmit, or process, you’ll need to achieve the CMMC certification level listed in your contract. Once CMMC is fully implemented the rule will be simple, and it applies to every single DoD contractor: No certification, no contract.
5) No Certification, No Bid
Each DoD Request for Proposals (RFP) will list the level of CMMC compliance required, and all bidders will have to achieve that level — and have proof of certification — before submitting a bid.
This adds a considerable hurdle for organizations hoping to become DoD contractors, particularly as obtaining CMMC certification does not guarantee an organization will be successful in winning contracts. Whether it is financially worthwhile to achieve CMMC compliance to bid on DoD contracts is something each organization will need to determine for itself.
6) Certification Is Divided Into Five Tiers
Fortunately for many current and prospective DoD contractors, not all contractors will have to evidence the same CMMC certification level. The framework is divided into five levels:
- Performed. Basic controls for essential cyber hygiene. Applies to contractors that hold or process mildly sensitive content, for example, Federal Contract Information (FCI).
- Documented. Slightly more advanced controls for ‘intermediate’ cyber hygiene. Applies to contractors that hold or process FCI and possibly Controlled Unclassified Information (CUI).
- Managed. A moderate standard of cyber hygiene for an established organization that includes all 110 NIST controls plus an additional 20 controls. Applies to the majority of DoD contractors that hold or process CUI.
- Reviewed. Level 4 certification requires a proactive approach to measuring, identifying, and blocking threats, including Advanced Persistent Threats (APTs).
- Optimizing. To be certified at level 5, contractors must have a fully mature cybersecurity function across all 43 capabilities.
CMMC levels 4 and 5 will apply to DoD contractors that hold or process highly sensitive information.
7) There’s No More Self-Assessment
Previously, DoD contractors were allowed to self assess their cyber readiness in line with NIST 800-171. And while that framework is reasonably comprehensive, a DOD audit of 10 contractors in 2019 concluded the self-assessment model was not sufficient to ensure the protection of Controlled Unclassified Information (CUI).
Instead, the CMMC will accredit ‘CMMC 3rd Party Assessor Organizations’ (C3PAOs) that will assess contractors on behalf of the DoD. Contractors will pay a C3PAO to inspect their systems and operations for compliance.
The exact cost of assessments has not yet been made public, but a spokesperson for the DoD suggested it would “not be prohibitive” and probably fall in the “low thousand dollars” range. Organizations that are successful in gaining a DoD contract can expense part of the certification cost.
8) Assessments Will Include Physical Inspections
Unlike other prominent cybersecurity compliance frameworks such as PCI-DSS, all CMMC assessments will be carried out in-person by a C3PAO. This includes assessments for level 1 and 2 certifications.
Contractors aiming to become certified will need to generate and maintain evidence that their systems and processes are in line with CMMC requirements. Simply being compliant isn’t enough — you must be able to prove it.
9) CMMC Will Be Phased In Gradually
Given the framework’s comprehensive nature, DoD contractors will be happy to know that CMMC is being rolled out gradually over the next five years.
The currently published timeline looks like this:
- Mid-2020: C3PAOs start applying for accreditation
- Late 2020: 20 DoD contracts are selected for early CMMC certification
- Late 2020: Some new DoD contracts require bidders to be assessed for CMMC compliance
- 2021-2025: New RFPs gradually start to require CMMC certification
10) Gap Analysis Doesn’t Have To Be Manual
One of the most challenging aspects of complying with any cybersecurity framework is identifying compliance gaps. Traditionally, organizations have relied on a combination of internal and external audits to ensure they have the controls and evidence necessary to pass an official assessment.
However, even the best assessments are only a point-in-time judgment of compliance. For technical controls, it’s easy for routine changes and updates to cause previously compliant systems to fall out of compliance. If this happens between assessments, it could be weeks or months before the issue is identified and fixed.
Fortunately, your gap analysis process doesn’t have to be a part of the manual grind.
CimTrak is an IT integrity, security, and compliance tool that makes it easy for organizations to identify and resolve CMMC non-compliance issues in IT systems and assets. In a single scan, CimTrak can highlight any configuration or security issues that don’t comply with CMMC.
Taking things to the next level, CimTrak continuously monitors your environment and detects changes to assets, files, and accounts. When a change occurs that pulls an asset or system out of CMMC compliance, CimTrak raises an alert and a report, making it easy to resolve the issue quickly.
Crucially, CimTrak’s functionality maps directly to many of the control objectives of CMMC.
- AC - Access Control
- AM - Asset Management
- AU - Audit and Accountability
- CM - Configuration Management
- IR - Incident Response
- RE - Recovery
- RM - Risk Management
- SA - Security Assessment
- SC - System & Communication Protection
- SI - System & Information Integrity
To find out more about how CimTrak can help your organization align its security strategy and processes with CMMC, download the CMMC Solution Brief today.
Since 1999, Jacqueline has written for corporate communications, MarCom agencies, higher education, and worked within the pharmacy, steel and retail industries. Since joining the tech industry, she has found her "home".