The two diagrams below, taken together, show the structure of the Cybersecurity Maturity Model Certification, or CMMC. My aim over a series of blogs is to bring some clarity to the CMMC and what it will require. The first thing to cover is what really matters: the 17 Capability Domains that feed into the 5 Levels of Cybersecurity Maturity. If you missed our first blog, Cybersecurity Maturity Model Certification: Are you ready for the Parade Deck, give that a read for more of an overview.
In total there are 171 practices and five processes across the five levels of maturity. The CMMC practices and processes are organized into 17 capability domains (the original list omitted Maintenance and Recovery, which are added here so that all 17 are shown):
- Access Control
- Asset Management
- Awareness and Training
- Audit and Accountability
- Configuration Management
- Identification and Authentication
- Incident Response
- Maintenance
- Media Protection
- Personnel Security
- Physical Protection
- Recovery
- Risk Management
- Security Assessment
- Situational Awareness
- Systems and Communications Protection
- System and Information Integrity
Level 1 represents the requirements needed for DoD contracts that do not involve controlled unclassified information (CUI). Level 2 represents a transitional step to protect CUI. Level 3 governs DoD contracts involving the protection of CUI. Finally, levels 4 and 5 represent the highest levels of maturity for protecting CUI and reducing the risk of advanced persistent threats.
The CMMC builds on multiple existing sources of cybersecurity requirements rather than inventing new ones; in pulling the model together, the DoD incorporated requirements from a variety of established standards and regulations.[2]
Underlying the 5 Levels are two key elements, processes and practices, which span the 17 Capability Domains and the 43 capabilities within those domains. More on this will be discussed in a later post. For now, the 43 capabilities are realized through the practices, which are defined as “activities performed at each level for the domain”. Processes should be thought of in terms of “process maturity or process institutionalization”, which “characterizes the extent to which an activity is embedded or ingrained in the operations of an organization.”[3]
Diving deeper into practices, Level 1 has 17 practices, Level 2 has 72, Level 3 has 130, Level 4 has 156 and Level 5 has all 171. Those numbers seem staggering, but they are cumulative, so each level includes the practices of the levels below it: moving from Level 1 to Level 2 adds 55 practices, and from Level 2 to Level 3 adds 58. Those two steps are the biggest jumps; Levels 4 and 5 add only 26 and 15 practices respectively. It is also important to note that the practices are not new, but rather reflect requirements from Federal Acquisition Regulation (FAR) clause 48 CFR 52.204-21, NIST SP 800-171 r1 and Draft NIST SP 800-171B.
The goal of the practices is to rate an organization on an increasing scale from basic cybersecurity hygiene to advanced/progressive cybersecurity. Estimates vary, but most organizations will likely fall in Levels 1 through 3, meaning ‘basic’, ‘intermediate’ or ‘good’ cyber hygiene.
When it comes to processes, things are a little less specific. At Level 1, processes simply have to be ‘performed’ and there are no process maturity requirements. From there the expectation rises to Documented (Level 2), Managed (Level 3), Reviewed (Level 4) and, at the top end, Optimizing (Level 5) processes. In total, there are 5 processes to consider, and each applies across every domain at the level where it is introduced.
Admittedly, this is denser information than other blogs I’ve done, but that is intentional. It is important to get more granular with this information. The Appendices, specifically Appendix A, Appendix B and Appendix E, will need to be consulted by organizations that intend to pursue the CMMC, and now is the time to start that review, because the first Third Party Assessment Organizations (3PAOs) are expected to be live in May and assessments can begin after that.
A significant change associated with CMMC is that it is a third-party certification system. Currently, DoD contractors self-certify their compliance under the applicable Defense Federal Acquisition Regulation Supplement (DFARS) clauses, which primarily rely on the NIST requirements. Such self-certifications can lead to potential False Claims Act (FCA) liability.
Additionally, contractors have struggled with certifying compliance because the NIST requirements are extensive and therefore open to more than one interpretation.
The move to third-party certification is intended to reduce the confusion in determining compliance and may reduce the risk of FCA liability associated with self-certifications of compliance with applicable cybersecurity requirements, but it does nothing to reduce the performance risks associated with cybersecurity itself.
It also adds a significant new cost to businesses. As cybersecurity performance and maintaining CMMC certification will be foundational to even obtaining DoD contracts, performance risks are heightened. Although it is too early to predict how the DoD would react to a significant cybersecurity event or a loss of CMMC certification, contract termination would seem to be the more likely result.
Obtaining CMMC certification will only be the beginning. Contractors will have to be continually improving their cybersecurity capabilities and vigilance in response to new and increasing threats in order to ensure their actual performance is strong and they maintain their CMMC certification at the desired maturity level.
In making the announcement, DoD officials made it clear their intent is to implement CMMC in a “crawl, walk, run” sequence. They intend to: (1) issue a new DFARS clause this spring, (2) include the CMMC requirements in approximately 10 RFIs this summer, and (3) include the CMMC requirements in approximately 10 RFPs this fall.
The DoD does not intend to modify any existing contracts to include the CMMC requirements. It is anticipated that CMMC will be fully implemented in about five to six years as existing contracts end and are replaced by newly awarded contracts containing CMMC requirements.[4]
For those contractors who already have systems that comply with FAR clause 52.204-21 and the applicable NIST standards, becoming CMMC certified should not be a herculean task. However, for small and medium-sized businesses, certification could prove difficult, if not impossible.
This will provide opportunities for large businesses to mentor, partner with, or even acquire small and medium-sized businesses. Improving the cybersecurity posture of small and medium-sized businesses is critical because our security is only as strong as the weakest link in the acquisition chain.
To address some of the concerns associated with less cybersecurity mature contractors, the DoD has made it clear that not all procurements are equal and there will be flexibility to assign subcontracts a maturity level lower than that of the prime. For example, if a prime contract is at CMMC Level 3, and a particular subcontract does not involve CUI, that subcontract could be issued at CMMC Level 1.[5]
If you’d like a quick consultation on the CMMC, or want to ask any questions, please feel free to reach out to me. Also, keep checking back for further blogs on this topic and others related to compliance.
[3] See note 1
[4] See note 2