Given the damage a breach of defense supply-chain data can cause, CMMC certification is a necessary step, and arguably one that should have come much earlier. With more than 300,000 companies and contractors supplying the Department of Defense (DoD) with essential equipment and services, the defense industrial base (DIB) is a frequent target of cyberattacks. The Cybersecurity Maturity Model Certification (CMMC) requirements are designed to create a unified security standard that reduces these risks. For many companies, understanding the steps required for certification can be difficult. A good way to get started is by learning the basics: what CMMC is, the process involved, the different levels, and who can help.
What is CMMC?
Cybersecurity Maturity Model Certification (CMMC) is a DoD program that requires every company and subcontractor supplying the DoD to implement a defined cybersecurity framework. Version 1.0 of the CMMC model was released on January 31, 2020, and two minor updates have been published since. Simply put, CMMC defines five levels of cybersecurity maturity that DoD contractors must demonstrate in order to bid on and perform DoD contracts. Certification is designed to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) held by contractors and subcontractors.
CMMC is built primarily on existing frameworks and controls published by the National Institute of Standards and Technology (NIST), above all NIST SP 800-171. The CMMC model also incorporates practices and processes from other sources, such as NIST SP 800-53, the Aerospace Industries Association (AIA) National Aerospace Standard (NAS) 9933 "Critical Security Controls for Effective Capability in Cyber Defense", and the Computer Emergency Response Team (CERT) Resilience Management Model (RMM). While the certification requirements add new practices and processes, the biggest change CMMC introduces is that DoD contractors must obtain certification from a third-party organization instead of self-certifying as they did previously.
CMMC requirements first appeared in September 2020, when the DoD began incorporating them into selected requests for proposals (RFPs). The program is rolling out in phases, with CMMC certification planned as a requirement for all companies doing business with the DoD by 2026.
Who Needs CMMC?
When the rollout is complete, all DoD contractors will need to become CMMC compliant by implementing cybersecurity practices that pass a CMMC assessment at the level required for their contracts. Certification will apply both to prime contractors who engage directly with the DoD and to subcontractors who provide products or services to those primes in support of a DoD contract.
While every contractor and subcontractor will need certification by 2026, not every contract requires the same CMMC level. The DoD has made it clear that each level of certification will be recognized, and many contracts will be open to businesses holding lower certification levels.
The CMMC program is designed to work for the roughly 300,000 businesses and subcontractors that supply goods and services essential to DoD operations and to ensure these companies meet the security standards of the military. To do this, the DoD assigns a CMMC level to each contract based on the sensitivity of the information involved. Each level has its own requirements, and the levels are cumulative: an assessment at a given level covers every practice and process of the lower levels as well, so a contractor targeting Level 3 must demonstrate all Level 1 and Level 2 practices in the same assessment. The levels represent ascending degrees of preparedness against cyber threats, beginning with basic cyber hygiene and ending with advanced security operations. At each level, a specific set of required practices and processes reduces risk from a specific class of threats.
- Level 1 – Basic Cyber Hygiene (Performed): This is the foundation for all other levels and carries no process-maturity requirement, so practices do not have to be documented. Level 1 is designed to safeguard FCI not intended for public release. To pass an assessment at this level, the DoD contractor must implement 17 basic cyber hygiene practices drawn from NIST SP 800-171 Rev. 1 (they correspond to the basic safeguarding requirements of FAR 52.204-21).
- Level 2 – Intermediate Cyber Hygiene (Documented): Beginning the maturity progression, Level 2 requires an organization to meet all Level 1 requirements and to establish and document policies and practices for protecting CUI. The move to CUI practices makes Level 2 a transitional step toward full CUI protection at Level 3. To pass an assessment at this level, the company must implement 55 additional practices: 48 further practices from NIST SP 800-171 Rev. 1 plus 7 practices drawn from other sources, for a cumulative total of 72.
- Level 3 – Good Cyber Hygiene (Managed): Level 3 requires compliance with Levels 1 and 2 plus a managed process: the organization establishes, maintains and resources a plan for each practice area and reviews its policies and processes. Beyond the practices of Levels 1 and 2, the DoD contractor must implement the remaining 45 requirements of NIST SP 800-171 Rev. 1 (bringing all 110 into scope) plus 13 additional practices, for a cumulative total of 130.
- Level 4 – Proactive (Reviewed): Level 4 adds enhanced practices that defend CUI against advanced persistent threats (APTs), that is, long-term, well-resourced campaigns aimed at stealing sensitive information. At the process level, the organization must review and measure its practices for effectiveness, take corrective action when needed, and inform higher-level management of status and results. To pass an assessment at Level 4, 11 requirements from the draft NIST SP 800-171B plus 15 practices from other sources are added to the requirements of the first three levels, for a cumulative total of 156.
- Level 5 – Advanced/Progressive (Optimizing): The final level focuses on protecting CUI from APTs by optimizing cybersecurity capabilities. Organizations at this level standardize and continuously improve their process implementation across the organization to provide the strongest possible defense. Beyond the first four levels, Level 5 requires the final 4 draft NIST SP 800-171B requirements plus 11 practices from other sources, for a cumulative total of 171.
Across the five levels, the CMMC model contains a total of 171 practices, organized into 17 domains, for implementing sound cybersecurity among DoD contractors. The model is paired with a certification program that verifies the practices and processes are implemented and carried out effectively.
Why CMMC is a Necessary Change
Cybersecurity requirements for contractors and subcontractors handling sensitive DoD information are not new. However, the previous regulations allowed companies to assess their own compliance, and many contractors put off essential compliance tasks as a result. With potential points of vulnerability spread across thousands of companies and no uniform verification, that loose system makes the defense industrial base (DIB) a valuable target for malicious attackers.
Before the introduction of CMMC, DoD contractors were subject to cybersecurity regulations published in 2015. The Defense Federal Acquisition Regulation Supplement (DFARS), through clause 252.204-7012, requires DoD contractors to adopt cybersecurity policies and procedures that implement the NIST SP 800-171 requirements, and contractors have been required to meet those standards since December 31, 2017. Non-compliance with DFARS carries strict penalties, including termination of DoD contracts, suspension from work on behalf of the DoD, and financial penalties for breach of contract.
While NIST SP 800-171 provides reasonable security requirements, the way DFARS was implemented was far from perfect. DoD contractors could meet the requirements with an internal team of IT professionals or by outsourcing compliance work to a qualified DFARS consultant, but without a standardized audit system the DoD had to rely on the contractor's own documentation (the System Security Plan and Plan of Action and Milestones that NIST SP 800-171 calls for) as proof of compliance. Although the DoD used contract awards to encourage compliance, adoption was slow and the results were far from the uniform level of security the government needed.
CMMC starts from the same NIST SP 800-171 requirements that DFARS mandates, adds further practices and process requirements, and eliminates self-certification. At every level of CMMC, compliance must be validated through an assessment by a qualified third party.
How to get CMMC Certified
Because companies are not allowed to self-certify under CMMC, they must be assessed by a CMMC Third Party Assessment Organization (C3PAO), using certified assessors, to obtain certification. A DoD contractor should first determine the certification level its contracts require and implement the practices and processes the CMMC model defines for that level before seeking an assessment. For most companies the full path to certification means adopting a cybersecurity plan, getting an initial (readiness) assessment, defining a remediation plan, and implementing new policies and controls until the desired level is met.
Getting Started with CMMC Certification
Because CMMC is rolling out in phases, you might think the requirements are not something your company needs to worry about immediately. In practice, proper implementation needs a timeline that leaves room to evaluate and fix security weaknesses before the deadline for your target level. Even a company that has already implemented, and effectively uses, all 110 NIST SP 800-171 requirements is still 20 practices short of Level 3 and has only the practices needed for Level 1 and most of Level 2.
Companies that achieve Level 4 and Level 5 compliance will be operating additional practices and will have a working process for reviewing results, correcting issues and optimizing cybersecurity practices on an ongoing basis. It is therefore essential to begin preparing for CMMC compliance as early as possible to avoid the potential loss of DoD contracts.
The first steps toward CMMC compliance include determining the level you wish to obtain and taking steps to implement the necessary NIST controls for that level. There are two ways companies can work to achieve this goal:
- DIY Preparation and Assessment: Companies with considerable resources and a complete IT team may choose to use the NIST self-assessment handbook for SP 800-171 (NIST Handbook 162) to plan and implement the SP 800-171 requirements that make up most of Levels 1 through 3, and then add the remaining practices from the CMMC model. There is no comparable handbook for Levels 4 and 5, but the draft NIST SP 800-171B can be used to work through the enhanced requirements those levels draw on. This in-house approach requires an experienced team to plan the work and honestly assess the company's readiness for the target CMMC level.
- Outsourced Assessment: For most companies, working with a Managed Security Service Provider (MSSP) is the more effective and cost-effective way to reach CMMC compliance. An established provider already has the expertise to help analyze and implement the required practices for a given level, along with the templates and tooling to assess compliance readiness and build a plan to close security gaps.
Important Elements of CMMC Compliance
A major change for DoD contractors preparing for CMMC is the requirement for third-party assessment. Instead of simply providing in-house documentation of cybersecurity practices and processes, contractors must engage an authorized third-party organization to verify compliance at the desired level. The DoD has created a structure of organizations to make this possible, and understanding these terms will help you prepare for the steps CMMC compliance requires.
- CMMC Third Party Assessment Organization (C3PAO): C3PAOs are independent organizations that conduct CMMC assessments of DIB companies' unclassified networks and issue the appropriate CMMC certificate based on the results. An authorized C3PAO must meet DoD requirements, be accredited by the CMMC-AB, and achieve full compliance with ISO/IEC 17020 within 27 months of registration.
- CMMC Accreditation Body (CMMC-AB): The CMMC-AB is an independent organization that, following DoD guidelines, authorizes and accredits C3PAOs and the CMMC Assessors and Instructors Certification Organization (CAICO). The CMMC-AB defines the training and certification program for assessors and authorizes C3PAOs to perform CMMC assessments of contractors.
What This Means for DoD Contractors
Simply put, C3PAOs are the organizations that conduct CMMC assessments and issue the appropriate certificate based on your company's cybersecurity practices and processes. The CMMC-AB is the organization that accredits C3PAOs and defines the training and certification their assessors must complete; once those requirements are met, the C3PAO is authorized to assess contractors.
To achieve CMMC certification, a DoD contractor must engage an authorized C3PAO and schedule an assessment. Contractors can find a list of Authorized and Accredited C3PAOs on the CMMC-AB Marketplace website. Although the C3PAOs themselves are listed there, note that only Certified CMMC Assessors working within the organization are allowed to conduct the assessment.
Achieving CMMC Compliance
For many companies, CMMC compliance will be crucial for continued success. Often contractors who work with the DoD depend on these contracts for a substantial portion of annual income. The ability to quickly obtain and continually maintain compliance helps you avoid the risk of extended loss of work while attempting to implement security controls and work through a backlog of audits. Take these steps to achieve CMMC compliance at the level your company requires.
CMMC Readiness Assessment
Most contractors approaching CMMC start without a baseline that shows how close they are to compliance at their chosen level. A third-party readiness assessment (also called a gap assessment) establishes that baseline by measuring the gap between your current state and the CMMC requirements for the target level. The assessment examines current cybersecurity practices and identifies systems and processes that fall short of the minimum CMMC requirements. Depending on your company's needs and target level, a readiness assessment may cover any or all of the following:
- Training procedures for managers and information system administrators
- How sensitive information is accessed within a system or network, and the controls that protect that access
- Processes and procedures for storing data
- Procedures for implementing security controls and standards
- Processes for developing and implementing incident response plans
Measuring the gap between your current position and the requirements of your target CMMC level defines the scope of a successful remediation program.
After the gap assessment, a DoD contractor either creates and executes its own remediation plan or has a third-party MSSP perform the remediation.
Once the gap assessment results are in hand, completing a remediation plan before applying for certification is essential. With a complete gap analysis, DoD contractors or their MSSP can identify risks, prioritize activities, and estimate the cost of each remedial step required for CMMC certification. Because a remediation plan is specific to the organization, it can range from minor changes to a complete cybersecurity program built from the ground up to today's standards.
Your remediation plan should start from the identified security gaps and lay out the actions and resources required to resolve each one, with an actionable timeline and an estimate of remediation costs. Successful implementation of the plan leads to the final steps required to reach CMMC compliance.
Ongoing Cybersecurity Monitoring and Reporting
A successful CMMC assessment takes more than a plan. Sustained cybersecurity requires a living process with the ability to monitor, detect, and report on incidents as technology and threats evolve. These activities need continual updates and specialized tools to keep pace with best practices. As you monitor your security processes and address newly discovered vulnerabilities, your security plan will change to reflect what you learn, and it is the current version of that plan and its processes that will be examined during a CMMC assessment.
How an MSSP Can Assist with CMMC Compliance
CMMC demands strict adherence to a specific set of practices and processes at every level. Achieving NIST SP 800-171 compliance alone is a substantial effort that many companies lack the tools or staff to complete in-house. Contractors who depend on DoD business can attempt to learn all the processes and acquire the tooling needed to obtain and maintain compliance themselves, but this route is often harder and more expensive than engaging a qualified third-party provider to run the program.
CMMC compliance is an ongoing process that only begins once you put a practical plan in place to obtain certification at your organization's target level. Maintaining compliance through ongoing monitoring and reporting, and the ability to identify and respond to threats in real time, will be essential to a continuing relationship with the DoD. After the CMMC assessment, the C3PAO provides an assessment report and, if there are no deficiencies, issues the appropriate CMMC certificate; a copy of the certification is also submitted to the DoD. Certification is generally valid for three years, although a cybersecurity incident can trigger a reassessment.
A managed security service provider (MSSP) delivers outsourced monitoring and management of security devices and systems, such as managed firewalls, intrusion detection, virtual private networks, vulnerability scanning, and antivirus services. These services help thousands of organizations meet a range of NIST standards and requirements, using professional processes and tooling to maintain the required level of compliance.
Managed detection and response (MDR) is a more advanced security service that adds active capabilities such as threat intelligence, threat hunting, security monitoring, and incident response. Combined with MSSP services, MDR provides the ongoing monitoring and reporting that many compliance regimes require.
MSSP and MDR work together to combine a variety of services that can help DoD contractors achieve and maintain compliance with CMMC levels. BitLyft Cybersecurity is a full-service cybersecurity company with the advanced tools, services, and experience to provide companies with the protection they need to achieve all levels of compliance and the tools to protect sensitive data against malicious attackers.
With years of experience in the area of NIST standards and government level compliance, our team can assist DoD contractors to achieve and maintain every level of CMMC compliance. To learn more about simplifying your path to CMMC, get in touch with our cybersecurity experts. Your initial assessment is the first step to reaching the level of CMMC you need to continue contracts with the DoD.