What is CMMC?
Security standards and regulations such as the Defense Federal Acquisition Regulation Supplement (DFARS) and the National Institute of Standards and Technology (NIST) publications define how Department of Defense (DoD) contractors must protect sensitive data and information. Enforcing compliance with these standards has been a challenge for the DoD, creating uncertainty about the safety of sensitive information shared with or managed by contractors. Given the ever-growing complexity and volume of cyber threats in recent years, a new approach had to be developed.
In January 2020, the DoD released the Cybersecurity Maturity Model Certification (CMMC). The CMMC combines maturity processes and cybersecurity best practices from other standards and frameworks with input from relevant stakeholders to create a comprehensive security framework that all contractors must be certified against in order to bid for DoD contracts. Also, unlike other frameworks that only require self-certification, DoD contractors must be certified by authorized CMMC third-party assessors.
When does CMMC take effect?
In early 2020, the DoD released the first version of the Cybersecurity Maturity Model Certification. By 2026, all DoD contractors and subcontractors will be required to be in compliance with the framework. Between now and 2026, the DoD is implementing a phased rollout, with specific milestones and dates currently in development.
As a DoD contractor, what should I do now to prepare for CMMC?
Get ahead of the deadlines. For many DoD contractors, CMMC will require significant resources that may not currently exist in budgets, plans, and staffing. To begin, you’ll need to determine what level of compliance (CMMC levels 1 – 5) you need to reach to support your contracts with the DoD (both present and future contracts). After determining the level you need to meet, begin working through the requirements of that level, identifying gaps and what is needed to reach compliance. Once this exercise is complete, you can begin addressing the identified areas and preparing for the third-party CMMC assessment. The overall process can be a large undertaking and will most likely take considerable time to complete.
What are the five levels of CMMC certification?
CMMC has five levels of maturity for a contractor’s cybersecurity infrastructure, processes, and controls. The level of certification required for a contractor depends on the amount and sensitivity of Controlled Unclassified Information (CUI) to be safeguarded for a given contract.
The five levels of CMMC certification:
- Cyber Hygiene
- Intermediate Cyber Hygiene
- Good Cyber Hygiene
The levels above are cumulative: compliance with all of the lower levels is required before a higher-level certification can be obtained. For example, in order to obtain a level 3 certification, a contractor must meet all of the requirements for level 3 as well as the requirements for levels 1 and 2.
What are the CMMC domains?
The CMMC maturity levels focus on the 17 security domains listed below:
- Access Control
- Asset Management
- Audit and Accountability
- Awareness and Training
- Configuration Management
- Identification and Authentication
- Incident Response
- Media Protection
- Personnel Security
- Physical Protection
- Risk Management
- Security Assessment
- Situational Awareness
- System and Communications Protection
- System and Information Integrity
How does CMMC address insider risk?
How users are trained, which files they can access, and how those files are managed and tracked are critical pieces of insider risk management. To address potential insider threats to DoD contractors, insider risk management is covered by the majority of the 17 CMMC domains and forms a core requirement of the CMMC certification levels.
In upcoming blog posts, we’ll take a deep dive into insider risk management and how it impacts the contractor CMMC certification process.