We live in an era of cyber espionage. In the first quarter of this year alone, we experienced a 30% rise in major cyber-attacks. While COVID-19 was certainly a contributing factor, it's just one part of a whole host of tools, techniques, and situations leveraged by threat actors.
As the cyber threat evolves and scales, governments are investing more in national security and cyber defense. They hope to fortify security protocols by establishing strict compliance standards. This includes the Cybersecurity Maturity Model Certification (CMMC) developed by the US Department of Defense (DoD).
What Is CMMC?
The Cybersecurity Maturity Model Certification or CMMC is essentially a standardized list of cybersecurity practices. This applies to the hundreds of thousands of contractors and vendors who work with the DoD.
Although the DoD unveiled the CMMC in 2019, the good news is that you have until 2025 to meet these unified criteria. However, it's best not to wait to implement CMMC standards as you'll achieve greater cybersecurity protection and cement your relationship with the DoD if you do it sooner.
The CMMC program specifies a range of security levels you must meet before getting a DoD contract. In fact, it's a qualification standard for all requests for information (RFIs) and requests for proposals (RFPs). After 2025, DoD providers who fail to meet CMMC requirements in their RFPs and RFIs will find themselves shut out of future business partnerships with the defense industrial base.
At this juncture, it's vital to state that CMMC doesn't actually replace the National Institute of Standards and Technology (NIST) SP 800-171 completely. Instead, it includes and builds on these standards as DoD contractors and vendors could not meet them. This was due to complex cybersecurity requirements and prohibitive costs.
However, these new regulations make this process easier. There are five levels of CMMC and cybersecurity preparedness to consider:
- Basic cyber hygiene
- Intermediate cyber hygiene
- Good cyber hygiene
The CMMC maturity level your business must achieve depends on the sensitivity of the DoD data you'll work with. Most small businesses will stay within the first three levels.
CMMC Level 1: Basic Cyber Hygiene
Level 1 covers the most basic security practices enterprises must perform to work with the DoD. This is the most basic cyber hygiene level where organizations perform these cybersecurity practices in an ad-hoc manner.
They might not even rely on documentation, and you don't have to engage assessors to assess the process maturity at this level. Level 1 concentrates on protecting federal contact information, and these best practices reflect the CMMC requirements specified in 48 CFR 52.204-21.
CMMC Level 2: Intermediate Cyber Hygiene
Level 2 requires established processes to document practices and policies that guide CMMC implementation. The documentation of procedures allows individuals to perform them repeatedly. The aim here is to develop mature cybersecurity capabilities by documenting processes and practicing them.
It's a progression from Level 1 and encompasses a subset of the cybersecurity requirements detailed in NIST SP 800-171. It also has some best practices from other references and standards. Level 2 is a transitional stage with cybersecurity practices that reference the protection of Controlled Unclassified Information (CUI).
CMMC Level 3: Good Cyber Hygiene
Level 3 is a managed process that demands companies to establish, maintain, and resource a plan that demonstrates the management of activities pertaining to the implementation of CMMC practices.
It consists of all the security requirements in NIST SP 800-171 and another 20 best practices to mitigate risk. Level 3 also concentrates on CUI protections. If you're a DoD contractor or subcontractor with a Defense Federal Acquisition Regulation Supplement (DFARS) clause in your contract, you'll need to meet at least Level 3 requirements.
CMMC Level 4: Proactive
Level 4 demands that all organizations measure and review the effectiveness of these practices. This approach provides an opportunity to engage in corrective actions as needed. It also requires you to keep upper management updated on the status or problems regularly.
These cybersecurity practices significantly improve your company's threat detection and response capabilities. As the cyber threat evolves, your organization's cyber defense protocols can grow with it.
CMMC Level 5: Advanced/Progressive
The most mature CMMC level requires enterprises to standardize and optimize process implementations throughout the organization. Level 5 takes Level 4 up a notch with additional best practices to enhance the depth and sophistication of security protocols and their capabilities. Level 5 also concentrates on safeguarding CUI from APTs.
All vendors and contractors must meet all related practices and processes to comply with each CMMC level.
Who Needs CMMC Certification?
Anyone in the defense contract supply chain must comply with CMMC practices and processes. CMMC certification is a method of verifying that cybersecurity best practices and procedures are in place to ensure basic cyber hygiene on DoD's partner networks.
The CMMC compliance checklist consists of 17 domains. These originated in Federal Information Processing Standards (FIPS) and NIST SP 800-171.
The 17 domains are as follows:
- Access Control
- Asset Management
- Audit and Accountability
- Awareness and Training
- Configuration Management
- Identification and Authentication
- Incident Response
- Media Protection
- Personnel Security
- Physical Protection
- Risk Management
- Security Assessment
- Situational Awareness
- System and Communications Protection
- System and Information Integrity
DoD contractors and vendors with the necessary resources can get certified in-house or use an external provider to ensure resiliency and CMMC compliance. You can use the NIST Handbook 162 as a guide for your certification initiative.
Although we don't have a self-assessment guide just yet, a draft of the SP 800-172 specification does exist. Regardless of where you are in the DoD supply chain, depending on the certification level, it'll help you understand what it takes to pass a CMMC audit from a third-party CMMC assessment organization.
You should also consider the stakes, as failing a CMMC audit will lead to a significant loss of time resolving security issues. Such delays come at a high cost; so, if the DoD makes up a substantial portion of your revenue, it's best to tread carefully.
The first step in achieving CMMC compliance is to determine which level applies to your business. Once you know which level applies to your organization, you can take steps to comply with its corresponding standards.
The first two levels provide access to FCI. This data is not available to the public but is necessary for contractors to do their job. These compliance requirements must be "performed" and nothing more. That is, you must establish cybersecurity standards, but no one needs to document them. If documentation is required, then you must move up to Level 2.
Managed Service Providers (MSPs) who work with contractors and vendors must also comply with these standards. Level 3 overlaps with NIST SP 800 strict standards, which enable access to CUI. While safeguarding or dissemination of security controls are necessary, this isn't exactly classified information.
Most businesses won't go beyond Level 3. Only a small number of third-party vendors will be required to comply with Level 4 and Level 5 CMMC standards.
Although the information provided by the DoD is extensive and comprehensive, it only lists what organizations must do to ensure compliance. It doesn't tell contractors or vendors how to do it. Unlike NIST, there isn't an option of self-certification, so you must depend on the CMMC accreditation body.
So, how do you go about establishing CMMC compliance?
Step 1: CMMC Gap Analysis
The first step is to conduct a gap analysis and readiness CMMC assessment. This approach will provide an in-depth understanding of your current security posture and the steps you need to take to get to the required CMMC level.
Your readiness CMMC assessment might help uncover systems and processes that fail to meet the standards. Without an extensive gap analysis, it will be quite challenging to identify potential vulnerabilities, prioritize activities, and figure out the costs to achieve compliance.
Step 2: Develop a Remediation Plan
You need an actionable prioritization plan to address any potential security gaps in the system. In this case, it's best to have a Plan of Action with Milestones (POAM) which includes:
- The necessary steps you must take to resolve vulnerabilities
- The resources needed to mitigate threats and close the security gap
- Insights into how you uncovered risks and vulnerabilities
- Established priorities, estimated remediation expenses, and the quantification of risk levels
Your remediation plan must evolve with CMMC updates. You should also tweak your POAM as needed to ensure CMMC compliance.
Step 3: Continuous Cybersecurity Monitoring and Reporting
Once the remediation is complete, and your CMMC model is compliant, you'll have to continue monitoring and reporting on security events detected in your own systems. You'll need specialized tools and expertise to achieve this. This is one of the primary reasons why most contractors and vendors outsource the entire process.
Step 4: Develop and Update Your System Security Plan (SSP)
An SSP isn't a static document. You must update it with each substantial change to the company’s security profile and processes. SSPs typically include administrative tasks, company policies, employee security protocols and responsibilities, network diagrams, and more.
To meet NIST 800-171 and CUI obligations, you have to have extensive details about each system in your environment that stores CUI. If you store CUI in the cloud, then the cloud will require FedRAMP authorization. You must also show the data flow between information systems and how the authentication and authorization process works.
It’s vital to note that your SSP will be part of the awards contest, and without a valid SSP, you probably won't be awarded the DoD contract. Furthermore, it’s crucial to maintain all your CMMC certification requirements when you update your SSP.
This process is resource-intensive, and contractors must ensure that they have the necessary resources before getting started.
Since it first emerged in 2019, the CMMC certification model and best practices have had several revisions and updates. Over the next few years, you can expect more updates as technologies and processes evolve.
Collaboration with key stakeholders will also influence further updates in the future. As this whole procedure is complex and sometimes confusing, an Accreditation Body will develop auditing and certification standards.
CMMC Accreditation Body
The DoD has a memorandum of understanding between a newly formed Accreditation Body (consisting of 13 members from the industry). The Accreditation body will be responsible for training and certifying assessment organizations to assess DoD vendors and contractors.
Although there are a few years left, it's best to take the first step, which is cost-effective. Make an accurate CMMC assessment and score your plan of action and your SSP. Then make recommendations for remediation and implementation of your strategy.
You can use the rest of 2021 to gain some maturity by running the cybersecurity program for a while before initiating an audit. To gain maturity, it's vital to get the whole program up and running as soon as possible.
As we head toward 2025, you can expect the number of audits to increase. You can also expect a cybersecurity audit before every contract renewal. The longer your cybersecurity plan runs successfully within your environment, the more mature and reliable it'll be.
There's no time to waste as it can take anywhere from six months to a year to establish and become CMMC compliant. The sooner you do it, the better will be your chance of getting the next contract while maintaining CMMC compliance.