What is the CMMC and How DoD Contractors Can Prepare
In 2019, the Department of Defense announced a new cybersecurity compliance framework — the Cybersecurity Maturity Model Certification, or CMMC. The CMMC requires that every DoD contractor maintain a uniform set of cybersecurity standards in order to execute and bid on contracts, and, importantly, access DoD systems. The CMMC is a new framework developed to enforce the cybersecurity policies and controls laid out in NIST SP-800-171.
Here's what you need to know about the CMMC, its levels, and how to prepare as a DoD contractor.
What is the CMMC?
The CMMC is a set of cybersecurity standards for DoD contractors. Similar to an information security plan (ISP) or IT security plan at a company, the CMMC sets security requirements for IT systems, which includes security awareness training and cyber hygiene, as well as detection and response processes.
From the government's perspective, DoD systems are only as secure as the weakest link. The Government Accountability Office may have given the DoD high marks for its internal security processes. However, the DoD also has more than 300,000 contractors and subcontractors that they've been attempting to persuade to tighten security measures.
In 2018, the DoD rolled out NIST SP-800-171 standards, which outlined five levels of security controls contractors should strive to attain. However, the 800-171 enforcement policies were non-existent. In fact, DoD required contractors to self-certify that they were meeting criteria. When issues arose, the DoD required contractors to submit remediation plans, but even those were lax at best. Thus, adoption rates remained low.
Enter CMMC. CMMC essentially enforces the policies outlined in NIST SP-800-171 with mandatory certification through a system of third-party audits. DoD contractors must now certify in order to be eligible to bid on or participate in a contract. We've outlined the full differences between CMMC and 800-171 in another blog post.
With the release of CMMC, DoD contractors are scrambling to certify and prepare for potential audits — and they don't have much time. The DoD is moving fast. The CMMC levels and requirements were published in January 2020, when training materials for the CMMC Accreditation Board were released. The first round of CMMC auditors and assessors was trained between February and May. The initial set of CMMC audits began in June 2020 for contractors wishing to bid on open contracts. By October, CMMC enforcement will likely be in full swing.
For companies that deal primarily or exclusively with the DoD, passing CMMC certification requirements should be a top priority. Additionally, the CMMC requires that all DoD subcontractors also be CMMC certified, which dramatically expands the pool of companies that need to pass a CMMC audit.
What are the CMMC Levels?
The CMMC framework outlines five levels of preparation from basic cyber hygiene to advanced IDS/IPS procedures. This cert has five classifications ranging from CMMC Level 1 (Basic Cyber Hygiene) to CMMC Level 5 (Advanced / Progressive). These align with the information classification a contractor at that level is allowed to access.
These are the five CMMC levels:
CMMC Level 1: Basic Cyber Hygiene
CMMC Level 2: Intermediate Cyber Hygiene
CMMC Level 3: Good Cyber Hygiene
CMMC Level 4: Proactive
CMMC Level 5: Advanced / Progressive
Each of these builds on the one above, so if you're certified at a CMMC Level 3, you're also qualified to bid on CMMC Level 1 and CMMC Level 2 jobs. The CMMC guidance is a bit less clear on subcontractors but appears to indicate that companies can silo information. Practically speaking, this means that subcontractors would only need to be CMMC certified at the level of the information they have access to, not necessarily the highest level the overall contract requires.
How to Certify on CMMC Levels
Each of the CMMC levels is based on implementing specific controls listed in a few different federal guidelines, including NIST 800-171 Revision 1, NIST SP 800-172, NIST SP 800-53, and several other documents. Previous guidance referenced NIST 800-171 Revision B, but this was withdrawn as of July 2020, and replaced by SP 800-172, which hasn't been approved and is still in draft form as of this writing.
Your CMMC certification level is based on implementing a specific number of controls per level. Here's how the CMMC levels break down:
To certify at CMMC Level 1, you need to implement 17 practices.
To certify at CMMC Level 2, you need to implement 72 practices — or 57 above Level 1.
To certify at CMMC Level 3, you need to implement 130 practices — or 58 above Level 2.
To certify at CMMC Level 4, you need to implement 156 practices — or 26 above Level 3.
To certify at CMMC Level 5, you need to implement 171 practices — or 15 above Level 4.
Because each CMMC level builds on the ones below, each practice in every level lower than the one you're aiming for must also be incorporated. Most of these (110 out of 171) can be found in 48 CFR 52.204-21 and DFARS Clause 252.204-7012.
According to the most recent OSD guidance, the other 61 practices stem from "multiple references, as well as inputs from the DIB and DoD stakeholders." Forty-six of these requirements are listed as originating from sources only described as "Other."
To really dig into the CMMC level practices, take a look at our companion article about CMMC compliance.
How DoD Contractors Can Prepare for the CMMC Audit
There are four steps a DoD contractor should take to prepare for the CMMC:
Identify the target CMMC level
Conduct a self-assessment
Bring your system up to code
Compile documentation for the audit
When carrying out these steps, remember that you're performing them as a way to prepare for a third-party auditor. As pointed out by Compliance Force, "the longer it takes an auditor to review and understand your environment, the more billable hours will accumulate." So it's important not only to prepare technology solutions, but also to document them.
1. Identify a Target CMMC Level
The first thing a DoD contractor should do is identify the CMMC level they need to meet. Once you've done that, conducting a comprehensive self-assessment is crucial to identify any deficiencies. The NIST Handbook 162 outlines this assessment process in extensive detail. Although it won't cover all of the CMMC source guidance, it will give contractors a solid start.
2. Conduct a CMMC Audit Self-Assessment
The DoD hasn't yet released any information on how the auditors will assess compliance with CMMC level practices. However, it's rumored to be based off of NIST SP 800-171A guidelines. 800-171A serves as a suitable roadmap and evaluation tool. For instance, let's take access control as an example.
3.1.1. Security requirement: Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems).
The auditor will be looking to see if six conditions are met by either examination, interview, or test.
The security requirements outlined in 800-171A map closely to the CMMC levels.
3. Prepare Your System for CMMC Audit
Many small- to mid-size companies may not have the resources to implement the necessary controls, or even accurately self-evaluate their current status. If this describes your situation, consider contacting a Managed Security Service Provider (MSSP), a specialist in interpreting, implementing, and monitoring cybersecurity in the DoD contracting space. They should not only be able to tell you where you stand, but also help correct any deficiencies.
4. Prepare Documentation for the CMMC Audit
Again, time is money when dealing with the third-party auditor. For each security control, be prepared for an examination, interview, or test. For each control, NIST SP 800-171A outlines specifically what the auditor will need to examine. The more documentation you prepare ahead of time, the less time the auditor will spend conducting the CMMC audit.
Being as proactive as possible is crucial. Because so many contractors will be trying to pass CMMC certification requirements simultaneously, failing CMMC audit requirements will likely set a company back quite a bit. CMMC auditors will likely prioritize getting everyone a first look before working on reattacks, so you don't want to miss on your first shot.
Why the CMMC is Necessary
The CMMC is complicated, and the guidance isn't as clear as everyone wishes it would be at this point. There's quite a bit of confusion surrounding CMMC level requirements, CMMC audit requirements, and CMMC certification requirements as a whole. All in all, there's plenty to complain about.
However, even without disputing any of this, it's essential to keep in mind that the Cybersecurity Maturity Model Certification is something we need. State-sponsored and corporate espionage are real threats that cost America hundreds of billions of dollars each year and compromise our military capabilities. When CMMC compliance gets painful, focusing on the bigger picture will help.