The Cybersecurity Maturity Model Certification (CMMC) is a new universal standard set by the Department of Defense (DoD). The model was developed because of the slow adoption of its predecessor, the Defense Federal Acquisition Regulation Supplement (DFARS). There has been widespread recognition that the one-size-fits-all prescriptions in DFARS were not working and were leading DoD contractors to claim compliance with its prescriptions when in fact they were not compliant. This recognition led to the formation of a five-level cybersecurity maturity scale, which DoD contractors can use to assess themselves and become certified. This is known as the CMMC standard.
Organizations undergoing a CMMC audit are evaluated on the NIST-based maturity rating scale of 1-5, where 1 demonstrates basic cybersecurity hygiene and 5 demonstrates an advanced and progressive cybersecurity program that combines policies, processes, repeatability, and effectiveness in proactively protecting against cyber threats. The CMMC focuses on the traditional NIST 800-171 controls while adding a few “Other” controls to augment this DoD-specific program. Standard areas of control measures include:
- Access Control
- Awareness and Training of Employees
- Auditing and Accountability
- Configuration Management
- Identification and Authentication
- Incident Response Detection and Planning
- System Maintenance and Patching
- Media Protection
- Personnel Security
- Physical Security
- Risk Assessments: Identify, Evaluate, and Manage Risk
- Security Assessments
- Defined Security Requirements for Systems and Communications Protection
- System and Information Integrity
Who Has To Comply With The CMMC?
CMMC compliance and certification is required of all DoD contractors, including suppliers along the supply chain, small businesses, commercial item contractors, and foreign suppliers. The CMMC Accreditation Body (CMMC-AB) will coordinate directly with the DoD to develop procedures to certify independent CMMC Third-Party Assessment Organizations (C3PAOs) and assessors that will evaluate companies’ CMMC levels.
If your business must comply with the CMMC, it is important to understand the five levels of requirements. Each level requires compliance with all lower-level requirements plus the adoption of additional processes and the implementation of specific cybersecurity practices.
- Level 1: A company must perform “basic cyber hygiene” practices, such as using antivirus software or ensuring employees have 14+ character passwords (stored in a Password Manager) for each account to protect Federal Contract Information (FCI). FCI is “information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government.” It does not include public information or specific transactional information.
- Level 2: A company must document certain “intermediate cyber hygiene” practices to begin to protect any Controlled Unclassified Information (CUI) through the implementation of National Institute of Standards and Technology’s (NIST’s) Special Publication 800-171 Revision 2 (NIST 800-171 r2) security requirements. CUI is “any information that law, regulation, or government-wide policy requires to have safeguarding or disseminating controls,” but does not include certain classified information.
- Level 3: A company must have an institutionalized management plan to implement “good cyber hygiene” practices to safeguard CUI, including all the NIST 800-171 r2 security requirements as well as additional standards.
- Level 4: A company must have implemented processes for reviewing and measuring the effectiveness of practices as well as established additional enhanced practices to detect and respond to changing tactics, techniques, and procedures of advanced persistent threats (APTs). An APT is defined as an adversary that possesses sophisticated levels of expertise and significant resources that allow it to create opportunities to achieve its objectives by using multiple attack vectors.
- Level 5: A company must have standardized and optimized processes in place across the organization, along with additional enhanced practices that provide more sophisticated capabilities to detect and respond to APTs.