Those who handle sensitive information in relation to execution of government contracts must already maintain a certain level of quality within their information technology systems in order to protect that information. However, in 2020, a new standard was developed to further defend such information from unwanted release: the Cybersecurity Maturity Model Certification (CMMC).
If you have been notified that your organization must make changes to comply with CMMC, or if you are wondering whether CMMC will affect you, it is important that you learn more so you can correctly adjust your practices. Here is an overview of everything you need to know about the CMMC framework so you can make informed decisions and fine-tune your cybersecurity practices and processes as needed.
What Does CMMC Stand For?
CMMC stands for Cybersecurity Maturity Model Certification and was developed as a new standard for cybersecurity across the entirety of the Defense Industrial Base (DIB). Specifically, cybersecurity “maturity” refers to the level of protection that a system offers; a system is considered more mature, and sensitive information within it better protected, if that system is more robust and implements a wider variety of safety and protection features.
The CMMC was established in 2020 to heighten cybersecurity measures by offering a scalable certification process that adapts based upon the type of information being handled. It also improves and facilitates verification of cybersecurity maturity so that the Department of Defense (DOD) can remain sufficiently informed that a DIB company has adequately secured its information at all points, all the way down to subcontractors.
Previously, companies typically utilized the NIST 800-171 standard when considering their own cybersecurity practices. This required self-reporting their information security and protection capabilities to the DOD; either they proved that all 110 requisite milestones were met or shared a comprehensive plan outlining how they planned to do so. Now, these self-assessments are being replaced with external assessments checking for compliance with cybersecurity measures. These assessments will be conducted by a third party, and unlike past methods, falling short of full compliance while providing a plan to address the gaps will no longer be acceptable.
Who Is Impacted by the New CMMC Standard?
Now that CMMC implementation has begun, any company that does business with the Department of Defense (except for companies that only handle COTS, or commercial off-the-shelf products that require no changes in order to serve their purpose) will be required to attain at least some level of CMMC compliance.
The new CMMC standard is broken into five levels, with each level becoming progressively more nuanced and comprehensive in its approach to protection and security. Not all companies are required to reach level five, the highest level of certification, and the requirements will be rolled out slowly beginning in Fall 2021.
The company itself is not the only one impacted by the requisite CMMC level. Both prime contractors and any subcontractors, as well as suppliers across the supply chain, must adequately fulfill the CMMC requirement; however, the required CMMC level may not be uniform across all of these parties. The prime contractor may require level three, for instance, while subcontractors may only need level one. The Department of Defense will specify which levels are applicable and to whom.
Which CMMC Level Does My Company Need To Fulfill?
The level of CMMC compliance that a company must achieve depends on the type of information it handles. Those with the most sensitive information will likely be required to achieve CMMC level five, while subcontractors and those handling information with very little sensitivity are likely to require level one or no higher than level two. However, any contractor whose contract contains a DFARS clause is automatically required to attain a minimum of CMMC level three.
Level one involves basic cybersecurity hygiene. This includes simple tasks such as securing devices and accounts with strong passwords, encrypting sensitive material, performing consistent backups and using security tools like firewalls. Because these tasks are very simple and do not often require substantial documentation as part of their implementation, level one of the CMMC does not mandate the assessment of process maturity. In other words, you will not be required to compile a comprehensive documentation file that proves you are consistently utilizing these programs, since such documentation may not exist for such tasks.
At CMMC level two, organizations must begin to implement practices and policies that are repeatable and testable. Documentation becomes critical at this stage so that an organization’s practices can be analyzed and replicated for testing and compliance purposes. Level two is considered a transition between level one and level three, which means that it contains a subset of requirements meant to bridge this gap. The focus on the protection of controlled unclassified information (CUI) begins at this stage.
The documentation requirements become more complex at CMMC level three. An organization must establish and maintain a plan that adequately demonstrates not only the goals and plans for their cybersecurity practices but also the resources they use, how they acquire them, any training that staff undergoes and any stakeholders involved in the process. More advanced cyber hygiene, such as incident reporting, becomes mandatory at this stage.
Level four CMMC organizations not only implement proactive cyber hygiene but also actively measure their own practices to determine their efficacy and make adjustments accordingly. They are expected to manage the status of their cybersecurity system and take any necessary corrective actions. Level four CMMC also requires some ability to adapt to active threats and to the current, evolving tactics used to compromise data, rather than relying on a more static approach.
Level five is the highest of the CMMC requirements and is considered the most optimized and advanced stage. An organization's cybersecurity measures should be sophisticated and geared toward proactive protection against APTs, or advanced persistent threats. Processes must be standardized and regularly reevaluated across the entire organization.
Achieving Level 3 or Greater
Contractors with a DFARS clause, as well as any organization that handles sufficiently sensitive data, will be required to attain a minimum of maturity level three in the CMMC framework. This will encompass most organizations, with levels one and two filled primarily by subcontractors at the end of the supply chain. In general, level three requirements can be achieved through a few highly important steps.
First, all relevant parties must adopt the use of an adequately secure platform in order to exchange controlled unclassified information. Company email is one of the most commonly targeted channels and therefore a priority for protection; using a dedicated encryption service is one way to fulfill some CMMC standards.
Any company that does not already utilize an SSP, or system security plan, will also be required to implement one. This will be the first aspect an auditor will examine to determine whether an organization is fulfilling all of its control requirements. SSPs are not simply general summaries, and such cursory information will not be sufficient to pass an audit. This is why it is important to establish a robust SSP that can streamline compliance.
It is also wise to establish a connection with a partner specifically to navigate the CMMC process. An expert consultant is a valuable investment to ensure that the CMMC requirements are fulfilled, since they are substantially more nuanced than previous requirements, and the criteria for compliance offer less flexibility than the former NIST 800-171 standard.
Getting Started With CMMC
The first step in the journey toward CMMC compliance is to determine what type of information you handle and where that places you among the CMMC levels. Once you know this (a consultant can help you determine your level), you can evaluate where your company currently stands compared to where it needs to be and create an action plan to bridge that gap.
When you begin to implement your proactive approach, be sure to document your new procedures and offer any training required to get staff up to speed. Once your new standards are in process, you may begin monitoring to evaluate their success.
As mandatory CMMC audits begin, you will be expected to provide substantive proof that you are adequately meeting the requirements for your desired CMMC level. This is where your SSP and other in-depth documentation will become relevant. Previously, self-reporting under NIST 800-171 was more lenient in the quality of data provided, but the new rules will not allow for a cursory overview only.
With 130 controls required in the CMMC program, maintaining compliance is nuanced, and documentation of your processes will be thoroughly vetted. You should be prepared to make consistent improvements even in areas you believe are already sufficient, as the new process is more rigorous than before.
Work with the Expert Cybersecurity Professionals to Navigate This New Process
Whether you are examining the CMMC standard for the first time or working to bring your company up to the CMMC level it must attain, most companies will benefit from the advice of an expert cybersecurity consultant to help navigate the complex regulations of the program.
The professionals at Vaultes are happy to clarify the requirements of the CMMC model and how they affect you so that you can prepare for and pass an audit with as little hassle as possible. Reach out to schedule an appointment to discuss the current state of your cybersecurity and which areas you will need to further develop in order to fulfill your goal of proper CMMC compliance.