Cybersecurity Maturity Model Certification (CMMC)
Achieve & Maintain DFARS/NIST 800-171/CMMC Compliance
Pivot Point Security offers Cybersecurity Maturity Model Certification (CMMC) services to help organizations achieve and maintain compliance with the CMMC framework. CMMC compliance at the designated level will soon be a requirement for all contractors and subcontractors in the US Defense Industrial Base (DIB). With Pivot Point Security’s experience and expertise, you can trust that our team will guide you to a successful CMMC certification. Our team will work together with yours to ensure that your organization meets all requirements for CMMC compliance.
What is the Cybersecurity Maturity Model Certification 2.0 (CMMC)?
In November 2021, the US Department of Defense (DoD) announced Version 2.0 of the Cybersecurity Maturity Model Certification (CMMC) information security framework and audit program. Driven by internal review and public comment, CMMC 2.0 updates the requirements for CMMC Version 1.02, released in January 2020 and now suspended. CMMC 2.0 is designed to improve cybersecurity within the Defense Industrial Base (DIB) by ensuring contractors and subcontractors can adequately protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
Back in October 2016, the DoD specified requirements for protecting Covered Defense Information (CDI) and reporting cyber incidents in its Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012.DFARS 252.204-7019. This regulation—which has been in effect all along—relies on suppliers to self-attest to the status of their security controls and to compliance with NIST SP 800-171.
In contrast to CMMC 1.0, CMMC 2.0 requires organizations whose contracts mandate compliance with CMMC 2.0 Level 2 (Advanced) and which are participating in “prioritized acquisitions” to undergo third-party assessments to achieve CMMC 2.0 certification, and to be reassessed on a triannual basis. Firms participating in “non-prioritized acquisitions” at CMMC 2.0 Level 2 (Advanced) plus all organizations at CMMC Level 1 (Foundational) can demonstrate compliance through an annual self-assessment with an affirmation by company leadership.
The changes from CMMC 1.0 to CMMC 2.0 will be implemented through the US federal government’s rulemaking process to Code of Federal Regulations (CFR) Parts 32 and 48. DIB businesses will be required to comply with the new rules as soon as they go into effect; an estimated timetable is “9 to 24 months.”
Struggling with all the new terminology in the CMMC? Learn all the Key CMMC Terms & Acronyms here.
CMMC Compliance Services
Safeguarding controlled government/military data from unauthorized disclosure/release is critical to our national security and economic freedom. Yet companies that process sensitive government data (whether directly or as a sub-contractor in the supply chain) have only been required to “self-attest” to their conformance with relevant DFARS/NIST SP 800-171 regulatory requirements… until now.
Cloud Controls Matrix
The CSA Cloud Controls Matrix is a cybersecurity control framework for cloud computing. Aligned with CSA’s Cloud Security Guidance 4.0 and mapped to industry-accepted security standards like ISO 27001, ISO 27017, the CIS Critical Security Controls V8 and more, the CSA Cloud Controls Matrix is a de facto standard for cloud security assurance and compliance.
DFARS Compliance
DFARS is a defense industry specific supplement to the original FAR clause. DFARS explicitly addresses national defense concerns around DoD acquisitions. Consisting of numerous parts and subparts, DFARS compliance has a broad focus that includes materials sourcing, workplace/employee safety and other areas, as well as cybersecurity.
Why is the CMMC Important?
The CMMC is critically important because keeping CUI, CDI and FCI (Federal Contract Information) secure is vital to US national security and to the US economy. The current self-attestation approach has proven ineffective, as shown by multiple high-profile breaches of critical DoD data.
Exfiltration of sensitive defense-related data is estimated to cost the US economy $600 billion per year, and has verifiably narrowed US armed forces technological advantage over its adversaries. The DoD is determined to eliminate this data leakage.
CMMC represents a higher, more exacting level of assurance that emphasizes not only compliance but also data security, and which ensures more consistent implementation and execution of controls. CMMC will make it significantly more difficult for adversaries to breach DIB contractors, including sub-tier suppliers. This also includes assurance to the government and your investors that your organization is equipped to identify and triage cyber incidents.
How is the CMMC Different from Today’s Requirements?
CMMC will significantly impact both the DoD’s acquisition process and suppliers’ cybersecurity postures. Most importantly:
- To achieve certification at Level 2 and 3 of the CMMC, organizations must pass a third-party assessment conducted by an accredited C3PAO (Certified 3rd Party Assessor Organization) (some Level 2 requirements will be possibly recognized with annual self-attestation & company leadership sign-off)
- CMMC certification to at least Level 1 will be mandatory for DoD contract award/participation. If you have Federal Contract Information (FCI), you must achieve level 1.
- The CMMC certification level required for prime contractors and their subcontractors will be specified in DoD RFIs and RFPs.
- Suppliers will need to be recertified every three years. Further, the CMMC will continue to evolve in response to the threat landscape.
For the most up to date and complete information, listen to our podcast episodes on CMMC from The Virtual CISO Podcast
Summary of the Cybersecurity Maturity Model Certification (CMMC) Levels, Domains, Practices & Processes (Maturity Levels)
CMMC Levels:
Level 1 “Foundational”: Meant to ensure a company can safeguard Federal Contract Information (FCI). CMMC Level 1 encompasses the basic safeguarding requirements specified in Federal Acquisition Regulation (FAR) Clause 52.204-21. CMMC L1 has 17 requirements and requires an annual self-assessment.
Level 2 “Advanced”: CMMC Level 2 addresses the protection of Controlled Unclassified Information (CUI). CMMC Level 2 provides increased assurance to the DoD that a contractor can adequately protect CUI at a level commensurate with the risk, accounting for information flow with its subcontractors in a multi-tier supply chain. CMMC L2 has 110 requirements aligned with NIST SP 800-171 and requires a triennial third party assessment and annual assessment. (Annual self-attestation possibly allowed for information/data not deemed critical to national security).
Level 3 “Expert”: CMMC L3 has 134 requirements based on NIST SP 800-171 and 800-172 and requires a triennial government-led assessment and annual affirmation.
CMMC Domains
The CMMC model consists of 14 domains that align with the families specified in NIST SP 800-171.
Access Control (AC)
- Establish system access requirements
- Control internal system access
- Control Remote system access
- Limit data access to authorized users and processes
Awareness and Training (AT)
- Conduct security awareness activities
Audit and Accountability (AU)
- Define audit requirements
- Perform auditing
- Identify and protect audit information
- Review and manage audit logs
Configuration Management (CM)
- Establish configuration baselines
Identification and Authentication (IA)
- Grant access to authenticated entities
Incident Response (IR)
- Plan incident response
- Detect and report events
- Develop and implement a response to a declared incident
- Perform post incident reviews
- Test incident response
Maintenance (MA)
- Manage maintenance
Media Protection (MP)
- Identify and mark media
- Protect and control media
- Sanitize media
- Protect media during transport
Personnel Security (PS)
- Individuals are screened prior to accessing CUI
Physical Protection (PE)
- Limit physical access
Risk Assessment (RA)
- Manage back-ups
Security Assessment (CA)
- Develop and manage a system security plan
- Define and manage controls
- Perform code reviews
Systems and Communications Protection (SC)
- Define security requirements for systems and communications
- Control communications at system boundaries
System and Information Integrity (SI)
- Identify and manage information system flaws
- Identify malicious content
- Perform network and system monitoring
- Implement advanced email protections
How Do You Get CMMC Certified?
The DoD in cooperation with the defense industry has “self-formed” a nonprofit accreditation body, called the Cyber Accreditation Body (Cyber-AB). This entity will onboard the Certified 3rd-Party Assessment Organizations (C3PAOs) needed to certify suppliers across the DIB. The C3PAOs, in turn, will train and certify the many auditors who will conduct CMMC audits.
Anyone in the DIB seeking a CMMC assessment should connect with a C3PAO to schedule an audit.
How Does CMMC Compare to NIST 800-171?
Because it defines three compliance levels, CMMC is more flexible than NIST 800-171, and “right-sizes” a supplier’s compliance footprint based on the data it is handling.
Here is a simple way to describe the three CMMC “cyber hygiene” certification levels:
For suppliers that won’t be handling sensitive data, certification to CMMC Level 1 specifies only 17 controls, while Level 2 specifies 110 controls.
Suppliers that will handle CUI will need to be certified to CMMC Level 2 or higher. Level 2 includes 110 requirements based on NIST SP 800-171 and requires a triennial C3PAO-led assessment with annual affirmation (Annual self-attestation possibly allowed for information/data not deemed critical to national security). Level 3 includes 145 requirements based on NIST SP 800-171 and NIST SP 800-172 and requires a triennial government-led assessment with annual affirmation.
What certification level should your organization pursue?
That depends on your company’s role in the DIB, as well as your current cybersecurity maturity level. CMMC Level 2 is equivalent to the current regulations and will be required to handle CUI. For example, suppliers that have a Section 7012 clause in their current contract will need to be CMMC Level 2 certified when those contracts are renewed.
What Should You Do Next?
Download our CMMC Certification Guide!
This eBrief will give you a quick and easily digestible introduction to the CMMC and the process we use to help our clients become CMMC compliant.
Frequently Asked Questions
What is CMMC Certification?
The Cybersecurity Maturity Model Certification (CMMC) is a 3-level framework for implementing cybersecurity to protect Controlled Unclassified Information (CUI) across over 300,000 companies in the US Defense Industrial Base (DIB). CMMC is the latest US Department of Defense (DoD) response to significant compromises of sensitive defense information residing on contractors’ information systems.
Who needs CMMC Certification?
Any company engaged in a contract or subcontract with the US Department of Defense (DoD) will need to achieve certification at one of the 3 CMMC levels, possibly from an accredited CMMC third-party assessment organization (C3PAO). (Level 1 is currently an annual self-attestation. Level 2 for information not deemed critical to national security possibly allowed via annual self-attestation.)
What are CMMC Certification levels?
CMMC has 3 certification levels corresponding to different cybersecurity maturity requirements:
- CMMC Level 1 (Basic Cyber Hygiene) is required for any organization that stores, transmits, or processes US Federal Contract Information (FCI).
- CMMC Level 2 (Good Cyber Hygiene) is required for any organization that stores, transmits, or processes US Controlled Unclassified Information (CUI)
- CMMC Level 3 (Advanced/Progressive) is required for any organization that stores, transmits, or processes US Controlled Unclassified Information (CUI).
How to get CMMC Certification?
The CMMC certification process will not officially commence until CMMC federal rulemaking is complete, which should be by March 2023. Sometime shortly thereafter (probably May 2023), CMMC certification requirements will begin appearing in DoD contracts. Each such contract will specify the CMMC level needed.
Organizations that expect to handle controlled unclassified information (CUI) as part of their contracts should prepare now to demonstrate compliance with CMMC Level 2, which is aligned directly with NIST SP 800-171.
When is CMMC Certification required?
The US federal rulemaking process to codify CMMC 2.0 is expected to be complete by March 2023. The US Department of Defense (DoD) has stated that it will begin including CMMC language in contracts 60 days after that, in May 2023.