– Achieve NIST 800-171 Provable Conformance –
– Protect CUI –
– Be Irresistible to Your Prime’s Capture Team –
– Be Ready for Your CMMC Certification Audit –
– Grow Your Business! –
The DOD and the CMMC AB continue to offer more guidance and details on how the CMMC roll out.
Yet companies that process sensitive government data (whether directly or as a sub-contractor in the supply chain) have only been required to “self-attest” to their conformance with relevant DFARS/NIST SP 800-171 guidance… until now.
The self-attestation approach hasn’t worked very well, as evidenced by notable breaches of critical government information. This has driven the U.S. Department of Defense (DOD) and other government agencies to mandate a higher level of attestation; the Cybersecurity Maturity Model Certification (CMMC).
It would be presumptuous for us to call ourselves CMMC experts. We are, however, experts at developing and managing information security and privacy management systems that comply with government and industry regulations. We have helped organizations ranging from $500K to $3B comply with DFARS clause 252.204-7012 and NIST SP 800-171 which covers 110 controls required for CMMC Level 2 certification. So, while CMMC is a new certification scheme — the process of preparing for CMMC certification isn’t new to us.
CMMC certification will be an absolute requirement to win DoD RFPs and/or have a contract awarded. For many SMBs impacted by the CMMC, DoD contracts make up a substantial percentage of their revenue—making CMMC certification a “go big or go home” proposition.
New to the CMMC? Lets get you up to speed quickly
The Cybersecurity Maturity Model Certification (CMMC) is a new cybersecurity standard for US Department of Defense (DoD) suppliers. The CMMC will impact more than 300,000 companies in the US Defense Industrial Base (DIB).
The CMMC is important because many DoD contractors are currently vulnerable to attack. Breaches of intellectual property across the DIB have and continue to reduce US defense superiority and threaten our national security.
First released in January 2020 after several years in development, the CMMC requires DoD contractors undergo independent, third-party audits. Compliance is measured against one of the three levels in the CMMC’s “maturity model,” which align with the specific maturity level mandated in each new DoD contract.
The CMMC certification process assesses the cybersecurity posture of DoD contractors through third-party audits. The audit process is intended to verify that a company’s security controls, policies and procedures comply with DFARS requirements and the CMMC standard at the contractually mandated level. The CMMC’s goal is to improve the protection of sensitive data in contractor’s systems, specifically Controlled Unclassified Information (CUI) and Federal Contract Information (FCI).
The security assessment program that the CMMC replaces allowed businesses to self-attest their compliance to the NIST SP 800-171 standard per the Defense Federal Acquisition Regulations (DFARS) as specified in their DoD contracts. Unless explicitly requested to do so, DIB companies were not required to provide evidence of compliance. This perpetuated security vulnerabilities and resulted in significant data breaches, operational interruptions and intellectual property theft at a cost of at least $300 billions per year.
The CMMC was developed in collaboration with university research centers, federally funded R&D centers and industry experts. It unifies several existing security standards into one comprehensive framework, including NIST SP 800-171, NIST SP 800-53, ISO 27001, ISO 27032, FISMA and AIA NAS9933.
The DoD’s CMMC: Key Terms and Acronyms
The CMMC is business-critical for DIB suppliers because they will soon need to achieve CMMC certification at one of the five CMMC levels to participate in DoD contract awards.
The CMMC will gradually replace the DoD’s current cybersecurity compliance program, based on the DFARS, which began in 2015. This outdated approach mandates compliance with NIST 800-171 for all contractors, regardless of the type and volume of data they handle.
Many contractors, especially SMBs with limited resources, have been challenged to comprehend the NIST 800-171 requirements, let alone implement them. Others have either outsourced their compliance programs or employed significant expertise to sustain compliance in-house.
Overall, NIST 800-171 compliance has been lax, though the DoD has endeavored to make compliance a competitive advantage in the contract award process. Moreover, the DoD has stepped up DFARS enforcement, fining suppliers that have claimed to be compliant under the False Claims Act over $250 million in 2019.
The core issue that the DoD is looking to address with CMMC certification is companies falsely claiming compliance with its cybersecurity guidelines, whether intentionally or out of ignorance. By achieving CMMC certification, DoD suppliers will verifiably have appropriate cybersecurity processes and controls in place. CMMC also gives companies a way to assess the maturity of their current environment, as well as a roadmap for how to progressively improve their security postures.
Any organization—prime contractor or subcontractor—that participates in DoD contracts will need to achieve some level of CMMC certification in the next 9 to 24 months. Those that handle Federal Contract Information (FCI) but not Controlled Unclassified Information (CUI) will need CMMC Level 1 (Foundational) certification. Even companies that provide nontechnical services like custodial services will need to demonstrate CMMC Level 1 compliance, since by definition they handle FCI.
Businesses that handle CUI will need to be certified to at least CMMC Level 2, which directly corresponds to the “security maturity” already mandated by NIST 800-171 and the DFARS 7012 clause. Companies that “solely produce Commercial-Off-The-Shelf (COTS) products” purchased as part of a DoD contract do not require a CMMC certification, according to the DoD.
Companies like major prime contractors that handle the most sensitive non-classified information will be required to achieve CMMC 2.0 Level 3, formerly Level 5. Requirements for Level 3 are still TBD.
CMMC 2.0 organizes cybersecurity preparedness controls and processes into three maturity levels, which protect against progressively higher levels of risk to FCI and/or CUI. Each level incorporates the preceding levels; for example, attaining CMMC Level 3 certification means compliance with CMMC levels 1 and 2.
Here are brief descriptions of the three CMMC levels:
Foundational (Level 1) focuses on protecting FCI. It includes only 17 practices as specified in 48 CFR 52.24-21, Basic Safeguarding of Covered Contractor Information Systems. These include fundamental controls like using up-to-date antivirus software and providing staff with cybersecurity awareness training. Note that if you are subject to a FAR 52.204.21 clause in one or more contracts today, you are already responsible for implementing these controls.
Advanced (Level 2) focuses on protecting CUI. It includes all the 110 controls specified in NIST 800-171. To gain CMMC Level 2 certification, a business must show that it has documented and is actively managing cybersecurity policies and processes in alignment with an established plan. Organizations that are compliant with NIST 800-171 today should not find CMMC Level 2 certification to be a big hurdle.
Expert (Level 3) focuses on protecting CUI from multi-vector, state-of-the-art Advanced Persistent Threats (APTs) mounted by government-sponsored hackers. It requires the demonstrable ability to audit, optimize and standardize cybersecurity controls and processes. Demanding a robust security posture, CMMC 2.0 Level 3 will incorporate a to-be-determined set of additional controls from NIST 800-172, “Enhanced Security Controls,” which defines 35 controls beyond NIST SP 800-171. This will be a challenging level for many SMBs to meet with in-house staff and expertise.
The CMMC 2.0 model defines 14 control domains. These are derived from NIST 800-171 and the associated security areas in Federal Information Processing Standards (FIPS) Publication 200.
The 14 CMMC control domains are:
- Access Control—who has access to your systems (including remote access) and what are their roles and limitations?
- Audit and Accountability—Can you track the users who have access to your CUI, so they are accountable for their actions?
- Awareness and Training—Do all staff have security awareness training?
- Configuration Management—Do you have configuration baselines for your systems so you can gauge their effectiveness?
- Identification and Authentication—Does your organization have properly defined roles with appropriate data access levels, including processes for reporting and accountability?
- Incident response—Do you have an Incident Response Plan that documents how you will detect, report and respond to incidents, including post incident analysis?
- Maintenance—Do you have procedures in place to maintain and operate your cyber controls?
- Media Protection—Is your media identified and marked for quick access, and do you have media protection, transportation and disposal protocols in place?
- Personnel Security—Have staff been properly screened, and do you have controls in place to protect CUI during staff turnover?
- Physical Protection—Do you have provably adequate physical security protecting your assets?
- Risk Management—Do you have a process to periodically identify and assess risks to your FCI and/or CUI, including vendor-related risks?
- Security Assessment—Do you have a system security plan in place?
- System and Communications Protection—Do you have verifiable control of communications at system boundaries?
- Systems and Information Integrity—Can you effectively monitor your environment to identify and mitigate vulnerabilities and flaws?
As announced recently under CMMC 2.0, the CMMC v1 pilot program is suspended. Those companies that are required to undertake a certification audit under the new CMMC 2.0 program will need to engage a Certified Assessor (CA) working for a Certified 3rd-Party Assessor Organization (C3PAOs). The Cyber Accreditation Body (Cyber-AB) still authorizes C3PAOs to schedule and conduct assessments for Organizations Seeking Certification (OSCs), though the DoD provides oversight via Joint Surveillance assessments with C3PAOs and the DoD’s DIBCAC.
Since CMMC 2.0 certification will be a prerequisite for contract award, DIB companies that need to handle CUI should prepare now by achieving verifiable compliance with NIST 800-171. This will prepare you for a certification audit or self-attestation of compliance with CMMC Level 2.
If you don’t anticipate that your business will receive CUI as part of any contract you are competing for, you should prepare now to self-attest to compliance with the 17 controls defined in 48 CFR 52.24-21, Basic Safeguarding of Covered Contractor Information Systems. These are the controls required for compliance with CMMC Level 1 (Foundational).
While you cannot currently undergo a CMMC 2.0 assessment, you can begin taking steps to choose a C3PAO and plan an assessment for the future. You can also connect with a Registered Provider Organization (RPO) to engage a Registered Practitioner and advance your security program to set you up for successful CMMC certification. The DoD strongly encourages its suppliers to assess their CMMC readiness and enhance their cybersecurity postures while CMMC 2.0 rulemaking is underway.
Once CMMC 2.0 is fully in place, the DoD will have access to information and data related to assessments, including a company’s assessment results and final report. The DoD will store all self-assessment results in its Supplier Performance Risk System (SPRS) database. CMMC certificates and associated third-party assessment data will be stored in the CMMC Enterprise Mission Assurance Support Services (eMASS) database, and a copy of a company’s CMMC certificate will automatically post to SPRS. Details of a company’s CMMC assessment will not be made public.
The CMMC certification process assesses the cybersecurity posture of DoD contractors through third-party audits. The audit process is intended to verify that a company’s security controls, policies and procedures comply with DFARS requirements and the CMMC standard at the contractually mandated level. The CMMC’s goal is to improve the protection of sensitive data in contractor’s systems, specifically Controlled Unclassified Information (CUI) and Federal Contract Information (FCI).
The security assessment program that the CMMC replaces allowed businesses to self-attest their compliance to the NIST SP 800-171 standard per the Defense Federal Acquisition Regulations (DFARS) as specified in their DoD contracts. Unless explicitly requested to do so, DIB companies were not required to provide evidence of compliance. This perpetuated security vulnerabilities and resulted in significant data breaches, operational interruptions and intellectual property theft at a cost of at least $300 billions per year.
The CMMC was developed in collaboration with university research centers, federally funded R&D centers and industry experts. It unifies several existing security standards into one comprehensive framework, including NIST SP 800-171, NIST SP 800-53, ISO 27001, ISO 27032, FISMA and AIA NAS9933.
The DoD’s CMMC: Key Terms and Acronyms
While full enforcement of the CMMC 2.0 framework is still nine or more months away for most DIB companies, you should take steps immediately to become familiar with CMMC technical requirements and assessment programs. Many suppliers will need to invest significant time and effort (six months in many cases) to evaluate their current security postures and prepare for CMMC assessment at Level 2 or above.
Here are some commonsense steps your business can take now to help ensure a smooth CMMC certification process:
- Determine what CMMC 2.0 level you will eventually need to attain.
- Review the technical requirements for that level.
- If you handle CUI, begin aligning your current environment with NIST 800-171, as this is mandated by the DFARS 7012 clause in current contracts and the DoD may ask you to demonstrate compliance at any time. Further, this will position you to quickly achieve CMMC Level 2 certification.
- Connect with a trusted third-party information security consultant to get support for CMMC 2.0 planning, gap assessment and implementation if you plan to outsource some part of the process.
- Check in with relevant vendors (e.g., email and file sharing service providers, cloud service providers) on their CMMC 2.0 and NIST 800-171 compliance status.
- Conduct a CMMC 2.0 “readiness assessment” and/or “gap analysis” so you can prioritize next steps leading to a “remediation plan” or compliance roadmap.
- Begin documenting your cybersecurity practices and policies as you’ll need to do this eventually if you handle CUI.
- Start planning your budget for CMMC certification, including consulting fees, internal resourcing, software purchases, internal/external audit costs, etc.
- Stay current with news and DoD announcements about the CMMC 2.0 requirements, rulemaking and rollout by checking online sources like the CMMC FAQ page and the Cyber AB site.
Because primes are already looking at CMMC 2.0 and NIST 800-171 compliance when choosing capture teams, companies that are slow to respond to CMMC and/or fail to achieve certification based on their first assessment may be unable to participate in contracts or offer products and services to the DoD for some period of time.
Now is the time to get familiar with CMMC requirements, connect with compliance experts and start aligning your cybersecurity controls and policies with the CMMC 2.0 framework if you haven’t already done so. While CMMC Level 2 certification will be nontrivial for many DoD suppliers that are not working towards NIST 800-171 compliance already, the process will support adoption of cybersecurity best practices that all businesses must have in place today to assure customers, management and other stakeholders that they can protect sensitive data.
The CMMC certification process assesses the cybersecurity posture of DoD contractors through third-party audits. The audit process is intended to verify that a company’s security controls, policies and procedures comply with DFARS requirements and the CMMC standard at the contractually mandated level. The CMMC’s goal is to improve the protection of sensitive data in contractor’s systems, specifically Controlled Unclassified Information (CUI) and Federal Contract Information (FCI).
The security assessment program that the CMMC replaces allowed businesses to self-attest their compliance to the NIST SP 800-171 standard per the Defense Federal Acquisition Regulations (DFARS) as specified in their DoD contracts. Unless explicitly requested to do so, DIB companies were not required to provide evidence of compliance. This perpetuated security vulnerabilities and resulted in significant data breaches, operational interruptions and intellectual property theft at a cost of at least $300 billions per year.
The CMMC was developed in collaboration with university research centers, federally funded R&D centers and industry experts. It unifies several existing security standards into one comprehensive framework, including NIST SP 800-171, NIST SP 800-53, ISO 27001, ISO 27032, FISMA and AIA NAS9933.
The CMMC certification process assesses the cybersecurity posture of DoD contractors through third-party audits. The audit process is intended to verify that a company’s security controls, policies and procedures comply with DFARS requirements and the CMMC standard at the contractually mandated level. The CMMC’s goal is to improve the protection of sensitive data in contractor’s systems, specifically Controlled Unclassified Information (CUI) and Federal Contract Information (FCI).
The security assessment program that the CMMC replaces allowed businesses to self-attest their compliance to the NIST SP 800-171 standard per the Defense Federal Acquisition Regulations (DFARS) as specified in their DoD contracts. Unless explicitly requested to do so, DIB companies were not required to provide evidence of compliance. This perpetuated security vulnerabilities and resulted in significant data breaches, operational interruptions and intellectual property theft at a cost of at least $300 billions per year.
The CMMC was developed in collaboration with university research centers, federally funded R&D centers and industry experts. It unifies several existing security standards into one comprehensive framework, including NIST SP 800-171, NIST SP 800-53, ISO 27001, ISO 27032, FISMA and AIA NAS9933.
The DoD’s CMMC: Key Terms and Acronyms