CMMC, an abbreviation for Cybersecurity Maturity Model Certification, is a new requirement for defense contractors that the United States Department of Defense (DoD) is rolling out beginning in October 2020. All companies that serve DoD contracts, either as the prime contractor or as a subcontractor, will be expected to demonstrate a degree of cybersecurity maturity aligned to the controls and best practices of the CMMC Program.
What does this mean for the hundreds of thousands of companies that provide services to DoD entities? In short, it means cybersecurity will need to be elevated beyond a technology priority to a business priority.
What Is the Purpose of CMMC?
The Cybersecurity Maturity Model Certification was developed to secure the Defense Industrial Base (DIB) supply chain. The goal is to ensure that all DIB organizations are adequately protecting two types of data, Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). Any organization that handles FCI or CUI must meet CMMC requirements to serve as a prime or a sub on United States Federal contracts.
How do you know if you handle FCI? Essentially any entity serving in any capacity on a Federal contract has Federal Contract Information in the form of contract documents, RFP responses and other paperwork and data involved in winning and serving the contract.
How do you know if you handle CUI? While Controlled Unclassified Information is neither classified nor company proprietary information, the aggregated theft of CUI poses a significant threat to national security. Not all organizations serving Federal contracts handle Controlled Unclassified Information, but many do. It depends on the nature of the work that the organization performs on behalf of the Federal government. Examples of CUI include Personally Identifiable Information (PII) such as identity information and health documents, as well as legal material, technical drawings and intellectual property, among other types of data.
Is CMMC the same as NIST 800-171?
CMMC is an extension of the NIST 800-171 security recommendations that the Department of Defense unveiled in 2017. Complying with the NIST 800-171 controls and practices was not a certification process like CMMC is; instead, organizations were required to self-attest that they had the controls and practices in place. If an organization then experienced a cybersecurity breach or attack, it could be audited and found culpable if the NIST 800-171 recommendations had not been followed.
CMMC builds on NIST 800-171 with additional controls and practices aligned to Maturity Levels designed to protect the type of information an organization stores and handles. All defense contractors will undergo an official audit performed by an independent CMMC Third-Party Assessor Organization (C3PAO) that is accredited as an auditor by the Department of Defense.
What Are the CMMC Maturity Levels?
The CMMC Maturity Levels define the controls and practices an organization must follow based on the type and sensitivity of the information the organization handles and stores in connection with its DoD contract. For example, Maturity Level 1 stipulates that a company must adhere to basic cyber hygiene practices in order to protect Federal Contract Information. Each level builds on the previous level, meaning that Maturity Level 2 includes all the controls and practices required to achieve Maturity Level 1. Maturity Level 2 is the transition level between protecting FCI at Level 1 and also having the defenses in place to protect Controlled Unclassified Information once your organization reaches Maturity Level 3.
The Maturity Level your organization will need to achieve will be specified in the DoD Request for Proposal for the specific contract for which your company is competing. In other words, each contract will have a required Maturity Level designation to which contract awardees must be certified. This process will begin in October 2020 for fifteen priority contracts that have already been identified by the DoD. The DoD has begun the process of notifying these companies that they must pass the CMMC audit in order to serve the contracts.
After October 2020, organizations will need to pass a CMMC audit once their contracts are in the renewal and/or recompete period after option years are exercised.
What Are the CMMC Controls and Practices?
The CMMC controls and practices are aligned to 17 NIST Cybersecurity Framework domains, including areas such as Security Awareness and Training (AT), Situational Awareness (SA) and Incident Response (IR) among other key cybersecurity best practice categories. Each area includes multiple practices and controls aligned to each Maturity Level.
Implementing the required controls and practices will involve IT as well as technical and physical security teams. Many of the requirements concern secure product and tool configuration, such as implementing access controls that restrict certain software functions to members of IT, or to only those staff members who need that functionality to perform their job duties. Physical security is also covered, with requirements such as keeping technology that houses sensitive information in locked areas and limiting keys and access codes to specific staff members.
In addition to IT and physical security, the required controls and practices encompass secure network architecture, such as firewall implementation and network segmentation. Another key cybersecurity requirement is threat monitoring and log aggregation, to ensure that organizations are alerted to cyberattack attempts and can immediately take steps to block them.
How Much Will CMMC Cost?
The answer to this common question is one that most of us don’t want to hear. The answer is, “It depends.” The cost of achieving certification depends on multiple factors, making it impossible to predict a one-size-fits-all price tag. Considerations such as an organization’s current cybersecurity maturity, the organization’s size, infrastructure complexity and staff cybersecurity awareness layer onto the CMMC Maturity Level that the organization must achieve to serve a contract. All of these factors will affect the price.
While it’s tempting to assume that Level 1 would be the least expensive, that is not necessarily the case. An organization that has not previously implemented any security controls and practices will need to invest in putting the basics in place in order to achieve Maturity Level 1. At the opposite end of the spectrum, a company that must adhere to Maturity Level 5 may already have a sophisticated program in place and will only need to cover the small expense of adjusting its current controls and practices to align more precisely with CMMC.
CMMC Builds a Culture of Cybersecurity
To prepare for CMMC, companies will need to approach cybersecurity as a cultural initiative rather than a single project. CMMC controls and best practices span all areas of the business, from staff awareness to data management and technology protections, both physical and digital. Small, inconsistent security fixes in limited capacities will not be enough to satisfy CMMC and achieve certification. Cybersecurity must form the foundation of your business through the implementation of a full security program.
While it can seem daunting, most organizations will find there is a silver lining. Many of the controls and practices are likely things that you already have in place. Additionally, implementing one tool or one new process can address multiple requirements, meaning companies aren’t faced with making one-for-one changes.
What’s more, there are service providers who specialize in helping organizations implement full cybersecurity programs. An experienced Cybersecurity Advisor and Analyst team can evaluate your current security posture, identify the gaps, and then develop a prioritized roadmap that will help you meet the CMMC requirements in the most efficient and effective way. And most importantly, having the right defenses in place helps alleviate some of the stress related to what happens if your company experiences a cyberattack.