What is CMMC? Cybersecurity Maturity Model Certification Explained
The Cybersecurity Maturity Model Certification (CMMC) is a cybersecurity framework for US defense contractors. It combines different standards and requirements to measure the cybersecurity maturity of the defense supply chain.
The Defense Industrial Base (DIB) has long been required to implement adequate measures to protect any sensitive government information it handles on its networks. These requirements are always evolving to defend against changing security threats and, in the past 10 years, have grown from general requirements to obligatory compliance with entire frameworks, such as the NIST 800-171 specifications when contractors handle controlled unclassified information (CUI) on their networks.
In January 2020, the US Department of Defense (DoD) released the first version of the CMMC framework. Over the next five years, those defense contractors in the DoD supply chain who process CUI or federal contracting information (FCI) will be required to obtain CMMC certification to demonstrate their level of cybersecurity maturity for their respective DoD contracts.
The CMMC is a framework of standards for cybersecurity implementation designed to increase resilience against cyber-attacks throughout the DIB. This guide explores the CMMC and the process for certification.
What is a maturity model?
A maturity model is a way of measuring an organization’s capability to progress and improve in a specific area. Maturity models act as a benchmark for organizations to measure their progression. As a maturity model, the CMMC includes best practice cybersecurity processes from a range of frameworks and standards. It also outlines the cybersecurity capabilities held by organizations of different maturity levels. This helps defense contractors benchmark their cybersecurity capabilities.
A maturity model ensures that the CMMC scales alongside the different organizations and the cybersecurity requirements of the respective contracts. The level of CMMC certification needed will differ depending on the type of information processed and the organization’s place in the supply chain.
The five maturity levels of CMMC 1.0
The CMMC sets out 171 practices across five levels, designed to assess an organization’s implementation of cybersecurity and the maturity of its processes. Each level reflects the maturity of the contractor’s cybersecurity processes, practices, and infrastructure. The levels are cumulative, so each one builds on the previous level. For example, to achieve level 3, compliance must be held for the previous levels of CMMC too.
The five maturity levels of CMMC are:
• Level 1 | Basic Cyber Hygiene (17 security controls)
• Level 2 | Intermediate Cyber Hygiene (46 security controls)
• Level 3 | Good Cyber Hygiene (47 security controls)
• Level 4 | Proactive (26 security controls)
• Level 5 | Advanced / Progressive (4 security controls)
In practice, the five maturity levels are aligned with relative cybersecurity risks, cost of implementation and the type of sensitive information processed. Level 1 focuses on safeguarding Federal Contract Information (FCI). Levels 2 and 4 are ‘bridge levels’ from which contractors can set out a roadmap to achieve a higher level. Level 2 is a transition level for organizations to progress to protect Controlled Unclassified Information (CUI). Level 3 deals with protecting CUI and includes all 110 of the NIST 800-171 controls. Levels 4 and 5 establish additional requirements beyond NIST 800-171 to reduce the risk of Advanced Persistent Threats (APTs).
“Familiarize yourself first with what constitutes FCI or CUI and identify where it is processed and stored on your network.”
CMMC practices and processes
Each CMMC maturity level is a benchmark for an organization’s cybersecurity capabilities. The higher the maturity level, the higher the protection of sensitive information. This is reflected in the practices and processes outlined in each maturity level.
Why is CMMC important?
Before the introduction of the CMMC, all contractors handling sensitive government data and information (i.e. CUI) were expected to adhere to the criteria set out in the Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting. The criteria required adherence to the cybersecurity controls of NIST 800-171, with which the DIB could self-attest to be in compliance.
However, the previous model of self-attestation was deemed insufficient to protect the defense supply chain against potential IP theft and cyber breaches. The economic cost of malicious cyber activity is estimated at $57b per annum, and cyber breaches can undermine US economic and national security.
There has been a rapid increase in sophistication and operational security capabilities demonstrated by attackers in recent years. Defense contractors are experiencing significant and persistent attacks on their networks and systems. The CMMC was launched to improve the cybersecurity capabilities of the entire Defense Industrial Base (DIB). It ensures contractors have best practice processes in place to protect sensitive information on behalf of the government.
Who will need CMMC certification?
CMMC will apply to approximately 300,000 contractors in the DoD supply chain who handle Federal Contracting Information (FCI) or Controlled Unclassified Information (CUI). It will affect suppliers at all tiers of the DIB, from prime contractors to SME contractors as well as foreign suppliers. Both prime contractors and subcontractors that process CUI on behalf of the government will need certification. The Department of Defense will state the required CMMC level in Requests for Proposals (RFPs).
“If you’re a subcontractor, seek advice and guidance from the prime. The Defense Industrial Base Sector Coordinating Council (DIB SCC) runs the CyberAssist website, containing lots of valuable resources to help the DIB enhance its cyber posture.”
When will CMMC be required?
Over the coming years, CMMC requirements will start to show up in new DoD Requests for Proposals (RFPs) and Requests for Information (RFIs). Contractors will need to be certified at the required CMMC level by the time of contract award.
The Office of the Under Secretary of Defense for Acquisition and Sustainment has set out a roadmap for full implementation of CMMC within the next 5 years. An initial pilot phase began in 2021 with 15 pathfinder contracts that included CMMC requirements.
Defense contractors will need to evidence the level of maturity that is required in their contract through certification, and any flow-down CMMC requirements will apply to subcontractors.
While the DoD is leading the effort and acting as the first adopter, the CMMC will likely be embraced by other US government departments in future. We understand that private sector industries are also considering the adoption of CMMC as best practice.
How will contractors become CMMC certified?
The non-profit CMMC Accreditation Body (CMMC-AB) is responsible for managing, operating and sustaining the CMMC program. Their remit includes training, evaluating and accrediting the Certified Third Party Assessor Organizations (C3PAOs) and their respective teams of Certified Assessors (CAs).
CAs will perform the independent assessments of DIB contractors’ CMMC implementation and provide reports to their C3PAOs. In turn, C3PAOs then make a recommendation to the CMMC-AB on the issuance of CMMC certification that is valid for 3 years. To avoid any conflicts of interest, C3PAOs can only perform assessments; they cannot advise an organization seeking certification (OSC) as to whether the organization is ready to attain the level they seek before the assessment.
A DIB contractor seeking CMMC certification can enlist the help of a Registered Provider Organization (RPO) to evaluate their readiness and help them prepare to meet the standards required, before undergoing a CMMC assessment. There is no self-certification.
“Don’t wait until an RFI or RFP comes out to start the process of understanding your CMMC compliance. Start today by establishing your compliance baseline to identify gaps and define your compliance priorities and efforts from there.”
“If you’re aspiring to be CMMC Level 5 certified, use the recently published NIST 800-172 to start identifying and implementing the enhanced controls required at the higher levels of CMMC.”
The benefits of CMMC certification
Certification independently verifies that an organization complies with best practice cybersecurity processes and practices. Government agencies or prime contractors can be assured that a prospective contractor will safely store and process sensitive information. CMMC certification will become ever more important as it’s rolled out over the next five years. It will soon become an integral part of winning government contracts.
CMMC is designed in a way to scale with the organization’s maturity level, so can be used to benchmark and improve an organization’s cybersecurity capabilities. These improvements make information more secure, enhancing network and system best practices. The consequences of a cybersecurity breach can be severe, so organizations benefit from improving their processes and practices.
Does CMMC place an additional cost burden on contractors?
Besides the cost of engaging a C3PAO, costs involved in meeting the standards required and preparing for a CMMC assessment will depend on a number of factors. The maturity of an organization’s existing cybersecurity infrastructure, the size and complexity of the organization, the volume and scope of CUI and FCI handled, and any consultancy or outsourcing of services involved in preparation for the assessment can all represent additional costs.
However, the DoD has made clear that “the cost of [CMMC] certification will be considered an allowable, reimbursable cost and will not be prohibitive.” Allowable costs for CMMC certification will be set out in supplier contracts.
The future of CMMC
CMMC is being rolled out over the next five years. The rollout will be phased, so the CMMC requirement will be introduced gradually each year. Initially, the process will be piloted, with a small selection of programs in 2021 requiring CMMC compliance. At this early stage, CMMC compliance will focus on the storage or processing of CUI up to CMMC Level 3. CMMC Levels 4 and 5 will be rolled out as a requirement in the latter stages of this five-year period. After this point, CMMC will become an integral part of government contract procurement. The standards will be regularly updated to keep ahead of emerging cybersecurity threats.
How can you prepare for CMMC Compliance?
You may be asking, ‘What CMMC level do I need?’ This will be made clear in the RFI or RFP for the contract you are bidding on. You will then need to set out a roadmap to achieve the required CMMC level by the time of contract award, and the first step is to assess your baseline compliance.
With Nipper, you can accurately assess your cybersecurity compliance against CMMC security practices. Nipper’s impact reports help you prioritize non-compliance issues and address risks efficiently. Reports provide detailed remediation advice and exact technical fixes for every risk found.
Nipper reports can be integrated into SIEMs and GRC systems, helping you track your compliance throughout the network. Find out more about how Nipper can help you achieve CMMC compliance.
Assess CMMC compliance with Titania Nipper
Titania Nipper is a firewall and network auditing tool that can streamline compliance with CMMC. Nipper can accurately assess your cybersecurity compliance against CMMC security practices. Create impact reports to prioritize non-compliance issues and address emerging risks efficiently. Reports provide detailed remediation advice and exact technical fixes for every risk found.