The Cybersecurity Maturity Model Certification (CMMC) is a cybersecurity framework for US defense contractors. It combines different standards and requirements to measure the cybersecurity maturity of the defense supply chain.
The Defense Industrial Base (DIB) has long been required to implement adequate measures to protect any sensitive government information it handles on its networks. These requirements are always evolving to defend against changing security threats and, in the past 10 years, have grown from general requirements to obligatory compliance with entire frameworks, such as the NIST 800-171 specifications when contractors handle controlled unclassified information (CUI) on their networks.
In January 2020, the US Department of Defense (DoD) released the first version of the CMMC framework. Over the next five years, those defense contractors in the DoD supply chain that process CUI or federal contracting information (FCI) will be required to obtain CMMC certification to demonstrate their level of cybersecurity maturity for their respective DoD contracts.
The CMMC is a framework of standards for cybersecurity implementation designed to increase resilience against cyber-attacks throughout the DIB. This guide explores the CMMC and the process for certification.
What is a maturity model?
A maturity model is a way of measuring an organization’s capability to progress and improve in a specific area. Maturity models act as a benchmark for organizations to measure their progression. As a maturity model, the CMMC includes best practice cybersecurity processes from a range of frameworks and standards. It also outlines the cybersecurity capabilities held by organizations of different maturity levels. This helps defense contractors benchmark their cybersecurity capabilities.
A maturity model ensures that the CMMC scales alongside the different organizations and the cybersecurity requirements of the respective contracts. The level of CMMC certification needed will differ depending on the type of information processed and the organization’s place in the supply chain.
The five maturity levels of CMMC
The CMMC sets out 171 practices across five levels, designed to assess an organization’s implementation of cybersecurity and the maturity of its processes. Each level reflects the maturity of the contractor’s cybersecurity processes, practices, and infrastructure. The levels are cumulative, so each one builds on the previous level. For example, to achieve level 3, compliance must be held for the previous levels of CMMC too.
The five maturity levels of CMMC are:
• Level 1 | Basic Cyber Hygiene (17 security controls)
• Level 2 | Intermediate Cyber Hygiene (46 security controls)
• Level 3 | Good Cyber Hygiene (47 security controls)
• Level 4 | Proactive (26 security controls)
• Level 5 | Advanced / Progressive (4 security controls)
In practice, the five maturity levels are aligned with relative cybersecurity risks, cost of implementation and the type of sensitive information processed. Level 1 focuses on safeguarding Federal Contract Information (FCI). Levels 2 and 4 are ‘bridge levels’ from which contractors can set out a roadmap to achieve a higher level. Level 2 is a transition level for organizations to progress to protect Controlled Unclassified Information (CUI). Level 3 deals with protecting CUI and includes all 110 of the NIST 800-171 controls. Levels 4 and 5 establish additional requirements beyond NIST 800-171 to reduce the risk of Advanced Persistent Threats (APTs).
“Familiarize yourself first with what constitutes FCI or CUI and identify where it is processed and stored on your network.”
CMMC practices and processes
Each CMMC maturity level is a benchmark for an organization’s cybersecurity capabilities. The higher the maturity level, the higher the protection of sensitive information. This is reflected in the practices and processes outlined in each maturity level.
The maturity of an organization’s cybersecurity processes is outlined in the CMMC. This includes the policies and procedures in place to protect sensitive information. Lower levels just require documentation of policies, whereas the higher levels require in-depth management and optimization of processes.
- CMMC Level 1 does not assess processes, as organizations can follow Level 1 practices without relying on documentation.
- CMMC Level 2 requires documented policies and practices to ensure cybersecurity practices are repeatable.
- CMMC Level 3 requires a higher level of management of cybersecurity processes, including a project plan, ring-fenced resources and training.
- CMMC Level 4 requires processes and practices to be reviewed for effectiveness to ensure continuous improvement.
- CMMC Level 5 requires organizations to achieve continuous optimization of process and practice.
Each maturity level of the CMMC highlights core cybersecurity practices. There are 171 practices in total across the five maturity levels.
- CMMC Level 1 requires ‘basic cyber hygiene’, including steps taken to safeguard Federal Contract Information (FCI). There are 17 Level 1 practices.
- CMMC Level 2 represents a transition towards the protection of Controlled Unclassified Information (CUI). Practices include a subset of controls found in cybersecurity frameworks like NIST 800-171. There are 55 Level 2 practices, bringing the total to 72.
- CMMC Level 3 requires the implementation of all NIST 800-171 requirements and other cybersecurity practices. There are 58 Level 3 practices, bringing the total to 130.
- CMMC Level 4 includes enhanced cybersecurity practices to protect CUI from Advanced Persistent Threats (APTs). There are 26 Level 4 practices, bringing the total to 156.
- CMMC Level 5 includes practices to further enhance cybersecurity protection against APTs. There are 15 Level 5 practices, bringing the total to 171.
Why is CMMC important?
Before the introduction of the CMMC, all contractors handling sensitive government data and information (i.e. CUI) were expected to adhere to the criteria set out in the Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting. The criteria required adherence to the cybersecurity controls of NIST 800-171, with which the DIB could self-attest to be in compliance.
However, the previous model of self-attestation was deemed insufficient to protect the defense supply chain against potential IP theft and cyber breaches. The economic cost of malicious cyber activity is estimated at $57b per annum, and cyber breaches can undermine US economic and national security.
There has been a rapid increase in sophistication and operational security capabilities demonstrated by attackers in recent years. Defense contractors are experiencing significant and persistent attacks on their networks and systems. The CMMC was launched to improve the cybersecurity capabilities of the entire Defense Industrial Base (DIB). It ensures contractors have best practice processes in place to protect sensitive information on behalf of the government.
Who will need CMMC certification?
CMMC will apply to approximately 300,000 contractors in the DoD supply chain that handle Federal Contracting Information (FCI) or Controlled Unclassified Information (CUI). It will affect suppliers at all tiers of the DIB, from prime contractors to SME contractors as well as foreign suppliers. Both prime and subcontractors that process CUI on behalf of the government will need certification. The Department of Defense will state the required CMMC level in Requests for Proposals (RFPs).
“If you’re a subcontractor, seek advice and guidance from the prime. The Defense Industrial Base Sector Coordinating Council (DIB SCC) runs the CyberAssist website, containing lots of valuable resources to help the DIB enhance its cyber posture.”
When will CMMC be required?
Over the coming years, CMMC requirements will start to show up in new DoD Requests for Proposals (RFPs) and Requests for Information (RFIs). Contractors will need to be certified at the required CMMC level by the time of contract award.
The Office of the Under Secretary of Defense for Acquisition and Sustainment has set out a roadmap for full implementation of CMMC within the next 5 years. An initial pilot phase began in 2021 with 15 pathfinder contracts that included CMMC requirements.
Defense contractors will need to evidence the level of maturity that is required in their contract through certification, and any flow-down CMMC requirements will apply to subcontractors.
While the DoD is leading the effort and acting as the first adopter, the CMMC will likely be embraced by other US government departments in future. We understand that even private sector industries are also considering the adoption of CMMC as best practice.
How will contractors become CMMC certified?
The non-profit CMMC Accreditation Body (CMMC-AB) is responsible for managing, operating and sustaining the CMMC program. Their remit includes training, evaluating and accrediting the Certified Third Party Assessor Organizations (C3PAOs) and their respective teams of Certified Assessors (CAs).
CAs will perform the independent assessments of DIB contractors’ CMMC implementation and provide reports to their C3PAOs. In turn, C3PAOs make a recommendation to the CMMC-AB on the issuance of CMMC certification, which is valid for 3 years. To avoid any conflicts of interest, C3PAOs can only perform assessments; they cannot advise an organization seeking certification (OSC) as to whether the organization is ready to attain the level it seeks before the assessment.
A DIB contractor seeking CMMC certification can enlist the help of a Registered Provider Organization (RPO) to evaluate their readiness and help them prepare to meet the standards required, before undergoing a CMMC assessment. There is no self-certification.
“Don’t wait until an RFI or RFP comes out to start the process of understanding your CMMC compliance. Start today by establishing your compliance baseline to identify gaps and define your compliance priorities and efforts from there.”
CMMC Level 1 certification process
To gain CMMC Level 1 certification, an independent assessor must confirm that an organization meets all practices outlined by CMMC Level 1. The assessment process is a mixture of audits, interviews, and demonstrations. Each practice or process is recorded as met, not met, or not applicable within an assessment report. There are 17 Level 1 practices to be met, focusing on the safeguarding of Federal Contract Information (FCI).
CMMC Level 3 certification process
To achieve CMMC Level 3 certification, an organization must meet the requirements outlined in Levels 1, 2, and 3. The requirements are taken from NIST 800-171 in addition to a selection of other security standards. Levels 2 and 3 focus on safeguarding Controlled Unclassified Information (CUI) in contractor systems and networks.
An independent assessor gathers evidence against the requirements, processes and practices outlined in each CMMC level. Assessment is of either the whole network or a specified system segment. Assessment methods include the reviewing of documents and evidence, interviewing key stakeholders, and testing key capabilities.
CMMC Level 5 certification process
CMMC Level 5 certification requires compliance with the 171 practices outlined across all five levels. These requirements are pooled from standards like NIST 800-171 and CIS Controls. Level 5 is the most advanced level and so requires evidence of a mature cybersecurity model that proactively negates Advanced Persistent Threats (APTs). Contractors that handle highly classified data or manage critical services or programs may require Level 5 certification.
“If you’re aspiring to be CMMC Level 5 certified, use the recently published NIST 800-172 to start identifying and implementing the enhanced controls required at the higher levels of CMMC.”
The benefits of CMMC certification
Certification independently verifies that an organization complies with best practice cybersecurity processes and practices. Government agencies or prime contractors can be assured that a prospective contractor will safely store and process sensitive information. CMMC certification will become ever more important as it’s rolled out over the next five years. It will soon become an integral part of winning government contracts.
CMMC is designed to scale with the organization’s maturity level, so it can be used to benchmark and improve an organization’s cybersecurity capabilities. These improvements make information more secure, enhancing network and system best practices. The consequences of a cybersecurity breach can be severe, so organizations benefit from improving their processes and practices.
Does CMMC place an additional cost burden on contractors?
Besides the cost of engaging a C3PAO, costs involved in meeting the standards required and preparing for a CMMC assessment will depend on a number of factors. The maturity of an organization’s existing cybersecurity infrastructure, the size and complexity of the organization, the volume and scope of CUI and FCI handled, and any consultancy or outsourcing of services involved in preparation for the assessment can all represent additional costs.
However, the DoD has made clear that “the cost of [CMMC] certification will be considered an allowable, reimbursable cost and will not be prohibitive.” Allowable costs for CMMC certification will be set out in supplier contracts.
The future of CMMC
CMMC is being rolled out over the next five years. The rollout will be phased, so the requirement for CMMC will be gradually introduced each year. Initially, the process will be piloted, with a small selection of programs in 2021 requiring CMMC compliance. At this early stage, CMMC compliance will focus on the storage or processing of CUI up to CMMC Level 3. CMMC Levels 4 and 5 will be rolled out as a requirement in the latter stages of this five-year period. After this point, CMMC will become an integral part of government contract procurement. The standards will be regularly updated to keep ahead of emerging cybersecurity threats.
How can you prepare for CMMC Compliance?
You may be asking, ‘what CMMC level do I need?’ This will be made clear in the RFI or RFP for the contract you are bidding on. You will then need to set out a roadmap to achieve the required CMMC level by the time of contract award, and the first step is to assess your baseline compliance.
With Nipper, you can accurately assess your cybersecurity compliance against 42 CMMC security practices across 9 domains. Nipper’s impact reports help you prioritize non-compliance issues and address risks efficiently. Reports provide detailed remediation advice and exact technical fixes for every risk found.
Nipper reports can be integrated into SIEMs and GRC systems, helping you track your compliance throughout the network.
Find out more about how Nipper can help you achieve CMMC compliance