What Is the Cybersecurity Maturity Model Certification (CMMC)?
What is CMMC? CMMC stands for Cybersecurity Maturity Model Certification, a method of determining the cybersecurity standards of DoD contractors. Last year, the Department of Defense announced that companies bidding on defense contracts must meet the appropriate level of CMMC certification in order to work with the DoD on new contracts.
What is CMMC?
Cybersecurity compliance is more commonplace today than ever, and now government agencies are recognizing the importance of having strict compliance policies in place for themselves and their contractors.
The Cybersecurity Maturity Model Certification, while announced in January 2020, has been long in the making.
Since as far back as 2010, government officials and industry executives have been publicly expressing their concerns about the Government’s tolerance of contractors that consistently delivered “compromised” capabilities to the DoD and Intelligence Community.
The Mitre Corporation, a not-for-profit that is endorsed by and conducts research on behalf of the Government, concluded that, “There is no consensus on roles, responsibilities, authorities, and accountability … Improved cyber and supply chain security requires a combination of actions on the part of the Department [of Defense] and the companies with which it does business.”
In other words, the cybersecurity standards of the DoD and contractors it worked with were severely lacking.
As a result, Mitre recommended that the DoD build out its acquisition process by adding an additional “pillar” (security) to its existing pillars of cost, schedule, and performance.
That’s the reason we now have CMMC.
The DoD says that by fiscal year 2026, all new contracts will have CMMC requirements and those businesses that are not compliant will be ineligible to win contracts.
What Is CMMC Compliance?
The CMMC model is split into five distinct “Levels”, beginning with 1 and the highest level being 5.
Level 1 is the most basic level; with each ascending level, the requirements become stricter and more secure.
RFPs will state which level of CMMC compliance is required by the contractor.
CMMC compliance applies to the entire supply chain, though segmenting requirements for contractors and sub-contractors means that not every contractor has to abide by the exact same standards, even if they are working together on the same contract.
What Are the Levels?
Level 1: Basic Cyber Hygiene
Level 1 is focused on basic cyber protections. It is the foundation that all the other levels are built on and consists of the fewest practices, 17.
Level 1 has no process institutionalization (maturity) requirements; organizations are simply expected to perform the associated practices.
The areas that concern Level 1 are Access Control (AC), Identification and Authentication (IA), Media Protection (MP), Physical Protection (PE), System and Communications Protection (SC) and System and Information Integrity (SI).
Level 2: Intermediate Cyber Hygiene
Level 2 represents the second-biggest jump in complexity, adding an additional 55 practices for a new total of 72.
Unlike Level 1, Level 2 requires that compliance processes be documented, but not managed, reviewed or optimized.
Many domains are introduced here in a step up from the first level, with new areas to be considered including Audit and Accountability (AU), Awareness and Training (AT), Configuration Management (CM), Incident Response (IR), Maintenance (MA), Personnel Security (PS), Recovery (RE), Risk Management (RM) and Security Assessment (CA).
Level 3: Good Cyber Hygiene
Level 3 is the biggest jump in terms of the security practices that must be followed, with another 58 added for a total of 130.
Level 3 also requires that procedures be planned, managed and maintained.
It introduces two additional domains: Asset Management (AM) and Situational Awareness (SA).
Level 4: Proactive
Level 4 is about refining the cybersecurity processes that should now be in place. This level requires that cybersecurity policies and activities be reviewed and measured to determine their effectiveness.
There are an additional 26 practices that must be followed, predominantly in System and Communications Protection (SC) and Risk Management (RM).
Level 5: Advanced/Progressive
Like Level 4, Level 5 is about refining existing processes to give an organization the strongest protection it can achieve. Organizations are expected to standardize and optimize a documented approach in all areas across all applicable organizational units.
There are a final 15 practices that are required to be followed, most notably in Incident Response (IR).
What Level Is Required?
CMMC compliance is purposefully designed with the five levels so that subcontractors at the bottom of the supply chain don’t need to invest in compliance that is unnecessary for the data they are handling.
As noted above, prime contractors at the top of the supply chain will be those most likely to have to abide by the highest levels, 4 and 5.
Those companies lower down on the supply chain will more commonly find themselves having to comply with the lower levels of 1, 2, and 3.
Most businesses can reasonably expect to have to be compliant with Level 3 requirements, but it will be dependent on the specific DoD contract.
All DoD contractors and subcontractors will need to have passed a CMMC audit from a certified third party and prove their compliance with the appropriate standards moving forward.
This certification is good for three years. The only exemptions are for contractors producing commercial-off-the-shelf (COTS) items and for contracts valued at less than $35,000.
Companies bidding on new contracts will be expected to have the correct level of CMMC compliance, but for existing contracts companies will be given until September 2025—the last year of the four-year phased rollout—to comply.
I Am NIST 800-171 Compliant. Do I Need to Do Anything?
Yes, but it will be significantly easier for you.
CMMC compliance builds on what NIST 800-171 already requires, adding further controls on top of it.
Generally speaking, NIST 800-171 is roughly equivalent to Level 3, so businesses that already have this level of compliance will find it easier to make that step.
For reference, CMMC Level 3 includes 100% of the NIST 800-171 controls and adds a further 20 controls for a total of 130.
In short, if you are NIST 800-171 compliant, your organization will still have to ensure the additional controls are implemented in order to meet CMMC compliance.
Self-Certification Is Not Allowed
Self-certification is not permitted to determine CMMC compliance. Companies must have a third-party audit and certify that they are compliant at the right CMMC Level.
Also, CMMC does not allow for any open POA&Ms (plans of action and milestones): every control must be passed at the time of the assessment in order to earn the certification.
However, businesses are encouraged to complete a self-assessment in preparation for scheduling an assessment; guides for this can be found through the DoD.
What Should You Do Now?
The assessment guide from the DoD is 430 pages long, and understandably organizations may not have the time or patience to go through it page by page.
Therefore, it’s recommended to employ the services of an MSSP that specializes in compliance to get your business up to standard.
When you use a third party for compliance, they will perform a risk audit and gap analysis to get a comprehensive understanding of your current data controls and what needs to be done to be compliant with CMMC.
After that, an MSSP can be retained on a long-term basis to make sure you remain compliant while providing ongoing cybersecurity support to prevent breaches, letting you get on with running your business.
To learn more about how Impact can help with your CMMC compliance, visit our Compliance Services page and learn about our approach, team, and what you can expect from a partnership with us.