Preparing for the cybersecurity maturity model certification (CMMC)
DoD contractors have had it easy over the past few years because they were only required to self-attest to their implementation of the NIST SP 800-171 framework; no third-party validation was required. With the introduction of the Cybersecurity Maturity Model Certification (CMMC), things are changing.

Summary:

  • DOD migrating from NIST SP 800-171 to CMMC in 2020.
  • All companies doing business with the DOD must be Cybersecurity Maturity Model Certification (CMMC) certified.
  • All DOD contractors & subcontractors will receive a cybersecurity maturity certification score between 1 & 5, with 5 being the highest and most difficult to obtain.
  • The higher your score the more contract opportunities become available.
  • CMMC Version 1.0 to be released in January 2020.
  • Starting in June 2020 requests for information (RFIs) will begin to include CMMC.
  • Cybersecurity is now an “allowable cost”.

What is the Cybersecurity Maturity Model Certification (CMMC)?

CMMC stands for “Cybersecurity Maturity Model Certification”. The CMMC is a verification mechanism the DoD will use to determine the level of cybersecurity contractors have implemented to protect “controlled unclassified information” residing on their systems. CMMC is a replacement for NIST SP 800-171. No longer will a system security plan (SSP) and plan of action & milestone (POA&M) suffice to meet DOD cybersecurity requirements.

Does the CMMC program impact me?

If you provide services to the U.S. Department of Defense (DOD), then your company, along with the 300,000 other companies that make up the defense industrial base (DIB), is affected by CMMC. Whether you mow the lawn at a military base or are building the F-35, you will need to comply with the DOD's new cybersecurity requirements. Luckily, your cybersecurity requirements will be aligned with the security requirements of the services you provide to the DOD. More on this later in the article.

What is the difference between NIST SP 800-171 and CMMC?

The CMMC will combine cybersecurity control standards such as NIST SP 800-171 and ISO 27001 into one unified cybersecurity standard. CMMC will not only look into the implementation of an organization's cybersecurity controls; it will also assess the maturity of an organization's cybersecurity practices, something that the NIST SP 800-171 framework did not do. The new CMMC framework does, however, cover many of the same domains and controls that were previously required by NIST SP 800-171.

Cybersecurity Maturity Model Certification (CMMC) domains desired outcomes

When will the DOD require CMMC & who needs to certify?

Version 1.0 of the CMMC framework will be available beginning in January 2020. Starting in June 2020, CMMC requirements will be part of DOD requests for information (RFIs), and in Fall 2020 they will be included in RFPs. All companies "doing business with the DoD" must be CMMC certified, whether they handle CUI or not. By 2025 all ~300,000 companies in the defense industrial base will need to be certified if they want to work on DoD contracts. Certification will generally occur before your current contract cycle is over.

Cybersecurity Maturity Model Certification (CMMC) Timeline Schedule Infographic Desired Outcomes

How can my organization earn its Cybersecurity Maturity Model Certification (CMMC)?

CMMC certification involves an independent third-party non-profit organization assigning you a cybersecurity maturity level after it conducts a security assessment of your organization. You can no longer self-attest to become "compliant" with DOD cybersecurity requirements, as was the case in the past. Companies will receive a 1-5 certification rating, with 5 being the highest an organization can receive. The DoD is currently in the process of identifying third parties to carry out certification audits. Exactly how an organization can become CMMC certified will become clearer in the coming months.

What are the different Cybersecurity Maturity Model Certification (CMMC) levels?

There are five CMMC levels with 1 being the lowest and 5 being the highest (and hardest to achieve).

“Level 1: CMMC Level 1 focuses on basic cyber hygiene and consists of the safeguarding requirements specified in FAR 52.204-21. The Level 1 practices establish a foundation for the higher levels of the model and must be completed by all certified organizations. Not every domain within CMMC has Level 1 practices. At both this level and Level 2, organizations may be provided with FCI. FCI is information not intended for public release. It is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government. FCI does not include information provided by the Government to the public. While practices are expected to be performed, process maturity is not addressed at CMMC Level 1, and therefore, a CMMC Level 1 organization may have limited or inconsistent cybersecurity maturity

Level 2: CMMC Level 2 focuses on intermediate cyber hygiene, creating a maturity-based progression for organizations to step from Level 1 to 3. This more advanced set of practices gives the organization greater ability to both protect and sustain their assets against more cyber threats compared to Level 1. CMMC Level 2 also introduces the process maturity dimension of the model. At CMMC Level 2, an organization is expected to establish and document standard operating procedures, policies, and strategic plans to guide the implementation of their cybersecurity program.

Level 3: An organization assessed at CMMC Level 3 will have demonstrated good cyber hygiene and effective implementation of controls that meet the security requirements of NIST SP 800-171 Rev 1. Organizations that require access to CUI and/or generate CUI should achieve CMMC Level 3. CMMC Level 3 indicates a basic ability to protect and sustain an organization's assets and CUI; however, at CMMC Level 3, organizations will have challenges defending against advanced persistent threats (APTs). For process maturity, a CMMC Level 3 organization is expected to adequately resource and review activities adherence to policy and procedures, demonstrating management of practice implementation.

Level 4 & 5: At CMMC Level 4 and 5, an organization has a substantial and proactive cybersecurity program. The organization has the capability to adapt their protection and sustainment activities to address the changing tactics, techniques, and procedures (TTPs) in use by APTs. For process maturity, the organization is expected to review and document activities for effectiveness and inform high-level management of any issues as well as ensure that process implementation has been generally optimized across the organization. The updates to CMMC Levels 4-5 will be provided in the next public release."

The commentary for the above levels was directly quoted from CMMC version 0.6.

Cybersecurity Maturity Model Certification (CMMC) Levels

What happens if I don’t certify or I get a low score?

If you fail to certify, you simply won't be able to work on DOD contracts. If you earn a low score, the contracts available to you will be limited, as some contracts will only be available to organizations with higher scores.

The following statement from Katie Arrington, the special assistant for cyber in the Office of the Assistant Secretary of Defense for Acquisition should clear things up: “If you’re on a contract for boots and you’re the subcontractor who’s sewing the eyelets for the laces, you may not need state of the art cybersecurity,” she said. “We want them to have good cyber hygiene. We want them to protect their employees, their IP, but as far as the government, we should not be sending them anything more than the instructions on how to make the eyelet, and a level-one certification would be good enough. The prime contractor may need a level three, because they’re receiving controlled unclassified data that has to do with where the boots need to be shipped. The contract will have specific areas of work that will have specific levels of maturity that will be needed. That’s why we’re doing an entire reeducation of our contracting officers and program managers. We want them to really understand what security is going to cost, and why you need it.” (Source)

How do you start preparing for Cybersecurity Maturity Model Certification (CMMC)?

If your organization is still working on implementing the NIST SP 800-171 framework or another recognized cybersecurity framework, you should continue to do so, as the controls you are implementing will help you achieve a higher CMMC score. If your company does not currently process "controlled unclassified information" or any classified information as part of a DOD contract, you should begin implementing the 15 cybersecurity controls required by FAR 52.204-7012 (see our article on it). If your organization doesn't have a cybersecurity program in place, it's best that you get in contact with a cybersecurity consultant so that they can start building one for you. This is often the most cost-effective method available to small and medium-sized businesses.

Great news: Cybersecurity Maturity Model Certification (CMMC) is an allowable cost!

Meeting security compliance requirements is neither cheap nor easy. Luckily, the DOD will treat CMMC compliance as an "allowable cost", meaning that the costs of becoming compliant can be billed to Uncle Sam.

Conclusion

  • Begin preparing for 2020
  • Work towards improving your security program
  • DOD migrating from NIST SP 800-171 to CMMC in 2020.
  • All companies doing business with the DOD must be Cybersecurity Maturity Model Certification (CMMC) certified.
  • All DOD contractors & subcontractors will receive a cybersecurity maturity certification score between 1 & 5, with 5 being the highest.
  • The higher your score the more contract opportunities become available.
  • CMMC Version 1.0 to be released in January 2020.
  • Starting in June 2020 requests for information (RFIs) will begin to include CMMC.
  • Starting in Fall 2020 requests for proposals (RFPs) will begin to include CMMC requirements.
  • By 2025 all ~300,000 companies in the defense industrial base will be certified.
  • Cybersecurity is now an “allowable cost”.
  • CMMC Draft link: https://www.acq.osd.mil/cmmc/docs/CMMC-V0.6b-20191107.pdf
Article updated on November 10, 2019.
