2020 saw a lot of changes, and not just in the personal sector of our lives. At the beginning of the year, the US Department of Defense (DoD) – recognizing a growing need for increased cybersecurity – released a new certification system for all of its contractors and subcontractors. The Cybersecurity Maturity Model Certification (CMMC) is set to become a new standard by which DoD contractors are judged.
In this article, we will be looking in-depth at what the CMMC is, what it means for you, and how to start preparing to receive your certification so your organization is prepared for auditing when the time comes.
What is the Cybersecurity Maturity Model Certification (CMMC)?
The CMMC is a mandatory certification required for all DoD contractors and subcontractors. Essentially, it is the DoD’s way of ensuring that all their contractors have sufficient cybersecurity to reduce the risk of devastating cyberattacks targeting confidential information. Because the CMMC reassigns security monitoring to accredited third-party auditors, the DoD can comfortably trust that contractors and subcontractors have necessary cybersecurity measures in place.
The CMMC consists of five levels of cybersecurity maturity. Each level is assigned certain processes and practices that must be met to allow the contractor to work with certain types of information.
The purpose of the CMMC
With cyberattacks increasing every year, the DoD recognizes a need for increased cybersecurity to protect sensitive information. The CMMC is designed to ensure that all contractors and subcontractors privy to this information have a demonstrated mastery of necessary processes and practices to keep private information safe.
The CMMC is also intended to establish a common standard for cybersecurity that is consistent and reliable and can be used across various sectors. Additionally, it mitigates some of the risks associated with self-assessment and ensures – via third-party auditing – that contractors actually have the level of security they say they do.
Maturity levels
The CMMC uses five distinct levels of maturity to determine the scope of your cybersecurity and, thus, which projects you are eligible for. From the most basic level to the most advanced, they are as follows:
Level 1: Basic Cyber Hygiene
This level focuses on protecting Federal Contract Information (FCI). It is characterized by limited/documentable processes and 17 basic hygiene practices.
Level 2: Intermediate Cyber Hygiene
At this level, organizations must have an established process to document their practices and processes. This level requires a total of 72 hygiene practices.
Level 3: Good Cyber Hygiene
The third level of CMMC requires that the organization maintains a plan for managing and implementing practices, as well as protecting Controlled Unclassified Information (CUI). There are a total of 130 hygiene practices required for this level.
Level 4: Proactive
To achieve level four, organizations must review and measure their practices to determine their effectiveness and to resolve ineffective practices as they are discovered. There are 156 best hygiene practices associated with this level.
Level 5: Advanced/Progressive
The final level of the CMMC is concerned with protecting CUI from Advanced Persistent Threats (APTs) through optimizing and standardizing processes and utilizing all 171 hygiene practices.
You can determine the CMMC level you are required to certify by understanding what information your organization has access to. It is possible to improve your maturity rating over time as the CMMC must be renewed every three years.
Domains, capabilities, processes, and best practices
The CMMC is made up of 17 unique domains ranging from asset management and security assessment to physical protection and situation awareness.
Each of the domains is made up of a selection of processes and capabilities, which, in turn, inform the CMMC practices. The CMMC model contains 171 practices, which are divided among the five maturity levels. You can find a complete list of the CMMC domains, processes, and practices in the following CMMC document.
Proving your capability in each domain by demonstrating mastery of both practices and processes will help ensure better cybersecurity and allow contractors to achieve a certain CMMC maturity level.
Projected completion time
Obtaining a CMMC is not a quick and easy process. Depending on your current state of cybersecurity, you may find yourself needing to make comprehensive changes that may take months to successfully integrate. Even if your remediation is relatively simple, you should plan for the CMMC to take no less than six months, though completion time will typically fall between nine and 12 months.
While the DoD is allowing five years to completely roll out CMMC, it is important to remember that DoD contracts will start to include CMMC requirements in 2021 – so contractors who prioritize their CMMC will likely benefit immediately.
What does the CMMC mean for me?
Before the CMMC was rolled out, DoD contractors operated under the NIST 800-171, which allowed compliance readiness self-certification. Within the next five years, the DoD will require all members of the supply chain to remain compliant with CMMC standards.
There are three main differences between the CMMC and previous cybersecurity compliance practices:
- Self-assessment is no longer available. Instead, contractors must successfully pass a CMMC audit completed by a third-party accredited assessor.
- The CMMC is not optional. No contractor will be able to bid on new projects – and they may not be able to complete current projects – without the proper CMMC.
- Certification does not last indefinitely. No matter your level, each CMMC lasts for three years before it must be renewed.
As of 2021, all contractors and subcontractors must have at least a level 1 CMMC to bid on new contracts, continue to work on previously held contracts, or take part in the DoD supply chain. Higher maturity levels will give clearance to more sensitive military data, as well as demonstrate your organization’s competent cybersecurity practices.
Who is required to receive a CMMC?
All contractors and subcontractors working in the DoD supply chain will be required to maintain a CMMC and remain compliant with the outlined CMMC standards. However, not every organization will be required to maintain the same maturity level.
A 6-step approach to the CMMC
Outwardly, the process to achieve a CMMC may seem simple, yet it is important to note that no two organizations will have the same experience. Your current cybersecurity, future goals, resources, and more will play a part in how quickly and easily you obtain the CMMC.
That being said, most organizations will generally find themselves using the same approach to a CMMC certification.
Step One: Familiarize yourself with CMMC requirements and determine your desired CMMC maturity level.
Utilize online resources and identify which CMMC maturity level will be the best fit for your organization.
Step Two: Reach out for preparation assistance, if desired.
While not required, it may help to seek out a trained CMMC-AB professional for expert knowledge and guidance, which will help simplify and streamline the process.
Step Three: Create a gap analysis plan.
A gap analysis plan will help you determine if your organization is prepared for CMMC auditing. Your gap analysis plan should clearly outline your current level of cybersecurity and what you must do to achieve the desired maturity level.
Your gap analysis will help you create and implement a strategic plan that will bridge any identified security gaps.
Step Four: Perform any necessary remediation.
Working off of the findings in your gap analysis plan, take any necessary action required to close the gaps you have identified. Both the monetary and time costs associated with this step may vary wildly, depending on what remediation your organization requires.
Because your remediation plan will likely include policy, technology, and procedure resolutions, it is important to document any actions you take to close security gaps.
Step Five: Schedule and complete an audit with an accredited C3PAO.
Once you have closed the gaps in step four, it is time for your audit and assessment. To complete this step, you must engage a third-party auditor from the CMMC-AB Marketplace and schedule your assessment with a certified assessor.
Step Six: If necessary, resolve any findings.
Should the C3PAO’s certified assessor discover any gaps, you will have up to 90 days to resolve them.
Once your assessment is complete, the CCMC-AB will review it and, if the assessment is approved, they will grant your organization a 3-year CMMC.
A less stressful CMMC process
After many years of self-assessing your organization’s cybersecurity, implementing the new CMMC standards may seem like a daunting task. To that end, we offer four things every contractor should do to simplify the accreditation process.
1. Remain patient and flexible.
Remember that the CMMC is a relatively new change for everyone. As nearly 300,000 contractors scramble to become CMMC compliant, auditors are trained, and organizations struggle to understand the shifting scope of cybersecurity with new and confusing information, remember to remain patient.
2. Keep good documentation.
Many of the CMMC processes require extensive documentation – start early. Document each step of your progress as you implement your remediation plan, and continue to standardize and optimize cybersecurity throughout your organization.
3. Begin the process early.
It is important to act with urgency, but do not attempt to cut corners. Instead, give yourself ample time to become CMMC compliant. The longer you can demonstrate that your cybersecurity plan is operating effectively, the more trustworthy and credible you will seem, and the higher the maturity level you will be able to enjoy.
Even if you are not planning on bidding on any new projects soon, begin becoming CMMC compliant today. Not only will it make the process much less stressful, but it will also give your organization an edge over the others that are waiting until the last minute.
4. Outsource as necessary.
The simplest way to ensure compliance is often by outsourcing to a company that specializes in CMMC. These organizations will be able to help you better understand and apply CMMC standards. If you do choose to outsource, be sure to utilize a trustworthy professional as you will still be held responsible for your own cybersecurity.
Now is the time to prepare for your CMMC
Maintaining cybersecurity is imperative for organizations and contractors, especially those working with the DoD. While the new CMMC model may feel overwhelming, remember that planning wisely and beginning early is the best way to ensure you meet compliance standards, retain a competitive edge over other contractors, and mitigate a stressful change.
When it comes to CMMC, our final word of advice is this: don’t rush, but don’t wait!
Additional resources
https://www.acq.osd.mil/cmmc/docs/CMMC_ModelMain_V1.02_20200318.pdf