The Cybersecurity Maturity Model Certification (CMMC) is a unified standard for implementing cybersecurity across the Defense Industrial Base (DIB), which includes nearly 100,000 companies in the supply chain. CMMC is the supply chain cybersecurity program managed by the Department of Defense’s (DOD) in response to significant compromises of sensitive information located on contractors’ information systems. The DOD is now taking a supply-chain risk-management approach to improving cybersecurity. Multiple organizations are working to put in place the compliance and accreditation program. Businesses must plan and execute their compliance strategy in an uncertain environment – leveraging FedRAMP accredited cloud services is a way to leverage the stated reciprocity arrangement between CMMC and FedRAMP to meet compliance objectives. If you are interested in learning about the CMMC Framework, leveraging FedRAMP reciprocity, and how stackArmor can help with FedRAMP and CMMC compliance acceleration, continue to read below.
About CMMC 2.0
CMMC 2.0 measures an organization’s ability to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). In simple terms, CUI is information that the Government creates or possesses or any entity that creates or possesses for or on behalf of the Government. It is information that requires safeguarding or dissemination controls according to and consistent with federal law, regulations, and government-wide policies.
FCI is information that is not intended for public release and is provided by or generated for the government under a contract to develop or deliver a product or service to the government.
CMMC incorporates pre-existing legislation such as NIST SP 800-171, 48 CFR 52.204-21, DFARS clause 252.204-7012, and others, into one unified set of cybersecurity best practices. DOD contractors have been required to comply with NIST SP 800-171 since January 1, 2018. However, it has been observed that in the past two years, the DOD has grappled with the low rate of NIST 800-171 compliance across the DIB, and CMMC 2.0 was created to remedy that systemic issue of non-compliance by both primes and subs.
The DOD released CMMC Model version 1.0 to the public on January 31, 2020. It was drafted with significant input from University Affiliated Research Centers, Federally Funded Research and Development Centers, and industry. The CMMC released an updated version 1.02 on March 18th, 2020, and as per the CMMC Errata, all fifteen changes from the previous version were termed as “Administrative” changes (as opposed to “Substantive” or “Critical” changes). Subsequently, in Dec 2021, the Department of Defense published CMMC 2.0 program guidance.
Understanding the CMMC 2.0 Framework
The CMMC 2.0 program establishes three levels of certification that reflect the maturity level and reliability of a company’s cybersecurity infrastructure to safeguard sensitive government information on the contractor’s information systems. These three levels are tiered and built upon each other’s technical requirements. Each level requires compliance with the lower-level requirements and institutionalization of additional processes to implement specific cyber security-based practices. Practices range from basic cyber hygiene at the foundational level to advanced and progressive cyber hygiene at Level 3.
The CMMC 2.0 continues to be based on NIST SP 800-171 and 800-172 for the purposes of security controls requirements.
Below is an overview of the relevant processes and practices of each level:
Level 1: Foundational
This is a basic level requiring a company to perform “basic cyber hygiene” practices, such as using antivirus software or ensuring employees change passwords regularly to protect FCI.
Level 2: Advanced
At this level, a company is required to document certain “intermediate cyber hygiene” practices to begin to protect any CUI through the implementation of some of the US Department of Commerce National Institute of Standards and Technology’s (NIST’s) Special Publication 800-171 Revision 2 (NIST 800-171 r2) security requirements.
Level 3: Expert
At this level, a company must have implemented processes for reviewing and measuring the effectiveness of practices as well as established additional enhanced practices to detect and respond to changing tactics, techniques and procedures of advanced persistent threats (APTs). An APT is defined as an adversary that possesses sophisticated levels of expertise and significant resources that allow it to create opportunities to achieve its objectives by using multiple attack vectors. This is the highest level where a company is required to have standardized and optimized processes in place across the organization and additional enhanced practices that provide more sophisticated capabilities to detect and respond to APTs.
All DOD contractors are required to obtain a CMMC certification. This includes all suppliers at all tiers including small businesses, commercial item contractors, and foreign suppliers. The CMMC Accreditation Body (CMMC-AB) will coordinate directly with DOD to develop procedures to qualify independent Certified Third-Party Assessment Organizations (C3PAOs) and assessors that will evaluate companies’ CMMC levels. The DOD predicts that it will begin to include minimum certification requirements in Requests for Information (RFIs) as early as June 2020 and in select Requests for Proposals (RFPs) in September 2020.
CMMC 2.0 vs NIST SP 800-171: What are the differences?
Until now, the NIST SP 800-171 dictated the cybersecurity standards that all DIB companies had to follow, and CMMC is also built on the same foundation. Specifically, DFARS clause 252.204-7012 required that any company that accesses or stores CUI must self-assess its cybersecurity capabilities and self-attest that it meets all 110 security controls of NIST SP 800-171 or have a Plan of Actions and Milestones (POA&M) to do so.
One of the most significant changes from NIST 800-171 to CMMC 2.0 is the shift from self-assessment to external assessments of cybersecurity compliance for Level 2 and 3, which will now be conducted by Third Party Assessment Organizations (C3PAOs). Additionally, in the past noncompliance with DOD cybersecurity regulations was acceptable as long as companies prepared POA&Ms outlining plans to address deficiencies, this will no longer be the case under CMMC. Companies will still need to complete SSPs (System Security Plans), although those too will not satisfy CMMC 2.0 requirements. CMMC 2.0 is based on NIST SP 800-171 and NIST SP 800-172.
CMMC Implementation: Timeline
The DOD is aiming to add CMMC 2.0 to DOD contract RFIs by 2025. The program roll-out is currently in the rulemaking phase.
Getting ready for CMMC 2.0
To get started on the path to compliance, DIB companies need to determine if they are handling CUI. Once they determine where they are and what type of information they are handling, they should determine the gaps between where they are and where they want to be and create a POA&M for how to get to where you are supposed to be.
For companies handling very basic information, they only need to get to a Level 1. For others who are handling CUI, the process is more in-depth. They need to determine if their whole organization needs to be Level 2 compliant or if an enclave approach is more appropriate, whereby only part of their company needs to embrace a compliance solution. However, until there is final guidance from the CMMC 2.0 PMO around the certification process, no MSP can guarantee you will meet CMMC criteria. While it’s clear that there are known controls for each level, it is not known how in-depth those controls will need to be to pass the audit and obtain the certification. But, by starting to prepare now, early adopter will most likely only need to make minor changes to their processes, ensuring they can be first in line for their certification audit.
Leveraging FedRAMP Reciprocity
The CMMC 2.0 program has many similarities with the FedRAMP program for accredited commercial cloud services for use by Federal Agencies. Using FedRAMP accredited commercial services such as Amazon Web Services (AWS), organizations develop robust compliant solutions leveraging the suite of security and management tools provided by such platforms. The cloud security and compliance experts at stackArmor have developed a highly cost-efficient CMMC 2.0 landing zone and security system that meets the CMMC 2.0 security requirements. stackArmor has successfully helped both small businesses as well as larger businesses develop CMMC 2.0 compliant environments and preparing them to be ready for assessment and authorization.
stackArmor is an AWS Partner Network (APN) Advanced Consulting Partner specializing in FedRAMP, FISMA, and DFARS compliance on AWS and AWS GovCloud for Commercial organizations. As part of the ATO on AWS partner program, stackArmor offers a Cloud GSS (General Security System) called stackArmor ThreatAlert® that is specifically tailored to meet NIST SP 800-53 security requirements on AWS and AWS GovCloud.
The stackArmor ThreatAlert® solution includes the following key components:
- An “in-boundary” FedRAMP compliant landing zone with an integrated security system meeting NIST SP 800-53 security control requirements including FIPS 140-2 compliant remote access; MFA authentication & authorization; boundary protection; continuous monitoring & SIEM (Security Incident Event Management); and segmentation for production data.
- Pre-filled FedRAMP templates and documentation including technical control descriptions, policies, and procedures (based on the shared responsibility model) for nearly 50% of the control requirements.
- Pre-ATO and Post-ATO managed security and compliance services to meet FedRAMP compliance requirements for continuous monitoring reporting and management.
Using FedRAMP authorized AWS services, stackArmor provides an integrated continuous monitoring and compliance solution that includes (1) technical controls, (2) systems security plan documentation, and (3) managed services.
ISVs, SaaS providers, Federal Agencies, and Government Contractors can dramatically reduce the cost of delivering a FedRAMP, FISMA, or DFARS compliance. Have questions about how we help compliance-focused customers with FedRAMP, FISMA, and CMMC compliance acceleration? Contact us to schedule a free demo of our stackArmor ThreatAlert® solution.