The Cybersecurity Maturity Model Certification (CMMC) is a unified standard for implementing cybersecurity across the Defense Industrial Base (DIB), which includes over 300,000 companies in the supply chain. The CMMC is the Department of Defense’s (DOD) response to significant compromises of sensitive information located on contractors’ information systems. The DOD is now taking a supply-chain risk-management approach to improving cybersecurity. Multiple organizations are working to put the compliance and accreditation program in place. Businesses must plan and execute their compliance strategy in an uncertain environment; using FedRAMP accredited cloud services is one way to take advantage of the stated reciprocity arrangement between CMMC and FedRAMP to meet compliance objectives.
The CMMC measures an organization’s ability to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). In simple terms, CUI is information that the Government creates or possesses, or that any entity creates or possesses for or on behalf of the Government, and that requires safeguarding or dissemination controls according to and consistent with federal law, regulations, and government-wide policies.
FCI is information that is not intended for public release and is provided by or generated for the government under a contract to develop or deliver a product or service to the government.
CMMC incorporates pre-existing standards and regulations such as NIST SP 800-171, 48 CFR 52.204-21, DFARS clause 252.204-7012, and others into one unified set of cybersecurity best practices. DOD contractors have been required to comply with NIST SP 800-171 since January 1, 2018. However, over the past two years the DOD has grappled with a low rate of NIST 800-171 compliance across the DIB, and CMMC was created to remedy that systemic non-compliance by both primes and subs.
The DOD released CMMC Model version 1.0 to the public on January 31, 2020. It was drafted with significant input from University Affiliated Research Centers, Federally Funded Research and Development Centers, and industry. An updated version 1.02 was released on March 18, 2020, and per the CMMC Errata, all fifteen changes from the previous version were classified as “Administrative” changes (as opposed to “Substantive” or “Critical” changes).
The CMMC establishes five levels of certification that reflect the maturity level and reliability of a company’s cybersecurity infrastructure to safeguard sensitive government information on the contractor’s information systems. These five levels are tiered and built upon each other’s technical requirements. Each level requires compliance with the lower-level requirements and institutionalization of additional processes to implement specific cyber security-based practices. Practices range from basic cyber hygiene at Level 1 to advanced and progressive cyber hygiene at Level 5.
In parallel, the process levels range from simply performed at Level 1 to optimized at Level 5. It is important to note that DOD contractors must meet requirements for the level they seek in both the practice and the process realms. For example, a contractor that achieves Level 4 on practice implementation and Level 3 on process institutionalization will be certified at CMMC Level 3.
Below is an overview of the relevant processes and practices of each level:
Level 1: Basic Cyber Hygiene
This is a basic level requiring a company to perform “basic cyber hygiene” practices, such as using antivirus software or ensuring employees change passwords regularly to protect FCI.
Level 2: Intermediate Cyber Hygiene
At this level, a company is required to document certain “intermediate cyber hygiene” practices to begin to protect any CUI through the implementation of some of the US Department of Commerce National Institute of Standards and Technology’s (NIST’s) Special Publication 800-171 Revision 2 (NIST 800-171 r2) security requirements.
Level 3: Good Cyber Hygiene
A company is required to have an institutionalized management plan to implement “good cyber hygiene” practices to safeguard CUI, including all the NIST 800-171 r2 security requirements as well as additional standards.
Level 4: Proactive
At this level, a company must have implemented processes for reviewing and measuring the effectiveness of practices as well as established additional enhanced practices to detect and respond to changing tactics, techniques and procedures of advanced persistent threats (APTs). An APT is defined as an adversary that possesses sophisticated levels of expertise and significant resources that allow it to create opportunities to achieve its objectives by using multiple attack vectors.
Level 5: Advanced/Progressive Cyber Hygiene
This is the highest level where a company is required to have standardized and optimized processes in place across the organization and additional enhanced practices that provide more sophisticated capabilities to detect and respond to APTs.
All DOD contractors are required to obtain a CMMC certification. This includes all suppliers at all tiers including small businesses, commercial item contractors, and foreign suppliers. The CMMC Accreditation Body (CMMC-AB) will coordinate directly with DOD to develop procedures to qualify independent Certified Third-Party Assessment Organizations (C3PAOs) and assessors that will evaluate companies’ CMMC levels. The DOD predicts that it will begin to include minimum certification requirements in Requests for Information (RFIs) as early as June 2020 and in select Requests for Proposals (RFPs) in September 2020.
Until now, NIST SP 800-171 has dictated the cybersecurity standards that all DIB companies had to follow, and CMMC is built on the same foundation. Specifically, DFARS clause 252.204-7012 required that any company that accesses or stores CUI must self-assess its cybersecurity capabilities and self-attest that it meets all 110 security controls of NIST SP 800-171 or have a Plan of Actions and Milestones (POA&M) to do so.
One of the most significant changes from NIST 800-171 to CMMC is the shift from self-assessment to external assessment of cybersecurity compliance, which will now be conducted by Certified Third-Party Assessment Organizations (C3PAOs). Additionally, in the past, noncompliance with DOD cybersecurity regulations was acceptable as long as companies prepared POA&Ms outlining plans to address deficiencies; this will no longer be the case under CMMC. Companies will still need to complete System Security Plans (SSPs), although an SSP on its own will not satisfy CMMC requirements. CMMC also expands upon NIST 800-171 by supplementing that standard’s 110 security requirements. Specifically, Level 3 adds 20 new requirements that must be met to be CMMC certified. These additional practices are designed to support good cyber hygiene. It is important to note that, until CMMC is fully implemented per the timeline noted below, CMMC and NIST SP 800-171 mandates will coexist.
The DOD is aiming to add CMMC Level Requirements to DOD contract RFIs beginning in June 2020. CMMC Level requirements will be added to RFPs beginning October 2020, starting with an estimated 15 procurements for critical DOD programs and technologies, such as those associated with nuclear and missile defense. At that point, for those contracts, CMMC certification will be used as the basis for “go/no go” decisions. It is expected that approximately 1,500 primes and subcontractors will be affected in the first round of implementation and, likewise, will need to be CMMC certified by Fall 2021. The roll-out will continue over a five-year period, with the expectation that all new DOD contracts will include CMMC requirements by Fall 2026.
Getting ready for CMMC
To get started on the path to compliance, DIB companies need to determine whether they are handling CUI. Once they know where they stand and what type of information they are handling, they should identify the gaps between their current state and the level they need to reach, and create a POA&M for closing those gaps.
Companies handling only very basic information need to reach Level 1. For those handling CUI, the process is more in-depth: they need to determine whether the whole organization must be Level 3 compliant or whether an enclave approach is more appropriate, in which only part of the company needs to adopt a compliance solution. However, until there is final guidance from the CMMC-AB on the certification process, no managed service provider (MSP) can guarantee that you will meet CMMC criteria. While the controls for each level are known, it is not yet known how in-depth those controls will need to be to pass the audit and obtain the certification. By starting to prepare now, early adopters will most likely need only minor changes to their processes, putting them first in line for their certification audit.
Leveraging FedRAMP Reciprocity
The CMMC program has many similarities with the FedRAMP program for accrediting commercial cloud services for use by Federal Agencies. Using FedRAMP accredited commercial services such as Amazon Web Services (AWS), organizations can build robust, compliant solutions on the suite of security and management tools those platforms provide. The cloud security and compliance experts at stackArmor have developed a highly cost-efficient CMMC landing zone and security system that meets the CMMC security requirements. stackArmor has successfully helped both small and larger businesses develop CMMC compliant environments and prepared them for assessment and authorization.
stackArmor is an AWS Partner Network (APN) Advanced Consulting Partner specializing in FedRAMP, FISMA, and DFARS compliance on AWS and AWS GovCloud for Commercial organizations. As part of the ATO on AWS partner program, stackArmor offers a Cloud GSS (General Security System) called stackArmor ThreatAlert® that is specifically tailored to meet NIST SP 800-53 security requirements on AWS and AWS GovCloud.
The stackArmor ThreatAlert® solution includes the following key components: using FedRAMP authorized AWS services, stackArmor provides an integrated continuous monitoring and compliance solution that includes (1) technical controls, (2) system security plan documentation, and (3) managed services.
ISVs, SaaS providers, Federal Agencies, and Government Contractors can dramatically reduce the cost of achieving FedRAMP, FISMA, or DFARS compliance. Have questions? Contact us to schedule a free demo of our stackArmor ThreatAlert® solution.