The Cybersecurity Maturity Model Certification (CMMC) is here. As mentioned in other blog posts, without a single standard to govern all cybersecurity risks, industries and regulatory bodies are authoring and enforcing their own frameworks to address the specific needs of their given domains. It should come as no surprise that the Department of Defense (DOD) – the government agency charged with keeping the United States safe – would have their own set of standards for contractors, too.
And rightly so. The DOD currently maintains strict internal controls governing the security and management of Controlled Unclassified Information (CUI). However, audits have revealed third-party vendors often view these measures as optional after a defense contract is secured.
Consider the cliché about an organization only being as strong as its weakest link: If a third-party vendor has poor cyber hygiene and does not secure CUI properly, the vendor becomes a target for threat actors looking to access DOD data. In addition to real-world threats to national security, the reputational damage from a data breach can quickly morph into a company-ending event for the vendor.
With all that is on the line, the Cybersecurity Maturity Model Certification (CMMC) was introduced to ensure mature and adaptive cybersecurity controls are present along the DOD supply chain to help combat new and emerging threats. However, there is still a lot of confusion about what it is and who should hold the certification.
Making Sense of the Alphabet Soup
Before we go further: the United States Department of Defense is no stranger to acronyms, so it makes sense to expand several of them first. Where possible, links are provided to official government sources for fuller definitions, to save you a few internet searches:
- DOD: The United States Department of Defense
- CUI: Controlled Unclassified Information
- DFARS: Defense Federal Acquisition Regulation Supplement
- CMMC: Cybersecurity Maturity Model Certification
- CMMC-AB: CMMC Accreditation Body
- OUSD A&S: Office of the Under Secretary of Defense for Acquisition and Sustainment
- DIB: Defense Industrial Base
- FFRDC: Federally Funded Research and Development Centers
- POA&M: Plan of Action and Milestones
- COTS: Commercial off-the-shelf products
Who needs to complete the CMMC?
Does the CMMC apply to me?
Previously, the OUSD A&S evaluated vendors on key metrics such as cost, schedule, and performance. Security is now part of the evaluation process, since the OUSD A&S “recognizes that security is foundational to acquisition.” Because the CMMC framework evaluates the cybersecurity posture of the DIB and its subcontractors, the CMMC standards will affect more than 300,000 organizations worldwide, according to the DOD.
In short, contractors and subcontractors providing products and/or services to the DOD, now or in the future, will be required to attain CMMC certification to demonstrate their cybersecurity posture. That includes FFRDCs, manufacturers, and, of course, cloud service providers.
Companies that solely produce COTS products do not require a CMMC certification.
I’ve already completed my FedRAMP certification. Do I need this, too?
In interviews, Katie Arrington, CISO at the OUSD A&S, has mentioned planned reciprocity between FedRAMP and other certifications where a control was previously certified. In other words, if a FedRAMP control is in place that matches a control outlined in the CMMC, the vendor will receive credit for that control. Other established standards, such as ISO 27001, will receive similar treatment. However, organizations will still have work to do where the frameworks do not line up.
One example: FedRAMP has three levels of security designation (Low, Moderate, and High), whereas the CMMC has five, ranging from Level 1 (Basic Cyber Hygiene) to Level 5 (Advanced/Progressive). So, depending on the level of accreditation required for a contract, an organization may still need to certify a control that FedRAMP did not cover at the equivalent level. The CMMC-AB will most likely make the final call.
Another major difference between FedRAMP and CMMC is the treatment of POA&Ms. The POA&M is a key document in the security authorization package and in monthly continuous-monitoring activities. It lets a vendor identify known weaknesses and security deficiencies and describe the specific activities they will take in the future to correct them. In most instances, having a POA&M in place for a deficiency will not preclude a contractor from securing a contract. However, enforcing completion of the POA&M is typically left to the procuring agency, which is often ill-equipped or too understaffed to do so. Without enforcement, there is little incentive to ever close the POA&M.
The CMMC is different and aims to fix this. Per Arrington, the CMMC does not allow plans of action and promises “to get better” at some point in the future. It is binary: the control, and ultimately the contractor, is either compliant or not compliant. There is no middle ground.
However, there is some good news as it pertains to levels.
CMMC Levels
CMMC: Levels 1 – 5
If you plan on responding to DOD Requests for Information (RFIs) or Requests for Proposals (RFPs), the agency will specify the required compliance level. Contractors, however, can, and are encouraged to, be certified in advance. The CMMC has five levels, ranging from “Level 1,” where an organization must perform basic cyber hygiene practices but its process maturity is not assessed, to “Level 5,” where an organization has standardized and optimized process implementation across the organization.
Source: Department of Defense, Cybersecurity Maturity Model Certification (CMMC) Version 1.02
The levels encompass 171 cybersecurity practices spread across seventeen (17) domains:
- Access Control
- Asset Management
- Audit and Accountability
- Awareness and Training
- Configuration Management
- Identification and Authentication
- Incident Response
- Maintenance
- Media Protection
- Personnel Security
- Physical Protection
- Recovery
- Risk Management
- Security Assessment
- Situational Awareness
- System and Communications Protection
- System and Information Integrity
Although a close examination of each level is beyond the scope of this post, check back as we dig deeper into each level in future blog posts.
What are the advantages of obtaining at least Level 1 certification today?
If your eyes are rolling at being asked to complete yet another certification, there is an upside. In addition to having a strong cybersecurity program aligned with what aims to become a widely adopted standard, companies holding a CMMC certification will receive prioritization for government contracts, much like women-owned or veteran-owned organizations.
In the short run, the CMMC will be a competitive advantage for companies pursuing lucrative government contracts. The DOD is planning on having the rollout complete by 2025, when it will be the bar to even compete.
Moreover, the levels are cumulative: as you progress through them, work completed for an earlier level counts toward the next. Starting today on Level 1 or Level 2 gets you that much closer to the requirements of Level 4 or Level 5 in the future.
How can ControlMap help?
One of the main tenets of the CMMC is the principle of “certify once; use many.” For example, CMMC Level 1 contains practices that correspond to the basic safeguarding requirements in Federal Acquisition Regulation (FAR) clause 52.204-21, and CMMC Level 3 encompasses all 110 security requirements of NIST SP 800-171 (plus 20 additional practices).
Manually identifying overlapping requirements across independent frameworks so you can reuse your effort becomes cumbersome very quickly, especially when the evidence is scattered across many documents and spreadsheets. ControlMap and its crosswalk mappings identify work completed under other frameworks that is applicable to the CMMC. This saves your organization the time and money associated with completing the audit and demonstrates adherence to multiple frameworks, regulations, and control sets.
We encourage you to learn more,