Back in 2019, the U.S. Department of Defense (DoD) announced that it was working on a cybersecurity policy that would standardize security controls in the Defense Industrial Base (DIB). The policy would establish that contractors who provide products and services within the DIB would be assessed and certified externally.
Over the course of the year, the DoD issued several drafts of the cybersecurity policy until it reached an acceptable form. On January 31, 2020, it publicly released the Cybersecurity Maturity Model Certification, version 1.0. This mouthful of words is commonly referred to as the CMMC. It mandated that, starting from January 2021, every DoD-related contract will include CMMC requirements that the contractors will need to maintain. A business that does not comply will not be able to officially obtain a government contract within the Defense Industrial Base.
Contractors need to assess their IT infrastructure and get CMMC-certified soon, or they will lose out on government contracts of considerable size. Companies that currently work with the DIB but are not CMMC-certified also risk losing contract work with the DoD. That is why it is important that businesses start to evaluate their cybersecurity infrastructure and consider having a managed service provider like Level 2 Designs assess their IT capabilities. You need to start preparing for CMMC requirements by learning what the CMMC is and what you need to do.
So, let’s take a step back. What is CMMC?
What is the CMMC framework?
The Cybersecurity Maturity Model Certification is a cybersecurity framework intended to strengthen the security practices used in handling government information. With over 300,000 companies in the DIB supply chain, the DoD aimed to establish industry standards that would help all companies involved with government contracts protect national security data. And instead of having companies state that they are handling the information properly, the framework requires third-party assessments to verify that proper protocol is followed.
In addition, the DoD wanted to increase penalties for non-compliance while also enforcing these standards across the defense supply chain.
The framework builds on the cybersecurity standards created by the National Institute of Standards and Technology Special Publication 800-171 (NIST SP 800-171) and the Defense Federal Acquisition Regulation Supplement (DFARS).
Currently, there is a strong focus on controlled unclassified information (CUI), federal contract information (FCI), and how that information exists on DIB networks. CUI refers to government-related information that requires safeguarding or dissemination controls, as identified in a law, regulation, or government-wide policy. Historically, CUI has been one of the most significant risks to national security, as there are fewer measures in place to protect it compared with classified information. FCI is information that is not intended for public release and is either created or provided by the government to develop or deliver a product or service to the government. This could be emails, diagrams, and other communication materials related to the contract that are not identified for public disclosure.
The CMMC comes as the government’s response to add more controls and processes that protect the sensitive unclassified information from threats.
Contractors will no longer be able to certify themselves in preparation for government contracts. Instead, they will be subject to third-party assessment and certification.
When Does It Take Effect?
The DoD projects that CMMC requirements will be included in all new DoD contracts starting in fiscal year 2026. Since summer 2020, the Department has been sending out a limited number of requests for information that include CMMC requirements.
The main components of the CMMC framework are domains, processes, capabilities, and practices. There are 17 domains involved:
- Access Control
- Asset Management
- Awareness and Training
- Audit and Accountability
- Configuration Management
- Identification and Authentication
- Incident Response
- Maintenance
- Media Protection
- Personnel Security
- Physical Protection
- Recovery
- Risk Management
- Security Assessment
- Situational Awareness
- System and Communications Protection
- System and Information Integrity
Across these domains there are 43 capabilities, numbered C001 through C043. Each capability is then broken down into practices and processes, and each practice or process is assigned to a level, ranging from Level 1 to Level 5. Practices are cumulative at each level: a contractor must be certified at each level (starting from Level 1) before moving on to the next. The higher your CMMC level, the more DoD contracts you can bid on.
Also, keep in mind that not all of the domains span all 5 levels. Each domain covers at least one level and at most all five.
Practice Numbering Methodology
Practice identifiers follow the pattern XX.#.***, where:
- XX = two-letter domain abbreviation (e.g., AC = Access Control)
- # = CMMC Level
- *** = Practice number
- Example: AC.1.001 = Limit information system access
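Tracking which practices apply to a target level is easier once the identifiers are parsed rather than handled as opaque strings. The following is an added example, not code from the original article or from the DoD; it parses the XX.#.*** format described above, applies the cumulative-level rule, and derives how many practices each level adds from the per-level totals stated later on this page (17, 72, 130, 156, 171). Only "AC = Access Control" and the identifier AC.1.001 come from the page; the full abbreviation table and the sample inventory are assumptions constructed for the example.

```python
import re
from typing import Iterable, List, NamedTuple

# Domain abbreviations. Only "AC = Access Control" appears on the page; the
# remaining entries are an assumption added for this example.
DOMAINS = {
    "AC": "Access Control",
    "AM": "Asset Management",
    "AT": "Awareness and Training",
    "AU": "Audit and Accountability",
    "CM": "Configuration Management",
    "IA": "Identification and Authentication",
    "IR": "Incident Response",
    "MA": "Maintenance",
    "MP": "Media Protection",
    "PS": "Personnel Security",
    "PE": "Physical Protection",
    "RE": "Recovery",
    "RM": "Risk Management",
    "CA": "Security Assessment",
    "SA": "Situational Awareness",
    "SC": "System and Communications Protection",
    "SI": "System and Information Integrity",
}

# Cumulative practice counts per level, as stated on the page.
PRACTICES_PER_LEVEL = {1: 17, 2: 72, 3: 130, 4: 156, 5: 171}

# XX.#.***  -> two capital letters, a level 1-5, a three-digit practice number
PRACTICE_ID = re.compile(r"^(?P<domain>[A-Z]{2})\.(?P<level>[1-5])\.(?P<number>\d{3})$")


class Practice(NamedTuple):
    domain: str
    level: int
    number: int


def parse_practice_id(practice_id: str) -> Practice:
    """Split an identifier such as 'AC.1.001' into its parts, rejecting malformed input."""
    match = PRACTICE_ID.match(practice_id.strip().upper())
    if match is None:
        raise ValueError(f"malformed practice id: {practice_id!r}")
    domain = match["domain"]
    if domain not in DOMAINS:
        raise ValueError(f"unknown domain abbreviation: {domain}")
    return Practice(domain, int(match["level"]), int(match["number"]))


def domain_name(practice_id: str) -> str:
    """Return the full domain name for a practice identifier."""
    return DOMAINS[parse_practice_id(practice_id).domain]


def required_at_level(practice_ids: Iterable[str], target_level: int) -> List[str]:
    """Practices are cumulative: every practice at or below the target level applies.

    Returns the matching identifiers sorted by domain, level and number.
    """
    if target_level not in PRACTICES_PER_LEVEL:
        raise ValueError(f"CMMC level must be 1-5, got {target_level}")
    selected = [
        (parse_practice_id(pid), pid.strip().upper())
        for pid in practice_ids
    ]
    return [pid for parsed, pid in sorted(selected) if parsed.level <= target_level]


def new_practices_at_level(level: int) -> int:
    """Practices a level adds on top of the level below it (page totals are cumulative)."""
    if level not in PRACTICES_PER_LEVEL:
        raise ValueError(f"CMMC level must be 1-5, got {level}")
    return PRACTICES_PER_LEVEL[level] - PRACTICES_PER_LEVEL.get(level - 1, 0)


# Constructed sample inventory. AC.1.001 is from the page; the other
# identifiers are made up for this example and are not real CMMC practices.
SAMPLE_INVENTORY = ["AC.1.001", "SC.4.199", "AU.3.045", "AC.2.005", "ir.1.090"]

if __name__ == "__main__":
    print("Required for a Level 2 bid:", required_at_level(SAMPLE_INVENTORY, 2))
    for lvl in range(1, 6):
        print(f"Level {lvl} adds {new_practices_at_level(lvl)} practices "
              f"(cumulative total {PRACTICES_PER_LEVEL[lvl]})")
```

Because the per-level totals on the page are cumulative, the derived increments (17, 55, 58, 26, 15) show where the biggest jumps in effort sit: moving from Level 1 to Level 2, and from Level 2 to Level 3, each adds more practices than Levels 4 and 5 combined.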
The level required for each government contract will be written as a requirement in the request for proposal (RFP).
The first two levels in CMMC mainly focus on FCI, while the higher three levels focus on both FCI and CUI.
CMMC Certification Levels
Level 1: Basic Cyber Hygiene (Performed)
(17 practices and processes)
A company must follow 17 practices and processes in order to receive Level 1 certification. These practices are considered basic cyber hygiene and refer to activities such as making sure your employees change their passwords regularly and using antivirus software. According to Katie Arrington, the DoD’s Chief Information Security Officer for Acquisition, “CMMC Level 1 is the basic cyber hygiene skills we should be doing every day. They are there to protect yourself, your company, and your own information.”
Level 2: Intermediate Cyber Hygiene (Documented)
(72 practices and processes)
A company must follow 72 practices and processes in order to receive Level 2 certification. Before a company can protect any CUI, they must perform intermediate cyber hygiene activities and then complete the proper documentation for such practices.
Level 3: Good Cyber Hygiene (Managed)
(130 practices and processes)
A company must follow 130 practices and processes in order to receive Level 3 certification. At this stage, the company has a good sense of their cyber hygiene practices and has created an institutionalized management plan accordingly.
Level 4: Proactive (Reviewed)
(156 practices and processes)
A company must follow 156 practices and processes in order to receive Level 4 certification. The company must have processes in place for assessing and measuring the effectiveness of its cybersecurity practices. At this level, it should be able to detect and respond to higher-level threats that adapt and change over time.
Level 5: Advanced (Progressive)
(171 practices and processes)
A company must follow 171 practices and processes in order to receive Level 5 certification. Once a company reaches CMMC Level 5, it must have the proper security procedures in place to detect and respond to sophisticated security threats. At this level, its processes are standardized and optimized, so that the entire company is prepared.
Benefits of CMMC Certification
So, what are the benefits of getting CMMC-certified? It sounds like another set of hurdles to jump through in order to conduct your business, right? It may seem like more work for your company, but it actually saves you considerable time and money in the end. The benefits of CMMC certification are:
- You can compete for Department of Defense contracts.
- Your company's IT security systems are better coordinated and managed.
- You can respond to cyberthreats more quickly and effectively.
With these main benefits, you can leverage your cybersecurity efforts as an important part of your business and a reason why customers should trust it. For more information about the CMMC update, contact the Level 2 Designs team at (877) 353-8352.