
Cybersecurity Maturity Model Certification (CMMC): Tips for Compliance

Following a string of 83 data breaches in 2019 alone, the United States Department of Defense (DoD) established the Cybersecurity Maturity Model Certification (CMMC). The CMMC framework is a unified national standard for improving cybersecurity. Companies in the defense industrial base (DIB) must implement CMMC requirements in order to win contracts. Read on to find out how you can achieve compliance.

Introduction to the CMMC

CMMC is a cybersecurity standard created by the Office of the Under Secretary of Defense (OUSD) for Acquisition & Sustainment. It seeks to respond to cyber threats by standardizing the way that DoD contractors secure critical information.

To achieve CMMC certification, DIB companies must implement appropriate cybersecurity practices and processes to protect all Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) they process, store or transmit. Organizations are certified at a cybersecurity maturity level on a scale from one to five. The level determines how much trust the DoD places in the organization and, in practice, which contracts it is eligible to bid on: a solicitation states the level required, and a bidder without it cannot be awarded the work.

Under the existing DFARS clause 252.204-7012, contractors demonstrate their cybersecurity posture by self-attesting to compliance with NIST SP 800-171. Self-attestation proved a weak control: contractors claimed compliance they had not achieved, which led to False Claims Act cases, and high-profile compromises of the defense supply chain, the SolarWinds incident among them, showed how much exposure remained.

To improve cybersecurity, the CMMC now requires a CMMC third-party assessor organization to certify that contractors have met the cybersecurity requirements. The DoD plans implementation of the new CMMC requirements through a phased rollout with the additional requirements becoming effective in 2025, as discussed in more detail below.

To achieve compliance with CMMC requirements, organizations still need a thorough understanding of NIST SP 800-171, since the CMMC certification process uses that framework as guidelines to help measure system security, assess the maturity of a security program and provide a score.

Who must comply with the CMMC?

The CMMC maturity model applies to every company within the DoD supply chain, including not just those in the defense industrial base, but also those in procurement, construction or development. This includes prime contractors who interact directly with the DoD, as well as subcontractors who work with contractors to execute DoD contracts.

Size and relationship to a contract do not matter. There is no loophole for small businesses working on “minor” portions of a contract. Therefore, every contractor and subcontractor dealing with any form of defense information must prepare for a review of its cybersecurity practices. Failing to comply does not itself trigger a monetary penalty, but certification is a prerequisite to winning contracts, and falsely claiming compliance exposes a contractor to False Claims Act liability.

What types of data does CMMC protect?

The CMMC protects two types of data:

  • Controlled Unclassified Information (CUI) — Unclassified information that the government creates or possesses, or that a contractor creates or possesses on the government's behalf, and that a law, regulation or government-wide policy requires to be safeguarded or controlled. Examples include controlled technical information such as engineering drawings, export-controlled data, legal material, and personal information about federal employees and contractors, in paper or electronic form. To handle CUI, an organization must be certified at Level 3 or higher.
  • Federal Contract Information (FCI) — Information not intended for public release that the government provides, or that the contractor generates for the government, under a contract to develop or deliver a product or service. Simple transactional information, such as that needed to process payments, is excluded. Improper disclosure of FCI may expose the inner workings of DoD logistics and activities.

Handling only FCI requires Level 1 certification; Level 2 is a transitional step toward the Level 3 required for CUI.

CMMC timeline

Contractors have until 2025 to prepare their systems to handle FCI and CUI as required by CMMC. However, the Pentagon recently moved from deploying CMMC only in tabletop exercises to its use in the field through the award of 15 “pathfinder” contracts. This pilot program focuses on level 3 companies and their subcontractors; more companies must comply as the rollout proceeds.

What is the assessment methodology?

In September 2020, the DoD issued an Interim Rule (DFARS Case 2019-D041) that added two mechanisms to the program: the NIST SP 800-171 DoD Assessment Methodology, which scores a contractor's implementation of the 110 NIST SP 800-171 requirements and records the result in the Supplier Performance Risk System (SPRS), and the CMMC clause itself. Under this rule, assessment proceeds in two steps. Certification must be renewed every three years.

  • Step 1. The NIST SP 800-171 DoD Assessment Methodology is applied at one of three assessment levels: Basic (a contractor self-assessment), Medium or High (both performed by DoD assessors). The DoD selects the level based on the sensitivity of the information and programs involved. A Medium assessment reviews the contractor's system security plan; a High assessment adds on-site verification, so the contractor must give assessors access to facilities, systems and personnel. A contractor without a current assessment score in SPRS is not eligible for awards that involve CUI.
  • Step 2. A C3PAO assessment then verifies the practices and processes required for the level the company is seeking and assigns the company its CMMC maturity level.

CMMC Certification Levels (Maturity Levels)

There are five CMMC levels. Each level adds practices on top of the previous one and raises the bar for process maturity (whether the practices are merely performed, documented, managed, reviewed or optimized):

  • Level 1: Basic cyber hygiene — Level 1 covers 17 practices corresponding to the basic safeguarding requirements of FAR 52.204-21, such as limiting system access to authorized users, sanitizing media before disposal and controlling physical access. It protects FCI only. There is no process-maturity requirement: the practices must be performed but need not be documented.
  • Level 2: Intermediate cyber hygiene — Level 2 adds 55 practices for a total of 72 (65 drawn from NIST SP 800-171, a little over half of its 110 requirements, plus 7 from other sources). Auditing, media protection, backup and recovery, maintenance, and system integrity come into scope here. The major difference between Levels 1 and 2 is process maturity: at Level 2 the practices must be documented in policies and procedures, not just performed.
  • Level 3: Good cyber hygiene — Level 3 requires 130 practices: all 110 NIST SP 800-171 requirements plus 20 more. It is the minimum level for handling CUI. Processes must be managed, meaning the organization maintains a resourced plan covering awareness and training, incident response and the other domains, and has the means to carry it out.
  • Level 4: Proactive cyber hygiene — Level 4 adds 26 practices for a total of 156, drawn from NIST and other sources. Many of the additions concern vetting the security program itself: the company must regularly review and measure the effectiveness of its practices, revise them as needed, and keep higher management informed of issues.
  • Level 5: Advanced/progressive cyber hygiene — Level 5 adds 15 practices for a total of 171, focused on advanced threat detection and response, and is intended for companies whose CUI is a target for advanced persistent threats. Processes must be standardized and optimized across the organization. Companies at this level deploy more sophisticated controls such as anomaly detection and must be able to adapt their response as threats change.

CMMC framework components, levels and domains

Getting up to speed with the CMMC requirements requires an understanding of 17 domains. Fourteen of them correspond to the 14 requirement families of NIST SP 800-171, which in turn derive from the security areas of Federal Information Processing Standards (FIPS) 200; CMMC adds three more: asset management, recovery and situational awareness. Here is the complete list:

  • Access control — Know who has access to your systems and strictly limit access by job role.
  • Audit and accountability — Track users with access to sensitive data. Collect event logs and investigate the information for improper or suspicious activity.
  • Asset management — Maintain an inventory of hardware and software assets so that outdated or unauthorized technology cannot quietly become the path to a data breach.
  • Awareness and training — Provide regular training for employees on how to prevent breaches and how to respond if one occurs.
  • Configuration management — Establish baseline configurations that protect systems from unwarranted access, setting reasonable defaults to avoid exposing your company to threats.
  • Identification and authentication — Verify the identity of users, processes and devices before granting access, using practices such as multi-factor authentication, so that mission-critical information is not exposed to anyone who merely knows a password.
  • Incident response — Create a plan for quickly investigating, reporting on and resolving security incidents.
  • Maintenance — Regularly patch and upgrade technologies and facilities to minimize vulnerabilities.
  • Media protection — Identify and protect media that holds CUI, and establish procedures for sanitization and disposal.
  • Personnel security — Conduct appropriate personnel screening and background checks. Be ready to provide evidence that your CUI is protected during personnel actions like transfers or turnovers.
  • Physical protection — Protect your facilities, staff and systems from physical threats like unauthorized access, theft and damage.
  • Recovery — Set up a solid backup and recovery plan in the event of partial or total data loss.
  • Risk management — Periodically assess risks, develop strategies to counter them, and measure progress.
  • Security assessment — Assess security by reviewing previous audits, your risk management strategy, and other information.
  • Situational awareness — Implement real-time monitoring for your technologies and respond to threats appropriately.
  • System and communications protection — Monitor, control and protect communications at system boundaries and key internal boundaries, and use approved cryptography to protect CUI in transit.
  • System and information integrity — Identify and manage flaws in systems, find hazards, and review network security for potential issues.

How can I get CMMC certification?

All defense contractors will need an official assessment by a certified assessor working for an independent CMMC third-party assessor organization (C3PAO); the DoD does not accept results from any other auditor. The CMMC Accreditation Body maintains the list of accredited C3PAOs and certified assessors.

In general, a CMMC certificate is valid for three years. It is not made public, but it is recorded in DoD databases that contracting officers consult. Recertification is required when the certificate expires, or earlier if the DoD calls for a reassessment, for example after a significant incident.

A DIB company that suffers a cybersecurity incident does not automatically lose its CMMC certification. However, it must follow the reporting procedures it is already bound to under DFARS 252.204-7012: report the incident to the DoD through the DIBNet portal within 72 hours of discovery, preserve images of affected systems and the relevant monitoring data, and be prepared to provide a thorough report detailing how the incident occurred and what will prevent a recurrence.

How can I get ready for a CMMC certification audit?

A good guideline to follow when preparing for your audit is Executive Order 13556 together with its implementing regulation, 32 CFR Part 2002, which define the CUI program: what information qualifies as CUI, how it must be marked, and how it must be safeguarded across the executive branch.

More broadly, consider using the following high-level checklist:

  1. Get guidance from your contracting officer. Make sure you understand which CMMC level the contract requires and which of the data flowing to you is CUI or FCI.
  2. Audit your current data and technologies. Gather as much information as you can on the current state of your security, including user access controls, software being used and available security procedures. Identify where you store, process or transmit CUI and FCI.
  3. Build a solid plan. Next, create a CMMC compliance program based on the level of certification you seek. For example, companies seeking the higher maturity levels will want to harden their networks and segment the systems that store or process CUI into an enclave separate from the rest of their infrastructure, which also keeps the scope of the assessment small.
  4. Conduct a gap analysis. Assess your current cybersecurity maturity level and determine what you need to do to reach the appropriate level. Make the necessary changes based on the gap analysis.
  5. Implement your policy. Train your staff and set dates to assess your organization as a whole. Persistence is the key to hardening your systems and promptly spotting and blocking attacks.
  6. Hire a professional to oversee compliance. This individual will interact with your IT team to make sure all standards are met. They will also prepare evidence and documentation to prove that your organization is protecting CUI.
  7. Extend your review. Flow the requirements down: every subcontractor that will receive CUI or FCI must hold the CMMC level appropriate to that data before the information reaches it.

How does Netwrix help with CMMC compliance?

Using established best practices and understanding the compliance lifecycle is a good way to build a solid foundation for compliance with any standard, including the CMMC. With the Netwrix Data Security Platform, you can achieve, maintain and prove compliance with less effort and expense. You can automate processes like change, access and configuration auditing, ensure accurate discovery and classification of sensitive data, and get insights into your data and infrastructure security.

FAQ

What is CMMC?

Cybersecurity Maturity Model Certification (CMMC) is a standard established by the United States Department of Defense (DoD) to verify that the cybersecurity practices of defense contractors are strong enough to protect FCI and CUI. Rather than inventing new controls, CMMC draws on existing requirements such as FAR 52.204-21, DFARS 252.204-7012 and NIST SP 800-171, and adds third-party certification of compliance.

Who is subject to CMMC certification?

CMMC applies to every company within the DoD supply chain, including not just those in the defense industrial base, but also those in procurement, construction or development. This includes prime contractors who interact directly with the DoD, as well as subcontractors who work with contractors to execute DoD contracts.

How can I get CMMC certification?

You can get CMMC certification by being assessed by a CMMC third-party assessor organization (C3PAO) or one of its certified assessors. The DoD will release more details about how you can get certified as we get closer to the CMMC rollout in 2025.

Former VP of Customer Success at Netwrix. He has a diverse background built over 20 years in the software industry, having held CEO, COO, and VP Product Management titles at multiple companies focused on security, compliance, and increasing the productivity of IT teams.