Phil Keeney – Managing Director, Technology Solutions, Stambaugh Ness
The Cybersecurity Maturity Model Certification is one of the biggest compliance shake-ups currently making waves in the industry. The Department of Defense (DoD) has replaced its self-assessment model with one of the most stringent cybersecurity frameworks to date: the Cybersecurity Maturity Model Certification (CMMC). What does this mean for organizations wanting to do business with the DoD? Let’s take a look.
What is CMMC?
CMMC is a new cybersecurity maturity standard for DoD contractors. Specifically, CMMC is designed to ensure all DoD contractors have sufficient security controls in place to protect sensitive information.
It could be argued that the DoD was forced to release CMMC, as many contractors failed to properly implement the previous self-assessment model. Given that CMMC mandates a significantly higher standard of cybersecurity than its predecessor, it should reduce the risk of adversaries penetrating the systems of defense contractors.
Although currently not confirmed, there have already been rumors that — if successful — CMMC could be expanded to cover all government contracts in the future.
Who Needs to Comply with CMMC?
Anyone who wants to do business with the DoD will need to be certified under CMMC.
Subcontractors aren’t exempt. Every organization throughout the supply chain will need some level of certification. Currently, it’s assumed that the level of certification needed will vary by organization type and by the type of information held or transmitted. It may prove logistically and technologically complex to have multiple organizations involved with different levels of certification.
Once the standard is fully in force, the rule will be simple: No certification, no contract.
What’s Included in CMMC?
CMMC is a comprehensive compliance standard for cybersecurity. Based on industry best practice — and borrowing heavily from existing frameworks — the standard requires DoD contractors to establish and maintain controls across 43 cybersecurity capabilities.
Similar to existing frameworks, CMMC includes five levels of certification:
- 1. Performed. Requires the basic controls needed for essential cyber hygiene. This level of certification will be needed by contractors that hold or process mildly sensitive content such as Federal Contract Information (FCI).
- 2. Documented. Covers slightly more advanced controls required for ‘intermediate’ cyber hygiene. This level is largely based on the requirements of NIST 800-171. Contractors with this certification will hold or process FCI and possibly more sensitive content such as Controlled Unclassified Information (CUI).
- 3. Managed. Level 3 certification represents a moderate standard of cyber hygiene for an established organization and requires all 110 NIST 800-171 controls plus an additional 20 controls drawn from various sources. This level will be a requirement for the majority of DoD contractors that hold or process CUI.
- 4. Reviewed. Going beyond simple cyber hygiene, level 4 certification requires contractors to take a proactive approach to measuring, identifying, and blocking threats, including Advanced Persistent Threats (APTs).
- 5. Optimizing. To be certified at level 5, contractors will need to have a fully mature cybersecurity function across all 43 capabilities.
Note that the requirements for many capabilities increase as you progress through the five levels of certification. At the lower levels, many capabilities (e.g., threat monitoring) aren’t required at all.
What Level of Certification Will You Need?
Ultimately, all new DoD contracts will require bidders to achieve a specific level of certification. Existing DoD contractors have a little more leeway. It’s currently not known when the full framework will be enforced across all DoD contractors, but most guesses place it within 2-3 years. However, if you’re a current DoD contractor wanting to bid on new contracts, you’ll need to be certified.
To cut a long story short, if your organization is an existing or aspiring DoD contractor, you should begin preparing for CMMC certification immediately.
What Does the Certification Process Look Like?
At the current time, it’s not known exactly what the certification process will look like. Here’s a rundown of what we do know:
- There will be no self-assessment option. All contractors will need to be certified by an external assessor.
- The CMMC will accredit C3PAOs — CMMC 3rd Party Assessor Organizations — and individual assessors and maintain a public list of approved assessors.
- Contractors will pay a certified assessor to inspect their operations for compliance. This assessment will become part of the cost of doing business with the DoD.
- Exact costs have not yet been published. They will depend on factors such as the level required and the complexity of the contractor’s network.
To learn more about this topic, I hope you’ll join my session at the upcoming Digital Agility Summit on January 21, 2021. Find out more about the exciting agenda and register here.