A Guide to CMMC Compliance
The U.S. Department of Defense (DOD) introduced the Cybersecurity Maturity Model Certification (CMMC) as a method to determine if an organization meets the cybersecurity requirements for storing and handling sensitive data. Whether you are an existing or prospective member of the defense industrial base (DIB) or a managed service provider (MSP) with clients aiming to join the DIB, you will need to comply with CMMC.
Despite delays, controversies and changes, CMMC is here to stay. Understanding its intricacies and preparing your business for obtaining the necessary level of certification is critical to success. This blog is intended to help you do just that.
What is the CMMC?
CMMC is an initiative to measure and certify the cybersecurity capabilities, readiness and sophistication of existing or prospective defense contractors and subcontractors. It aims to ensure appropriate protection of controlled unclassified information (CUI) and federal contract information (FCI) that is stored and processed by any DOD partner or vendor. The CMMC model is based on best practices drawn from a variety of cybersecurity standards and regulations, including NIST Special Publication (SP) 800-171, the FAR, DFARS and ISO 27001.
What is the purpose of CMMC?
The sole purpose of CMMC is to verify that the information systems used by DOD contractors to process, transmit or store sensitive data meet a list of mandatory information security requirements. The DOD states that CMMC is a key component of the department’s effort towards improving the DIB’s cybersecurity against increasingly frequent and complex cyberattacks to safeguard sensitive data.
When did CMMC go into effect?
The DOD released CMMC version 1.0 on January 31, 2020, and stated that by September 2020 at least some organizations bidding for defense contracts would have to attain a basic level of certification. It is expected that CMMC will be a prerequisite for all new DOD requests for proposals by 2026.
What is the latest version of CMMC?
Shortly after its release, CMMC version 1.0 received pushback from small and midsize businesses (SMBs) over the complexity of the framework and the costs associated with compliance and third-party certification. SMB owners were concerned that the costs would eventually force them out of the DIB.
After an internal review of the public comments received on version 1.0, the DOD released CMMC version 2.0, a framework more streamlined than its predecessor. At the time of writing, the DOD expected CMMC 2.0 to go into effect in May 2023 and to begin appearing in DOD contracts by July 2023.
What is the CMMC framework?
The CMMC framework ranks the reliability and maturity of an organization’s cybersecurity infrastructure, focusing on the protection of sensitive data over three levels. The three levels build on each other’s technical requirements. You must comply with lower-level requirements before adding processes to comply with a higher level of certification.
Each level contains a set of practices (and, under CMMC 1.0, processes) scoped to the type, sensitivity and risk of the information that needs to be protected. While CMMC 1.0 had five levels of certification, CMMC 2.0 consists of only three levels.
Domains
Each domain represents a group of related security practices (for example, Access Control or Incident Response) that an organization must implement. An organization is certified at one of the three levels based on the practices it has implemented across all of its domains.
Practices
Practices are the individual security requirements an organization must implement to demonstrate a given level of maturity. Organizations that implement more advanced practices attain a higher level of maturity.
Processes
The maturity processes of CMMC measured the degree to which an organization had integrated its security practices into day-to-day operations, ensuring the practices were consistent, repeatable and continually improved. These processes were tied to the five maturity levels of CMMC 1.0; CMMC 2.0 has eliminated all of them.
Certification levels
Certification levels define the practices (and, under CMMC 1.0, processes) and the assessment procedures that DOD contractors must follow. The level required, the compliance mandates and the type of assessment depend on the sensitivity of the data an organization works with.
Assessments
Assessments scrutinize an organization’s IT network against the security controls needed for each level of certification. Depending on the certification level, an organization may need any of these three types of assessment:
- Self-assessment: An assessment run internally by the organization, typically following the NIST SP 800-171 self-assessment handbook and the DOD’s assessment guide for the target level.
- Readiness assessment by a registered provider organization (RPO): A gap assessment run by third-party consultants to help the organization prepare for an official assessment. An RPO advises and remediates; it does not issue a certification.
- Assessment by a certified third-party assessor organization (C3PAO): The official assessment conducted during the certification process. Only a C3PAO (or, at the highest level, the government itself) can certify an organization.
The CMMC 1.0 framework was built with four elements — domains, capabilities, practices and processes. These elements formed the five cybersecurity maturity levels, with Level 1 being the least mature and Level 5 the most mature. The framework listed a total of 171 practices across 17 domains.
CMMC Level 1: Basic Cyber Hygiene
Level 1 of CMMC 1.0 referred to the basic cyber hygiene of an organization needed to protect FCI. The requirements for this level (17 practices) were similar to the ones specified in 48 CFR 52.204-21 for “the basic safeguarding of contractor information systems that process, store or transmit Federal contract information.”
CMMC Level 2: Intermediate Cyber Hygiene
Level 2 consisted of a subset of requirements specified in NIST SP 800-171 and other standards. Attaining this level meant that the organization had established and documented the necessary policies and practices to easily replicate them and develop mature capabilities.
CMMC Level 3: Good Cyber Hygiene
This level focused on the protection of CUI and included all the security requirements listed in NIST SP 800-171, along with 20 additional practices. To gain this certification level, an organization had to establish and maintain a plan to demonstrate the set of activities needed to comply with CMMC.
CMMC Level 4: Proactive Cyber Hygiene
An organization could earn a Level 4 certification only after demonstrating the capability to review practices for effectiveness and take corrective action, whenever necessary. This level focused on protecting CUI from advanced persistent threats (APTs).
CMMC Level 5: Advanced Cyber Hygiene
At this level, organizations were expected to standardize and optimize processes across the organization with an increased focus on protecting CUI from APTs. They were mandated to implement all 171 practices to achieve this level of certification.
In November 2021, the DOD released CMMC 2.0 with the intention of reducing costs for SMBs and aligning cybersecurity requirements with other federal requirements. This security-first approach allows CMMC to be achievable and affordable for smaller organizations in the DIB.
CMMC 2.0 differs from CMMC 1.0 in the following ways:
- CMMC 2.0 has reduced the certification levels from five to three.
- With CMMC 2.0, the DOD has eliminated all maturity processes.
- CMMC 2.0 has dropped the 20 CMMC-unique practices that Level 3 of CMMC 1.0 added on top of NIST SP 800-171. The new Level 2 requires organizations to implement only the 110 security requirements in NIST SP 800-171 to securely store and share CUI.
- While the initial version did not allow plans of action and milestones (POA&M), CMMC 2.0 permits limited use of a POA&M for open 1-point requirements, which must be closed within a defined period. It does not permit POA&M entries for the higher-weighted 3- and 5-point requirements from the NIST SP 800-171 DOD Assessment Methodology.
- The latest version also allows waivers for certification (in very limited circumstances).
- The Level 3 of CMMC 2.0 goes beyond NIST SP 800-171 to accommodate controls from NIST SP 800-172.
- CMMC 2.0 focuses on practices across 14 domains, mirroring the 14 requirement families of NIST SP 800-171, instead of the 17 in the older version:
- Access Control
- Awareness and Training
- Audit and Accountability
- Configuration Management
- Identification and Authentication
- Incident Response
- Maintenance
- Media Protection
- Personnel Security
- Physical Protection
- Risk Assessment
- Security Assessment
- System and Communications Protection
- System and Information Integrity
CMMC 2.0 Level 1: Foundational
This is the minimum requirement for organizations to bid on defense contracts. The new Level 1 applies to organizations that access, process or store FCI only and do not handle CUI. It includes the 17 practices of 48 CFR 52.204-21 that must be implemented to secure FCI. Documentation of a formal cybersecurity program is not required. Level 1 contractors are required to perform an annual self-assessment and have a senior company official affirm their compliance.
CMMC 2.0 Level 2: Advanced
The minimum level required to protect CUI or covered defense information (CDI), Level 2 includes all 110 security requirements in NIST SP 800-171. Level 2 also requires a fully documented cybersecurity program. For contracts involving information critical to national security, an independent C3PAO assessment is required every three years; for a subset of programs handling less sensitive CUI, the DOD has indicated that an annual self-assessment with a senior official’s affirmation will suffice.
CMMC 2.0 Level 3: Expert
Even though the DOD is still developing the specific security requirements of Level 3, it has indicated that Level 3 will include all 110 NIST SP 800-171 requirements plus a subset of the advanced controls in NIST SP 800-172, and that Level 3 assessments will be conducted by the government every three years rather than by a C3PAO.
What is CMMC compliance?
Based on the type of data your organization manages or intends to manage, you must implement the security requirements of the certification level needed to either continue your current contract with the DOD or win a new one. Only once you have implemented those requirements and completed the required assessment have you achieved that certification level and, hence, complied with the CMMC framework. Understanding each certification level’s requirements can be quite challenging, but there is an easier way to do it.
Strictly speaking, the obligation in your contract is compliance with the Defense Federal Acquisition Regulation Supplement (DFARS), not with NIST SP 800-171 or CMMC 2.0 as such. The DFARS clauses in defense contracts are the binding requirements, and they are satisfied by implementing the security requirements in NIST SP 800-171 (and, once the CMMC clause is included, by holding the required CMMC level). To be precise, for the purposes of winning DOD contracts, you should not say that you are “in compliance with 800-171” or “in compliance with CMMC.” The accurate wording is that you are “in compliance with DFARS by implementing the security requirements in NIST SP 800-171 and/or CMMC.”
Therefore, if you are a defense contractor looking to start your CMMC compliance journey, you must begin by implementing the 110 security requirements stated in NIST SP 800-171. Start as soon as possible, since the journey can take a long time, possibly more than a year.
Who is required to be CMMC compliant?
Over 300,000 members of the DIB, including defense contractors, manufacturers and SMBs, must comply with CMMC. This includes prime contractors that engage directly with the DOD and subcontractors that perform fulfillment or execution for prime contractors. Lastly, any organization intending to join the DIB must comply with CMMC.
Maintain CMMC compliance with Compliance Manager GRC
Compliance Manager GRC is a valuable compliance management automation platform with a CMMC 2.0 management template that includes a NIST SP 800-171 assessment tool. The web-hosted and role-based solution includes automated data collection, an automated report generator and a vast library of IT controls you can use to create your own custom standards. It allows you to track and manage compliance with CMMC and any other standards at the same time and in the same place.
Here is a snippet of what Compliance Manager GRC can do to ease your CMMC compliance journey:
- Perform a Rapid Baseline Assessment to quickly determine how far along you or your clients are in the compliance journey and generate interim reports with updated and accurate information.
- Deploy non-intrusive data collectors to collect information needed to complete the assessment.
- Automatically create a variety of reports, including those required by the DFARS interim rule for NIST SP 800-171: the mandatory assessment scoresheet, the mandatory system security plan (SSP) and the POA&M documents.
- Generate a security risk assessment and management plan to remediate discovered issues.
- Compile evidence of compliance for each control, which can be directly accessed by DOD auditors.
- Help your organization or your clients prepare for CMMC 2.0 Level 1 or Level 2 assessments by bringing up the specific controls required for the specified level.
- Create ongoing evidence of compliance to help maintain adherence to CMMC and preserve a healthy audit posture.
Request a demo of Compliance Manager GRC now to make your CMMC compliance journey accurate, time-efficient and hassle-free.