The Cybersecurity Maturity Model Certification (CMMC) for DoD Contractors is on the rise. Learn more about the CMMC framework and its compliance requirements.
At the end of 2020, around 18,000 private and government enterprises reported a sophisticated cyberattack on their security systems. Among those were the Defence Industrial Base (DIB) companies supporting the warfighter and contributing to the development of the US defense industry. Gaining access to confidential information held by DIB companies, hackers compromised the safety and security of the US Department of Defence (DoD) and the whole national defense sphere. The above case is not the only one when loss, modification, and disclosure of sensitive federal information has led to undercutting US national security. Therefore, to minimize cybersecurity risks within the DIB sector, DoD has developed a Cybersecurity Maturity Model Certification (CMMC) framework, which is upcoming to be adopted by DoD contractors.
Cybersecurity Maturity Model Certification (CMMC) is the security framework mandated by DoD to evaluate and enhance the state of cybersecurity within the Defense Industrial Base (DIB) sector. The framework is intended to become a verification mechanism ensuring that DIB organizations possess appropriate cybersecurity practices and processes to protect data within their environments. Thus, CMMC regulates the implementation of cybersecurity across the DIB sector. Any organization that holds DoD contracts or acts as a subcontractor should prepare for obtaining CMMC certification.
CMMC incorporates several practices and standards, but its key pillar is NIST SP 800-171. The other important references of the framework are NIST SP 800-53, National Aerospace Standard (NAS) 9933, and Computer Emergency Response Team (CERT) Resilience Management Model (RMM). Based on these references, the framework measures an organization’s cybersecurity maturity and controls to ensure that all necessary processes and practices are in place. The initial implementation of the CMMC for all DoD contractors is mandated through Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7021.
Before developing CMMC, specific cybersecurity requirements within DoD were identified by DFARS 252.204-7008 and 252.204.7012. The regulations required DoD contractors to adopt NIST’s necessary cybersecurity processes and standards (especially NIST SP 800-171) while not providing specific audit or certification requirements. The vague requirements resulted in slow and unsatisfiable adoption of DFARS (252.204-7008 and 252.204.7012) since most DoD contractors only managed to achieve a minimal level of cybersecurity hygiene practices.
Thus, to strengthen the security of data in the DoD sphere, the CMMC security framework was introduced. This framework is expected to be more effective than the previous approach because it requires a strict audit process and third-party certification as the primary conditions for CMMC compliance. Furthermore, the CMMC framework suggests better chances to ensure that the appropriate levels of cybersecurity protections and processes are in place.
CMMC is intended to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) within DIB companies’ networks.
Federal Contract Information (FCI) is the information provided by or generated for the Government under a contract to develop or deliver a product/service to the Government, which is not intended for public release. FCI does not include information provided by the Government to the public or simple transactional information. The basic safeguarding requirements for FCI are specified in Federal Acquisition Regulation (FAR) Clause 52.204-21. DoD contractors that process, store, or transmit FCI must comply with CMMC Level 1 practices.
The Controlled Unclassified Information (CUI) is the information that requires safeguarding or dissemination controls pursuant to and consistent with laws, regulations, and governmental policies. It involves information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government.
There are many specific categories and subcategories of the CUI that the Executive branch protects. The CUI Registry provides a complete list of those. We, however, show only some of the organization index groupings such as:
The basic safeguarding requirements for CUI are specified in NIST SP 800-171.
Thus, DIB companies that work with information from one of these categories must safeguard this information at an appropriate CMMC level.
The CMMC certification is obligatory for all DIB companies that work with CUI in cooperation with DoD. These companies are suppliers, small businesses, commercial item contractors that support the warfighter and contribute to the research, development, acquisition, production, delivery, and operations of DoD systems, services, and networks. Although CMMC certification is obligatory for all of these organizations, they might need different CMMC certification levels. When implementing CMMC, DoD contractors can achieve a specific CMMC level for their entire enterprise network or a particular segment, depending upon where the information to be protected is handled and stored.
The level of the CMMC certificate depends on the type and nature of the information used by the contractor. For instance, if the DIB company holds CUI, it must be certified at a minimum of CMMC Level 3. If the organization does not possess, store, or transmit CUI but possesses FCI, obtaining CMMC Level 1 is often enough. Businesses that solely produce Commercial-Off-The-Shelf (COTS) products are not required to be certified.
As we already described, CMMC measures an organization’s cybersecurity maturity and aligns a set of processes and practices with the type of information to be protected. All these processes and practices are organized into 17 domains and mapped across five levels. There is also a set of capabilities aligned to the required practices. The simplified hierarchical view of the framework is represented as follows:
Figure 1. CMMC Model Framework (Source: CMMC Version 1.02, p. 3)
The CMMC framework measures cybersecurity maturity with five levels. Each of the five levels consists of a set of processes and practices, as shown in Figure 2:
Figure 2. CMMC Levels (Source: CMMC Version 1.02, p.4)
Each of the CMMC levels is based on various considerations, including regulations, implementation complexity, type and sensitivity of the information, threats, costs, etc. The CMMC framework also provides means for improving the alignment of maturity processes and cybersecurity practices with the type and sensitivity of the information to be protected. In general, each of the CMMC levels can be characterized by its primary focus:
Level 1 focuses on the protection of FCI and requires organizations to perform safeguarding requirements specified in FAR Clause 52.204-21
Level 2 serves as a transition step in cybersecurity maturity progression from Level 1 to Level 3 and requires the safeguarding measures to be not only performed but also documented. The level relies on NIST SP 800-171 as well as practices from other standards and references.
Level 3 focuses on CUI and implements all the security requirements specified in NIST SP 800-171. The main steps on this level are establishing and maintaining a management plan for practice implementation.
Level 4 focuses on safeguarding the CUI from a set of Advanced Persistent Threats by reviewing and measuring the existing practices for effectiveness. It relies on the security requirements from Draft NIST SP 800-171B.
Level 5 involves the CUI protection as defined in the previous levels and requires adopting additional practices to increase the sophistication of cybersecurity capabilities.
The set of the processes and practices of the CMMC framework are cumulative, which means that to achieve a specific CMMC level, DIB organizations must demonstrate compliance with the preceding levels. Furthermore, both the institutionalization of processes and implementation of practices for each specific CMMC level must be demonstrated. If an organization demonstrates different achievements for processes and practices, it will be certified at a lower of two levels.
CMMC assessment and certification process may be only conducted by authorized and accredited third-party organizations (C3PAO). C3PAO, in turn, must meet all DoD requirements and achieve full ISO/IEC 17020 compliance. The complete list of C3PAO may be found on the CMMC-AB Marketplace website.
To obtain a CMMC certificate, DIB companies should select one of the C3PAOs, plan and coordinate the assessment procedure, and complete appropriate contractual agreements. After completing the assessment, the C3PAO provides an assessment report and, if no deficiencies are detected, issues the appropriate CMMC certificate. The CMMC certificate will be valid for 3 years. However, in case of severe cybersecurity incidents, the DoD program manager may direct a re-assessment.
Before scheduling a CMMC assessment and making an agreement with C3PAO, organizations are encouraged to complete NIST 800-171 self-assessment. Detailed guidance for CMMC is provided in CMMC Assessment Guides. DIB companies are also recommended to use NIST Self Assessment Handbook 162 as an additional aid while self-directing their certification initiative. The handbook details certification requirements for NIST SP 800-171 Rev. 2, which aligns with CMMC Level 3.
In-house preparation for CMMC certification is possible for DoD contractors who have the necessary IT staff and resources. Those who do not have enough capabilities to address the requirements of NIST SP 800-171 Rev. 2 or SP 800-172 are encouraged to outsource their compliance initiative to qualified security service providers such as Planet 9.
With an understanding that the requirements of DFARS 7021 regarding CMMC compliance cannot be retroactively applied to existing DIB contracts, the current DFARS 7012 requirements will be in place through 2026. In addition to this, DoD released a DFRS related Interim Rule in September 2020. The rule specifies the application of CMMC requirements on the initial round of CMMC audits. As for now, the DoD contractors must ensure their adherence to NIST SP 800-171 by conducting a strategic assessment which will become the bridge for future CMMC compliance.
Therefore, the CMMC framework allows non-federal organizations to evaluate, demonstrate, and enhance the protection CUI they hold. DIB companies who want to become reliable DoD partners are expected to align their cybersecurity processes and policies regarding CUI with all the standards and requirements that formulate the CMMC framework. All DIB companies should also remember that the importance of CMMC certification extends beyond the local cybersecurity or contractual dimensions and is becoming a mechanism for protecting national security in conditions of a constantly changing security landscape.
To be updated with further CMMC-related information, keep reading our blog or consult the Planet 9 team. We’ll be happy to assist: