Losing Sleep Over CMMC? Read This.
CMMC Explained
The “Cybersecurity Maturity Model Certification,” or CMMC, will validate that contractors have adequate cybersecurity controls and policies in place to meet the security standards of the DoD. CMMC looks to be the next ‘big thing’ and is causing quite a buzz. However, unless you are shooting for the highest maturity levels, most of what is outlined in the CMMC is what most organizations should be doing already.
At its base (Levels 1-3), CMMC is NIST 800-171. NIST 800-171 is the National Institute of Standards and Technology standard governing the handling of “Controlled Unclassified Information” (CUI) in Non-Federal Information Systems and Organizations. The CMMC includes additional [maturity] controls that are not part of 800-171 in Levels 4-5.
The CMMC has levels, which are defined as follows:
CMMC Level 1 - Basic Cyber Hygiene
CMMC Level 2 - Intermediate Cyber Hygiene
CMMC Level 3 - Good Cyber Hygiene
CMMC Level 4 - Proactive
CMMC Level 5 - Advanced/Progressive
The DoD expects that the CMMC will help ensure that contractors can defend against current and future cyber-attacks.
Up to Level 3 should be very achievable for most mature organizations. If you are reading a security blog such as this one, it’s likely you already understand the need for a mature cybersecurity program (even if you don’t know how to develop one). If your organization’s security program is fairly new, or not quite where you’d like it to be yet, you still may be closer to complying than you might think.
The maturity component measures the institutionalization of security processes. Security processes will be expected to be “business as usual” and not project-based or ad hoc. Organizations will be expected to demonstrate practices that lead to process maturity. Process maturity measures the organization’s commitment to—and consistency in—performing these processes. Mature processes will be more likely to continue in spite of organizational changes (especially staffing).
No More Self-Assessments
One substantial difference between NIST 800-171 and the CMMC is that NIST’s SP 800-171 allowed for self-assessments. In order for companies to be awarded a certification at the appropriate CMMC level, government contractors will need to demonstrate to assessors and certifiers the appropriate capabilities and organizational maturity. A certified third-party assessment organization (C3PAO) must certify that the organization has the proper controls and processes in place to reduce the risk of specific cyber threats.
While this may seem daunting, I’m encouraged by the DoD’s decision to require an external review. Having reviewed many self-assessments over the years, I can say that they tend to be a little too… forgiving. Organizations should not shy away from second opinions on their security.
Who is Impacted?
If you are a government contractor who has access to non-classified DoD information, you will be required to comply with the CMMC. Chances are, organizations providing services to those contractors will also be expected to comply. Said differently, this is going to impact quite a few companies.
Organizations that are not government contractors (or third parties to those contractors) may opt to certify. Many organizations follow a control framework based on NIST 800-53; however, 800-53 does not have a formal certification process. That has led many organizations down the path of ISO 27001, which does provide a formal certification.
How to Get Certified
Companies have to decide the level of CMMC compliance to which they would like to certify. For many companies, that decision may be based on requirements of the DoD or a DoD contractor they conduct business with. Organizations must be audited by an accredited individual assessor at a C3PAO to achieve compliance. Third-party assessment organizations manage the assessment process for organizations seeking compliance with the CMMC and are authorized to hire and train individual assessors. They also review the results with the CMMC-Accreditation Body (AB) Quality Auditors.
The assessment will evaluate the security of the company against the CMMC standards and identify any gaps. Organizations have 90 days to address these identified gaps. At the end of the assessment, the CMMC certification will be public knowledge; gaps will not.
Full implementation of the CMMC is not required until 2025; however, it seems clear that the DoD wants companies to be more aggressive than that and to comply sooner, especially for new third parties.
Performing a gap assessment prior to attempting to certify would certainly help ensure that there are no gaps that cannot be remediated within the 90-day window. As mentioned above, I’d recommend companies do so with an independent assessment and not rely on self-assessment.
Resources to assist your compliance effort are available at the DoD homepage for CMMC: https://www.acq.osd.mil/cmmc/index.html.