The Department of Defense has just released Version 1.0 of CMMC, the Cybersecurity Maturity Model Certification program. It will provide the basis for ensuring compliance under DFARS (Defense Federal Acquisition Regulation Supplement). It replaces the Version 0.7 draft, which was released in December 2019.
The basics of CMMC
Exactly what is CMMC? It’s a certification process for companies in the Defense Industrial Base (DIB). It’s a standardized way to measure a DIB company’s ability to protect federal contract information and controlled unclassified information (CUI). Five levels of certification are defined, based on the processes and practices which an organization carries out. Contractors doing work for the DoD must get the certification, and their subcontractors have to as well. The defining document is available online.
Accredited third-party assessment organizations will carry out the certification. For many years, the DoD has required its contractors to maintain an appropriate level of security, but verification has relied on contractor self-attestation up to now. Starting in 2020, certification requirements will begin appearing in defense contracts. The higher the certification level a company holds, the more contracts it will qualify for.
Cyberattacks are a constant issue, and international espionage is a fact of life. Systematic certification will better protect information which is important to national security. While the details of the certification process haven’t been disclosed yet, the CMMC document states the requirements. Companies can start getting ready for certification now.
CMMC domain structure
CMMC uses a domain-based model. Most of its 17 domains originate from the security areas of FIPS 200 and the corresponding requirement families of NIST SP 800-171. Each domain includes one or more capabilities, and each capability includes at least one practice. Every practice is associated with a certification level. Most of the practices reference one or more standards for clarification.
Domains cover not only cybersecurity but physical and personnel issues as well. Required practices such as physical protection, accountability, and training are important, especially when qualifying for the higher levels.
A domain may not necessarily include practices at all five levels. To take a simple example, the Situational Awareness (SA) domain includes one capability, “Implement threat monitoring.” It contains one Level 3 practice and two Level 4 practices.
Most of the domains are more complex, with multiple capabilities containing required practices at all levels. The lower levels consist mostly of common-sense practices within the reach of most businesses. The highest levels require specialized personnel and around-the-clock readiness.
Relationship to security standards
CMMC didn’t develop its practices from scratch but rather brought together elements of well-established standards. They include:
- 48 CFR 52.204-21: Basic safeguarding of covered contractor information systems
- Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012
- NIST SP 800-171: Protecting controlled unclassified information in nonfederal systems and organizations
- United Kingdom Cyber Essentials
- Australia Essential Eight
Each of the five levels defines a set of supporting practices and processes. The higher levels include all practices and processes for the levels below them. All contractors need at least a Level 1 certification. Compliance at a given level may apply only to the parts of a business that do sensitive work for the DoD. The levels have the following requirements in brief:
- Level 1: All certified contractors need to carry out basic cybersecurity practices, as specified in 48 CFR 52.204-21. They have to meet physical protection requirements, including limited access, escorting of visitors, and audit logs. There are no process maturity requirements at this level; while security practices are necessary, the institutionalization of them isn’t mandatory.
- Level 2: Intermediate level cybersecurity is required at this level. It includes a greater emphasis on accountability, incident response, and limitations on access. The organization needs to establish and document policy, practices, and a plan at the institutional level for each applicable domain.
- Level 3: Organizations that have access to CUI or generate it need Level 3 certification. This level requires “good cyber hygiene,” meeting all 110 requirements of NIST SP 800-171 Rev. 1 plus additional practices. Processes need to have adequate resources supporting them, and activities need to be reviewed for adherence to policies.
- Level 4: The cybersecurity program needs to be “substantial and proactive.” This level emphasizes the prevention and mitigation of advanced persistent threats (APTs), adapting to changing attack tactics. Activities need to be reviewed for effectiveness, and management has to be kept aware of issues that arise.
- Level 5: The highest level requires an advanced cybersecurity program with the ability to optimize its capabilities. Process maturity needs to include standardization of activities and sharing of improvements across all units. Specialized personnel are necessary, including a security operation center and a cyber incident response team with 24/7 capabilities.
Implications for current contractors
The CMMC requirements apply not just to new contractors but to businesses working on existing contracts. Contractors will have six months after the publication of the requirements to obtain certification. Subcontractors also have to be certified.
A business should start with a self-assessment to determine where it falls short of its target level and fix whatever issues turn up. The more compliant a business is when it starts a certification audit, the smoother the process will be. Failure to get certified could result in the loss or suspension of existing contracts. New RFPs will be restricted to organizations that meet a specified certification level.
The process of obtaining certification is considered an allowable cost. Contractors will be able to recover the costs they put into improving their security and carrying out the certification process. For some companies, the best strategy will be to get a certification at a lower level quickly and then work on reaching a higher level.
Accredited third-party organizations will perform certifications. The process is likely to be complicated, especially for Levels 4 and 5, so a business needs to allow enough lead time and plan for a certain amount of disruption.
Agile IT has extensive experience in securing compliance with US government standards. As a Microsoft Partner, we assist in setting up Azure Government and Office 365 GCC High to be fully compliant with ITAR and with DFARS. Agile IT is one of only 8 AOS-G partners authorized to sell, migrate, and manage Microsoft’s GCC High environment to meet CMMC level 5. For more information, request a quote.