Since 2018, the DoD has required NIST 800-171 compliance for certain DoD contracts. However, they’ve struggled with low adoption rates across the Defense Industrial Base (DIB), confusing auditing systems, and overall friction relating to compliance. In an effort to broaden compliance, simply adoption, and introduce third-party auditing (which was originally dismissed), the DoD introduced CMMC with STAR III in January 2020.
Recently, the first CMMC federal contract arrived with STAR III — a $50 billion contract for small IT businesses. What does this mean for future projects? What is CMMC? Lastly, how can your business get CMMC compliant?
The Cybersecurity Maturity Model Certification (CMMC) is a five-tiered cybersecurity standard that’s partially layered into Defense Federal Acquisition Regulation Supplement (DFARS) for DoD contracts. According to The Office of the Under Secretary of Defense for Acquisition & Sustainment, the CMMC was created to improve the security posture and maintain standards of the +30,000 companies that secure contracts from the DoD — making up the DIB.
Surprisingly, the DoD will leverage a third-party, non-profit accreditation body (i.e., The CMMC Accreditation Body)— something the DoD originally attempted to avoid with NIST 800-171. The CMM Accreditation Body website will intake applications from third parties for auditing and certification. The cost of this entire accreditation process will range due to varying network complexities (the DoD does say that the cost will be “an allowable, reimbursable cost and will not be prohibitive”). According to the DoD, only CMMC Third Party Assessment Organizations (C3PAOs) and individuals who have secured CMMC AB accreditation are allowed to perform assessments, so there is no self-assessment or DoD assessment process.
CMMC certifications are good for three years, and there will be no public posting of your success (or failure) to secure this accreditation. At this point, you’re probably wondering what makes CMMC different from the other DoD cybersecurity standards — specifically NIST 800-171. Well, it’s not really different. It’s an amalgamation of NIST 800-171 and a swarm of other standards.
CMMC Vs. NIST 800-171: What’s the Difference?
Both NIST 800-171 and CMMC have the same primary aim: protecting CUI in nonfederal systems. These are both standards created with contractors in mind, and they both cover many of the same areas. According to the DoD, CMMC levels 1-3 will encompass the security requirements (110 in total) specified in NIST SP 800-171. In addition, the CMMC incorporates security elements from a variety of other standards, including:
- NIST SP 800-53
- AIA NAS 9933 “Critical Security Controls for Effective Capability in Cyber Defense”
- Computer Emergency Response Team (CERT) RMM v1.2.
In addition, CMMC will address your company’s “institutionalization of cybersecurity processes” — something that NIST 800-171 didn’t cover.
STAR III and CMMC Compliance
Over the next 5 years, the DoD will incorporate CMMC into all of their projects. But we’re getting our first taste already. According to FedScoop, STAR III — a $50 billion contract for small IT businesses — is the first contract where the DoD specifies that they reserve the right” to require CMMC certifications. For many small businesses, this is a chaotic situation.
Earlier this year, the DoD clarified that progress towards CMMC hadn’t been halted by COVID-19. But they also emphasized that businesses falsely claim to be “certified CMMC testers”, despite no actual position existing. CMMC is a massive undertaking. Cybersecurity costs the U.S. economy around $1 trillion a year, and trying to create a unified standard for security posture across DoD contractors is certainly difficult. And the DoD is already ripping the bandaid off. CMMC is here to stay. STAR III is the first of many DoD contracts that will have CMMC compliance baked into the requirements. Technically, STAR III doesn’t specify CMMC requirements, but they certainly made a point of mentioning it.
Perhaps the most pressing question is: how will small businesses find the time, resources, and technical skills to implement and get certified for CMMC? Luckily, it’s not as hard as it sounds. Microsoft does the heavy lifting for you.
How to Get CMMC Compliant
Your business has to be certified by a CMMC Third Party Assessment Organizations (C3PAOs) to gain a CMMC certification. But what steps do you take to align to the CMMC cybersecurity standards? There are two ways you can align with these standards:
- Implement the +110 security controls and standards in your organization using ad-hoc software, an extensive IT team, and plenty of legwork.
- Use a CMMC compliant solution.
5 levels of CMMC
- 1 (Basic Cyber Hygiene): This first level is basically equivalent to FAR 48 CFR 52.204-21.
- 2 (Intermediate Cyber Hygiene): The second level requires you to comply with FAR, 48 of the 110 practices from NIST 800-171 r1, and 7 unique data hygiene practices.
- 3 (Good Cyber Hygiene): The third level requires you to comply with FAR, all 110 of the practices from NIST 800-171 r1, and an additional 20 unique data hygiene practices.
- 4 (Proactive Cybersecurity): The fourth level requires you to comply with FAR, all 110 of the practices from NIST 800-171 r1, 11 practices from NIST 800-171B, and another additional 11 data hygiene practices (again, these are cumulative).
- 5 (Advanced and Progressive Cybersecurity): The fifth level requires you to comply with FAR, all 110 of the practices from NIST 800-171 r1, 15 practices from NIST 800-171B, and another 11 cybersecurity practices.
Each of these levels grows rapidly in complexity. Level 1 involves limiting data access, antivirus software, authentication, and sanitization. Level 5 involves creating complex, systematic cybersecurity policies, and initiatives, including advanced responses to APTs (which are advanced threats with multiple attack vectors). Levels are cumulative, so level 3 includes all of the requirements of level 2.
Microsoft Commercial Office 365 contains the policy controls and solutions you need to meet CMMC Level 1. However, if your business wants to meet requirements for the later Levels, you will need to utilize GCC High. Currently, Microsoft GCC High is FedRAMP, NIST 800-53, and NIST CSF compliant. Microsoft has stated that its existing policies and frameworks will be CMMC compliant. Still, they said that they are following the evolving CMMC situation to ensure that they’re compliant across all vectors.
In a recent blog post detailing CMMC, Microsoft noted that they are currently mapping its existing cybersecurity controls and certifications with the CMMC controls that correspond with CMMC Levels 1-5,” and they suggest that they will be compliant (via GCC High) with CMMC Level 5. further, Microsoft is working towards making GCC High compliant with CMMC, which should be a rapid process.
Meeting CMMC Level 1 – 5 Requirements With GCC High
Agile IT is one of only 8 Microsoft AOS-G partners authorized to license, implement, migrate, and manage GCC High for contractors. We can help you create a robust, CMMC complaint ecosystem using Microsoft’s GCC High cloud solution. Contact us to learn how we can help you prepare your business for future DoD contracts.