What is CMMC compliance?
The Cybersecurity Maturity Model Certification (CMMC) is a certification program developed by the US Department of Defense (DoD) to improve the cybersecurity of its supply chain. Certification is required for DoD contractors and subcontractors whose unclassified systems handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI); the required level depends on which of the two a contract involves.
CUI can include a variety of data, including:
- Financial data
- Intelligence data
- Legal data
- And more
By achieving CMMC certification, organizations can demonstrate to the DoD and their customers that they are taking appropriate steps to protect CUI and maintain the security of their systems.
CMMC 2.0 is a three-level framework that assesses an organization's cybersecurity practices against a fixed set of requirements drawn from FAR 52.204-21, NIST SP 800-171 and NIST SP 800-172.
What are the three levels of CMMC certification?
CMMC establishes three certification levels that indicate how mature and reliable a company's cybersecurity is, with the aim of safeguarding sensitive information that may reside on a contractor's information systems. Each level builds on the one below it and requires compliance with all of the lower level's requirements. The higher the level, the stronger the required protections, and the more additional cybersecurity measures a business must put in place to be certified.
Foundational: A company must perform basic cybersecurity practices such as limiting system access to authorized users, identifying and authenticating those users, and protecting against malicious code. The purpose of this level is to protect Federal Contract Information (FCI).
Note: FCI is information, not intended for public release, that is provided by or generated for the government under a contract to develop or deliver a product or service to the government. It does not include information the government has made public or simple transactional information.
Level 1 has 17 practices sourced from the 15 safeguarding requirements of FAR 52.204-21. At this level you perform an annual self-assessment and submit an annual affirmation of compliance.
Advanced: A company must implement and document intermediate cybersecurity practices to protect Controlled Unclassified Information (CUI). This means implementing all of the security requirements in the National Institute of Standards and Technology (NIST) Special Publication 800-171 Revision 2, with policies and procedures in place so that the practices are institutionalized rather than performed ad hoc.
Level 2 has 110 security requirements sourced from NIST SP 800-171 Rev 2. NIST SP 800-171 also lists 61 Non-Federal Organization (NFO) controls in its Appendix E; these are expected to be in place but are not separately scored, which is where the figure of 171 total controls sometimes quoted for this level comes from. For contracts involving CUI that the DoD considers critical to national security, a third-party assessment by a Cyber AB (formerly CMMC-AB) accredited C3PAO is required every three years, with an annual affirmation in between; some Level 2 contracts instead permit a triennial self-assessment.
Expert: A company must have standardized and optimized processes established across the organization, together with a process to review and measure the effectiveness of those practices. It must also implement enhanced practices that provide more sophisticated capabilities to detect and respond to the changing tactics and techniques of advanced persistent threats (APTs).
Level 3 has a maximum of 206 controls. It includes everything from Level 2 and adds a subset of the enhanced security requirements in NIST SP 800-172 (35 at the time of writing), which ones applying depends on the contract. A government-led assessment by the DoD's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) is required every three years.
CMMC applies to defense industrial base (DIB) businesses and their subcontractors that have unclassified networks that process, store, or transmit FCI (Federal Contract Information) or CUI (Controlled Unclassified Information). This includes small businesses and foreign suppliers that may not work directly with the DoD but provide a service or product to a contractor that does.
What Level of CMMC Certification Should my Business be at?
Any contractor whose systems handle CUI will need at least a Level 2 CMMC certification, since Level 1 protects only FCI. The DoD expects a large share of the DIB to fall into this category, and Level 2 is what protects controlled unclassified information end to end across the supply chain.
Smaller subcontractors that only sell parts or rent equipment to the prime contractor, and therefore receive FCI but no CUI, may be able to get by with a Level 1 CMMC certification. Always check the solicitation and contract (the DFARS 252.204-7021 clause states the required level) to make sure your business is meeting the right cybersecurity requirements before taking on the job.
What Can My Business Do to Ensure It Is Ready for CMMC Certification and Assessment?
There are several steps businesses can take to prepare for the CMMC certification requirements. Here is a quick rundown of actions your business should start taking now to make the transition easier:
Start Preparing Now: Clearly document all of your cybersecurity practices and procedures, including a System Security Plan (SSP) that describes how each requirement is met. Also make sure your employees understand the procedures and can adapt to new ones should your business need to obtain a higher certification level.
Engage With Experienced Partners: CMMC requirements flow down through the supply chain, so a prime contractor's compliance depends on its subcontractors being compliant too, and primes will expect proof. Blue Jean Networks can help you bring your cybersecurity practices up to date with the newest CMMC requirements and get you certified to the level that you need.
Keep Up With the Development of Assessment Challenges: Many contractors are concerned, and for good reason, about what happens should a certification level or assessment result be erroneous. This concern comes from the fact that a CMMC assessment has a significant impact on a business's ability to meet contract requirements, and a low CMMC rating could limit a contractor's ability to win work.
While there is not yet a settled due process for appealing a poor certification level or assessment result, the DoD has said that one is coming. Keep a record of all feedback from the assessor and provide feedback to the DoD on any proposed dispute procedures to help ensure that the process is adequate.
Make Sure Your Cybersecurity Process Is Flexible: When it comes to cybersecurity, there is no such thing as complete. As cyber threats change, the CMMC certification requirements will at some point become a minimum rather than a goal.
The DoD has already emphasized that CMMC certification is a starting point for transforming a contractor's internal cybersecurity culture to focus on preparing for evolving threats. Adopting that view should create a culture of cyber resiliency and flexibility within your business, help you compete better in the market for contractors, and reduce the risk of cyber threats to your business's and the government's sensitive data.
Integris can help you conform to CMMC by implementing the NIST SP 800-171 control families, including:
- Access Control
- Awareness and Training
- Audit and Accountability
- Configuration Management
- Identification and Authentication
- Incident Response
- Media Protection
- Personnel Security
- Physical Protection
- Risk Assessment
- System and Communications Protection
- System and Information Integrity
- And more!