What is Cybersecurity Maturity Model Certification (CMMC)?
The Cybersecurity Maturity Model Certification (CMMC) is the Department of Defense’s (DoD) new program to assess and enhance the cybersecurity posture of the defense supply chain. The CMMC will be a certification process that will assess a defense contractor’s ability to protect sensitive government information and verify the implementation of cybersecurity requirements.
The CMMC will have five cumulative certification levels – ranging from “Basic Cyber Hygiene” to “Advanced”. Any company that wants to do business with the DoD, regardless of their current contracts or relationships, will be required to be certified by an independent third-party assessor.
Why was CMMC created?
It is about securing the DoD supply chain. Cybersecurity weaknesses in the defense supply chain are a threat to both national security and economic security. The CMMC program aims to improve the cybersecurity posture of companies throughout the defense industrial base (DIB) multi-tiered supply chain.
The vast majority of the 300,000 suppliers that make up the DIB are small- and medium-sized businesses. CMMC is being designed specifically for small suppliers as they are most vulnerable to cyber threats in the supply chain. These subcontractors are increasingly being targeted by nation-state attackers as they have limited resources to adequately secure their systems and safeguard sensitive customer data.
With the CMMC program, the Defense Department aims to establish a “unified cybersecurity standard” to enhance the protection of sensitive data, namely federal contract information (FCI) and controlled unclassified information (CUI), within the DIB supply chain. CMMC combines various cybersecurity standards such as the National Institute of Standards and Technology (NIST) 800-171, NIST 800-53 and others into one unified standard to secure the DoD supply chain.
CMMC requires an independent third-party assessment and certification process. This will replace the self-attestation process for NIST 800-171 compliance required by the Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012. Defense contractors will engage directly with a certified third-party assessment organization (C3PAO) to have their organization audited and certified.
All companies (prime contractors and subcontractors) conducting business with the DoD must comply with CMMC and achieve certification at the required CMMC level. The required CMMC compliance level will be specified in the Request for Proposals (RFP) and will be used as a “go” or “no go” criterion to bid on or receive contracts. Contractors will be required to meet the certification level at the time of an award. Prime contractors will be required to flow down the appropriate CMMC requirement to their subcontractors.
The CMMC Model
The CMMC framework has five defined levels, each with a set of supporting practices and processes. Practices range from Level 1 (Basic Cyber Hygiene) to Level 5 (Advanced/Progressive). In parallel, processes range from being performed at Level 1, to being documented at Level 2, to being optimized across the organization at Level 5. To meet a specific CMMC level, an organization must meet the practices and processes within that level and below.
Levels 1-3 include practices that are largely derived from security requirements within NIST SP 800-171 Revision 1, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.
Practices in Levels 4-5 are derived from security requirements within NIST SP 800-171B (draft), Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations: Enhanced Security Requirements for Critical Programs and High Value Assets.
The official CMMC version 1.0 framework was released in January 2020.
CMMC requirements will be part of DoD’s requests for information (RFIs) starting summer 2020.
CMMC requirements will be included in Requests for Proposals (RFPs) starting in fall 2020.
How can my organization prepare for CMMC?
It is not too early to start preparing. All defense contractors can take steps to get ready to meet CMMC certification requirements:
Assess and understand your organization’s current cybersecurity posture and identify vulnerabilities and compliance gaps against the CMMC framework and other security risk areas.
Plan and implement risk remediation activities, including developing policies and procedures, conducting security awareness training, and implementing the technical controls and cybersecurity processes needed to meet the CMMC standards.
Work with cybersecurity compliance experts early to identify and close any compliance gaps and get ready for your CMMC assessment.
How can Aristi help?
Aristi Technologies is at the forefront of CMMC program developments. We have extensive experience in cyber compliance standards including NIST SP 800-53, NIST 800-171 (the core of the CMMC framework), NIST Risk Management Framework (RMF) and Federal Information Security Management Act (FISMA).
Aristi specializes in working with small and mid-sized businesses, assisting not only with complying with cybersecurity requirements such as CMMC but also with improving your security posture to better defend against ever-increasing cyber threats.
Talk to us to learn how Aristi can help your organization get ready for CMMC compliance.