New changes have been made to the cybersecurity requirements DoD (Department of Defense) contractors need to meet for compliance. Version one of the CMMC (Cyber Maturity Model Certification) model was released in January 2020 and all DoD contractors must be certified before they can bid on a government project.
This has led to some confusion among contractors. DoD CMMC certification has different requirements that are tier-based. Contractors must be level certified according to the type of CUI (Controlled Unclassified Information) they manage or handle. This is decided by the DoD. Once you know the level of CMMC certification you need, the next is to understand what is required for compliance.
In this guide, you’ll find information on the steps you need to take for CMMC certification. You’ll also understand why it’s important for DoD contractors to be in compliance.
What is CMMC DoD?
DoD contractors have been required to maintain specific cybersecurity protocols since the passage of DFARS (Defense Acquisition Federal Regulation Supplement) in 2015. It requires all private contractors working for/with the DoD have specific security measures in place that meet the standards set down in the NIST SP 800-171 framework.
The Cybersecurity Maturity Model Certification (CMMC) works with NIST SP 800-171 to ensure contractors have the appropriate level of security in place according to the type of controlled unclassified information they handle. CMMC is a tool that shows auditors that your organization is in compliance with the necessary regulations.
CMMC may be a tool that helps contractors meet regulations and stay in compliance. However, it is more than that. Non-compliance will be detrimental to an organization’s profit margin. Without the certification, contractors will not be permitted to bid on DoD projects. Before a bid can be submitted, the organization must pass the certification test for their assigned CMMC level.
Understanding the Five CMMC Levels
There are five CMMC levels, each one builds off of the other until the contractor is certified at the 5th tier. As previously mentioned, the DoD assigns contractors the level of security they need to meet to be certified.
Level 1 – Basic Cyber Hygiene
This level concentrates on if an organization is practicing basic cybersecurity hygiene. Certification requires that the contractor meet the requirements detailed in 48 CFR 52.204-21. The practices established in Level 1 are required to be met by all contractors and they set the foundation for the rest of the model.
Level 1 – and Level 2 – certification allows contractors to manage FCI. This is information that is intended for the government and not for public release.
Level 2 – Intermediate Cyber Hygiene
Level 2 certification requires an organization to use advanced security protocols capable of protecting data from cyber threats. At this tier, the contractor must be able to prevent more advanced treats than an organization rated Level 1. Documenting the security protocols implemented and maintained is also introduced at Level 2. This also includes plans and policies that outline the implementation of the security program.
Level 3 – Good Cyber Hygiene
When an organization is certified at Level 3 it will have implemented the security controls required under NIST SP 800-171. If the contractor has access to or generates CUI it should be Level 3 certified. This shows that the organization is able to meet most threats and keep information secure. However, organizations at Level 3 may find it difficult to fend off APTs. (advanced persistent threats).
If the contractor also needs to meet DFARS clause 252.204-7012 standards, where they will be required to document and report any cybersecurity incidents.
Level 4 – Proactive Cyber Hygiene
A strong and proactive cybersecurity program is required for Level 4 certification. The contractor can effectively protect CUI by consistently upgrading its security TTP (tactics, techniques, and procedures) that are employed against APTs. The organization is also required to document and review all security protocols for effectiveness. If any issues are discovered, upper management must be promptly notified.
Level 5 – Advanced and Progressive Cyber Hygiene
This is the top tier in the maturity model. Certification at this level shows that the organization is not only capable of protecting CUI, but it also has a cybersecurity program that changes to meet advanced threats. For certification, the organization must show that its security process is standardized across all networks. This includes any third-party associates.
As you can see, each lower level builds up until an organization has an advanced cybersecurity program and documentation to reach tier five certification. Once DoD contractors have determined the certification level it is time to prepare for the audit.
How to Prepare For a CMMC Audit
DoD contractors will want to prepare for a CMMC audit. This applies even for Level 1 certification. A self-assessment test – while not valid to be used for certification – will highlight any areas in a cybersecurity program that need to be addressed before the third-party audit.
The main area DoD contractors need to pay attention to are the controls outlined in NIST SP 800-171 Rev 1. If these controls are currently in place, the organization should be able to obtain certification up to CMMC Level 3.
Not all contractors are immediately ready to meet DoD CMMC requirements. In this case, an organization has two options. They can meet the standards in-house or work with a certified CMMC consultant like RSI Security. There are benefits to both options, though only one will be best for your business.
If you have the available IT personnel and resources, your organization can meet the CMMC requirements without having to outsource the project to a third-party consultant. Using an internal IT staff can save businesses money. There is a “Self-Assessment Handbook – NIST Handbook 162” that will guide the IT team. Unfortunately, it only covers NIST SP 900-171 Rev. 1, which is only valid up to CMMC Level 3. Currently, a self-assessment handbook for Rev. B is not available.
Organizations that need to meet the controls listed in NIST SP 900-171 Rev. B will need to contract an outside CMMC consultant.
The majority of DoD contractors find that it’s more effective to have an outside MSSP (Managed Security Service Provider) specializing in CMMC certification come in and help the organization meet compliance standards. There are several advantages to outsourcing the project to a consultant. This includes,
- Organizations can save time and money by getting and maintaining compliance standards.
- A consultant will have the necessary tools and documentation for Gap Analysis and a System Security Plan.
- Consultants will be able to perform any remediation steps that might be required for compliance.
- Have the documents to prove that compliance is reached and being maintained when the CMMC audit is conducted.
While both options can ensure that a DoD contractor is compliant and ready for a CMMC certification audit, bringing in an outside consultant is often the best choice. Organizations receive the documentation necessary to show that they have implemented security protocols and maintain them. If you do not meet compliance standards, the consultant is responsible instead of the organization. This can prevent non-compliance fines and other penalties from being leveled at the business.
DoD CMMC Readiness Assessment
Once the security protocols are in place and a DoD contractor is ready for the CMMC audit, the first step is to get a Readiness Assessment from a third-party MSSP consultant. The purpose of the assessment is to see how close or far away the organization is from meeting CMMC level standards. Some of the potential issues the assessments scans for are,
- Is access to information controlled and how is it limited?
- How are system administrators and managers trained, is it adequate?
- Are the data records securely stored and protected from breaches?
- Are all security controls and measures properly implemented?
- How are response plans to security incidents created and implemented?
This is why gap analysis is important. Without it, organizations won’t know what – if any – changes need to be made to their existing security protocols in order to be in compliance. While a gap analysis can be done in-house, bringing in a third-party consultant to conduct it can be more effective. A consultant can also help create a remediation plan to address the problems.
What is a CMMC Remediation Plan
The remediation plan is based on the results of the Readiness Assessment. The plan should address all issues that affect cybersecurity. It will include everything from small, inexpensive solutions to the network and/or the existing security protocols to more expensive ones that might require an entire reworking of the organization’s system.
A remediation plan not only points out problems within the security program it also simplified the process an organization needs to take to implement the changes. Everything is documented for quick and easy reference. Once the changes in the remediation plan have been implemented, the DoD contractor is ready to schedule the audit.
It’s important for DoD contractors to pass their CMMC audit. For some, it can mean the future of the organization. Without DoD CMMC certification organizations will not be allowed to bid on contracts. It also takes time for the certification process and there can be a waiting list for the audit. Creating and implementing the changes in a remediation plan can help ensure that a DoD contractor passes its first audit without any problems.
Important Dates DoD Contractors Need to Know
To avoid getting caught in a backlog of DoD contractors waiting for their CMMC audits, there are a few dates that organizations need to be aware of. These are the milestones that apply to the maturity model.
January 2020: A complete list of CMMC levels and the subsequent requirements for each one will be released. This includes the training materials auditors need to know to be accredited.
February – May 2020: Training starts for the first group of CMMC assessors.
June – September 2020: The first round of CMMC audits start for DoD contractors that have been identified at a specific level. These contractors will need to be CMMC certified before their bids will be accepted for a DoD project.
October 2020 and Beyond: All DoD contractors must be CMMC certified to bid on any new government project. The audit must be performed by an accredited assessor.
Failure to meet these milestones will result in a contractor’s ability to continue working for or with the Department of Defense.
CMMC DOD Certification Made Easy
All DoD contractors must be CMMC certified by October of 2020 if they wish to be allowed to bid on new government projects. This means that they must have adequate cybersecurity protocols in place, along with the necessary documentation. This can be done in-house by the organization’s IT team but outsourcing to an accredited MSSP is often more effective.
RSI Security helps businesses become NIST 800-171, DFARS, & CMMC compliant. Ensure your CDI or CUI information fully complies with regulations, contact us today.