In 2020, DoD (Department of Defense) contractors will be required to have adequate cybersecurity protocols in place. This is in response to several security breaches that have occurred in recent years. One of the most notable was the October 4th, 2018 breach that affected over 30,00 civilian and military contractors.
To prevent future data breaches private companies that handle CUI (Controlled Unclassified Information) will need to prove that they have adequate security protocols in place across all networks. This will require that the company is compliant with all CMMC levels ( Cybersecurity Maturity Model Certification) that apply to the data they manage. However, before DoD contractors and associates can be certified they need to understand the CMMC standards for the five levels.
What is CMMC
CMMC is designed to verify that all DoD contractors with access to CUI have adequate cybersecurity protocols across all systems and networks. This also applies to any DoD contractor’s third-party associates. It takes DFARS (Defense Federal Acquisition Regulation Supplement) a step further by discontinuing the process of allowing contractors to perform their own security audits. Contractors and their associates must hire a third-party certified auditor in order to meet CMMC requirements.
The Cybersecurity Maturity Model Certification is based on NIST 800-171. Organizations do need to be NIST certified in order to be in compliance with CMMC. However, this does not mean that organizations will automatically be CMMC certified. The requirements for the two are different, even though both deal with CUI security.
The simple definition of CMMC is to verify that the appropriate cybersecurity protocols are in place to protect CUI. It assesses the protocols required for NIST certification. There are five levels and each has a set of supporting processes and practices. An organization has to meet these processes and practices to be certified for that level.
Cybersecurity Maturity Model Certification Levels
As previously mentioned, there are five levels in the CMMC model. The government will determine the appropriate level needed for certification based on the contracts the company administers. Basically, the CMMC level is based on the type of CUI the company manages.
CMMC Level One concentrates on basic cyber hygiene and meeting the requirements in 48 CFR 52.204-21 – part of a federal act requiring basic safeguarding of covered contractor information.
Level One is the base of the cybersecurity maturity model certification levels and all organizations must pass it for certification. The audit for this level will check to ensure the requirements are performed. The basic cybersecurity protocols are those needed for FCI, these standards are also necessary for Level Two. FCI is contractual information regarding a product or service a civilian company is supplying to the government. The information about these products and services is not intended for public release.
This is also the only level where process maturity is not addressed. It only requires that the practices are implemented and maintained.
Like Level One, Level Two also manages FCI but it’s also the start of the maturity model. It focuses on intermediate cyber hygiene which requires a more advanced set of cybersecurity protocols. This gives an organization improved abilities to protect against security breaches.
To “pass” a Level Two CMC audit, an organization must document the established operational procedures, policies, and plans to implement and maintain the protocols. Once an organization passes the Level Two assessment they can bid on and obtain government contracts that require a higher level of cybersecurity.
A Level Three assessment will require an organization to have good cyber hygiene and implemented NIST SP 800-171 Rev 1 security requirements. If an organization wants access to CUI (Controlled Unclassified Information) it should pass a Level Three assessment. This indicates that the organization has the basic protocols in place to protect CUI.
Advanced Persistent Threats (APTs) can be a problem for organizations assessed at Level Three. The maturity model is designed to help companies plan, implement, and maintain the protocols. It also requires the organization to constantly review their adherence to security procedures.
It should be noted that some assessed Level Three companies may have to meet additional protocols if they are subject to DFARS clause 252.204-7012. This can include submitting incident reports to affected parties.
A company ready for a Level Four assessment will have a substantial cybersecurity system that is also proactive. This means that the company is able to adapt its security to meet APTs by changing TTP (tactics, techniques, and procedures).
CMMC Level Four process maturity expects the organization to review and document the effectiveness of the security system.
By the time a company is ready for Level Five Assessment the cybersecurity program is progressive or advanced. The company has also shown that the system is proactive. The company has also demonstrated that it can optimize their system to block APTs.
The maturity process for Level Five is for the company to ensure that the cybersecurity protocols are established throughout the organization.
The timeframe for CMMC assessment is tight. It gives DoD contractors little time to implement the security protocols necessary for the assessment. The official CMMC levels were released in January 2020, and DoD contractors must be certified by October 2020 to bid on new government contracts.
- January 2020: CMMC Levels and requirements will be released.
- February-May 2020: The initial round of assessors will be trained
- June-September 2020: Initial round of audits will begin for a select number of DoD Programs/RFI’s with the required CMMC Levels identified and contractors wishing to bid on those Programs will need to be certified to the required level in order to receive the RFP.
- October 2020 and beyond: DoD contractors will need to get certified by an accredited Assessor to bid on new work
Many DoD contractors are turning to cybersecurity companies like RSI Security to help them prepare for the upcoming audit.
Preparing for a CMMC Audit
It can take up to eight months for audit results. With the short timeframe, it is recommended that organizations have a third-party perform an assessment. It will consist of four parts, each one designed to help the company prepare for the CMMC Level Assessment.
- Readiness Assessment and Gap Analysis
- Remediation Plan
- Monitoring and Reporting
- System Security Plan (SSP)
Readiness Assessment and Gap Analysis
This step is designed to give DoD contractors a clear understanding of how close they are to meeting the standards for their CMMC Level. It will look at the processes outlined in NIST·
- How is data stored and access to information controlled?
- Are the incident response plans in place, current, and effective?
- Are the IT staff and other personnel adequately trained?
- How are security protocols implemented and maintained?
Once the readiness assessment is completed, the Gap Analysis will identify any areas that might be at risk and create a plan to resolve the issue.
A remediation plan is created to address any security gaps that were uncovered during the gap analysis. Its purpose is to correct the gaps so the contractor is CMMC compliant. There are five parts to the remediation plan,
- Create the activities necessary to address and resolve security issues.
- Allocate the resources required to mitigate problems and close security gaps.
- Create a timeline for the organization, with projected completion dates and milestones.
- Provide insights into how security vulnerabilities were uncovered.
- Description of risk levels, established priorities, and estimated remediation costs.
The information from the five parts should be documented for reference.
Continuous Cybersecurity Monitoring and Reporting
This step applies to contractors that are CMC compliant. The maturity model requires that systems are monitored for threats. Any detected threat should also be documented, along with response time to implement a “fix”.
Updated Security Plans
CMMC level compliance requires that any security changes be documented. Some of the information that should be documented can include,
- Company cybersecurity policies
- Employee security responsibilities
- Administration tasks
- Network diagrams
NIST 800-171 requires that if the SSP (system security plan) protects CUI information any security changes concerning each system or network with access to the controlled unclassified information must be documented. Some government contracts require a review of the updated SSP. Without documentation showing the updated security plans, the contractor might not be eligible for DoD business.
The first two steps need to be in place before a company is ready for a CMMC level assessment. The second two steps are designed to help an organization stay in compliance and progress through the Cybersecurity Maturity Model Certification levels.
What to Expect From a CMMC Level Assessment
By June 2020 the first CMMC level assessment will begin. Companies that prepared for the audit will find it easier to be certified for their level. However, even prepared organizations aren’t sure what to expect from an audit. According to the Office of the Under Secretary of Defense for Acquisition & Sustainment — Cybersecurity Maturity Model Certification
“Your organization will coordinate directly with an accredited and independent third party commercial certification organization to request and schedule your CMMC assessment. Your company will specify the level of the certification requested based on your company’s specific business requirements. Your company will be awarded certification at the appropriate CMMC level upon demonstrating the appropriate maturity in capabilities and organizational maturity to the satisfaction of the assessor and certifier.”
The DoD has confirmed several details that apply to a CMMC level audit. These include,
- All DoD Contractors will need to become CMMC Certified by passing a CMMC Audit.
- Passing the audit will validate they have met the appropriate level of cybersecurity for their business with DoD.
- Certification will become a requirement for any organization that wishes to hold the Department of Defense contracts or act as subcontractors on DoD-related projects.
- The DoD will employ certified third-party assessor organizations (C3PAO’s) to conduct audits on DoD Contractor information systems and verify that DoD Contractors have met the appropriate level of cybersecurity controls.
- Based on the audit results, contractors will be awarded the applicable certification (from Level 1-5) if they meet the requirements of 100% of the controls for that level.
- While 3rd party organizations will normally perform assessments, some of the higher-level evaluations may be performed by DoD assessors within the Services, the Defense Contract Management Agency (DCMA), or the Defense Counterintelligence and Security Agency (DCSA).
Simply put, there must be a third-party certified audit performing the CMMC level assessment. It cannot be done in-house. Adequate security protocols must be in place for the CMMC level the organization is applying for. Without CMMC certification, companies may not be able to bid on government contracts.
There isn’t a lot of time before all DoD contractors need to be assessed for their required CMMC level. The short timeframe has left many organizations with questions on how to prepare and what to expect during the audit.
Not only is RSI Security certified to perform a CMMC audit, but their certified personnel can also help organizations prepare for the assessment.