Department of Defense contractors and subcontractors face a major change to their cybersecurity governance regulations. The current cybersecurity standard (NIST 800-171) is being updated into a new framework called CMMC.
The CMMC Accreditation Body recently recommended that the best place to start with CMMC is by becoming NIST 800-171 compliant. RSI Security provides NIST 800-171 assessments, so we brought our experts together to provide a comprehensive guide to achieving CMMC compliance. This guide includes understanding the basics of CMMC and outlines a phased approach to gaining the highest level of CMMC.
What is CMMC and who is it for?
CMMC stands for Cybersecurity Maturity Model Certification. CMMC is a new framework for organizations doing business with the Department of Defense (DoD). CMMC applies to any organization that stores, processes, and/or transmits either:
- Federal Contract Information (FCI)
- Controlled Unclassified Information (CUI)
The evolution of CMMC
CMMC evolved from the current NIST 800-171 standard. According to the DoD, malicious cyber activity is costly to the US economy. In 2016, malicious activity cost an estimated $57 billion to $109 billion[1]. It is about more than the money, though. Any loss of CUI has an impact on both national economic security and national security. It is the duty of the Defense Industrial Base (DIB) to reduce this risk through excellent cyber hygiene.
Other reasons for creating CMMC
The DoD believes CMMC will enhance the cybersecurity posture of the DIB. Two major aspects of CMMC that will help enhance the DIB’s cybersecurity posture are:
- Requiring third-party assessors to verify contractor and subcontractor compliance
- Defining the CMMC level on a contract-by-contract basis, because each level has a different scope of focus
Basic CMMC terminology and concepts
In order to understand CMMC, let’s go through the essential terms and concepts.
CMMC consists of domains, capabilities, and practices
Domains and Capabilities are a way to categorize the practices. A domain (e.g. Access Control) contains one or more capabilities (e.g. establish system access requirements) which in turn have one or more practices. Practices are the security controls, or the activities performed to ensure security. An example of one practice would be: “Limit information system access to authorized users[…].”
The CMMC processes
CMMC is more than practices; it also includes processes that apply to all domains. A process is how an organization ensures effective implementation of practice activities. Examples of CMMC processes are “establishing policies” and “documenting procedures.” CMMC is a maturity model: the applicable practices and processes increase at each level.
What is a maturity model?
A maturity model is a benchmark of best practices and standards. Maturity models often contain levels to evaluate progression. These levels are like sports leagues, where a baseball player is evaluated and placed into Double A, Triple A, or the Majors. Organizations test their current capabilities against the benchmark, then use the progression as a prioritized roadmap to reach their desired level.
The five levels of CMMC
CMMC contains five levels of maturity. Each level adds practices and processes on top of the previous one, because each level has a unique focus.
- Level one focuses on the basic safeguard of Federal Contract Information (FCI).
- Level two is a transition step to protecting Controlled Unclassified Information (CUI).
- Starting with level three, an organization will be ready to protect CUI. Levels 3 – 5 increase their protection by adding practices and processes.
- Levels four and five have requirements focused on reducing Advanced Persistent Threats (APTs). APTs are attacks sponsored by nations or very large organizations.
How practices and processes build at each level
Figure A - Total number of practices (in purple) at each level; documented processes required at each level.
Figure A demonstrates how many practices and processes exist within each level. CMMC has a total of five processes. Level one requires minimal to no maturity in processes. Level five requires optimized processes across the entire organization.
Implementation of practices and processes
While progressing through the levels, any new process added needs to cover previously implemented practices. For example, level one does not include documented policies. Level two will require documented policies for all level one and level two practices, a total of 72 practices. In level three there are 58 practices added. Documentation started in level two will now need to include the new practices.
Determining level certification
An organization must follow all related practices and processes to certify at a given level.
Example: An organization implements all level three practices. The documentation is only for level two processes, and not the level three managed plan. The organization is then only eligible for level two certification.
How to prepare – a phased approach
Preparation should follow the maturity model, using the same three steps at each level:
- Assess practices & remediate as needed
- Document processes
- Level up
If an organization is working on NIST 800-171 compliance, a similar approach should be used focusing on the 110 CMMC practices that map to NIST 800-171. These are found in levels one through three.
Start preparation for CMMC with Level One
Using the phased approach described above, start by assessing all 17 practices included in level one. Level one does not require documentation, but consider using this small subset of practices to start documenting policies and procedures. That way it serves as a warm-up before documenting all 72 practices in level two.
How to assess compliance
First, go through all practices and determine which are applicable to the organization. Next, determine the state of each applicable practice: is it in full compliance, partial compliance, or non-compliance?
To assist with making these determinations, use the following resources:
- For practices that map to NIST 800-171 there is a “Self Assessment” reference guide: https://nvlpubs.nist.gov/nistpubs/hb/2017/NIST.HB.162.pdf
- For a deeper level of information, use the following NIST 800-171 document which outlines the assessment objectives for each requirement: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171a.pdf
- CMMC provides information that goes into great detail about each practice. CMMC Model v1.0 Appendices PDF – Appendix B: https://www.acq.osd.mil/cmmc/docs/CMMC_Model_Appendices_20200203.pdf
- And of course, security advisory and consultant services can help
Create a remediation plan for any practices not assessed at “Full Compliance.” This is best documented in a “Plan of Actions & Milestones” (POA&M) type document.
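The assessment states above and the certification rule from “Determining level certification” (all practices and processes at a level, and every level below it, must be satisfied) can be expressed as a small decision routine. This is an added illustration, not part of the original guide or any official CMMC tooling; the practice identifiers and the per-level process mapping are constructed from this page’s description.

```python
from dataclasses import dataclass
from enum import Enum


class State(Enum):
    FULL = "full compliance"
    PARTIAL = "partial compliance"
    NONE = "non-compliance"
    NA = "not applicable"   # scoped out during the applicability pass


@dataclass(frozen=True)
class Practice:
    pid: str      # constructed identifier, e.g. "L2-7"
    level: int    # CMMC level that introduces the practice (1..5)
    state: State


# Processes each level adds, as described on this page (level one adds none).
PROCESSES_BY_LEVEL = {
    1: (),
    2: ("documented policies", "documented procedures"),
    3: ("managed plan",),
    4: ("review process",),
    5: ("standardized procedures",),
}


def certifiable_level(practices, processes_in_place):
    """Highest level whose practices and processes, plus those of every lower
    level, are all satisfied. Partial compliance fails: POA&Ms are not accepted."""
    level = 0
    for lvl in range(1, 6):
        practices_ok = all(p.state in (State.FULL, State.NA)
                           for p in practices if p.level == lvl)
        processes_ok = all(proc in processes_in_place
                           for proc in PROCESSES_BY_LEVEL[lvl])
        if not (practices_ok and processes_ok):
            break          # a gap here blocks every higher level too
        level = lvl
    return level


def poam_items(practices):
    """Practices still needing remediation, ordered by level for the POA&M."""
    gaps = [p for p in practices if p.state in (State.PARTIAL, State.NONE)]
    return [p.pid for p in sorted(gaps, key=lambda p: (p.level, p.pid))]


if __name__ == "__main__":
    # Constructed sample reproducing the page's example: level 1-3 practices
    # all implemented, but only the level-two processes documented.
    sample = [Practice(f"L{lvl}-{i}", lvl, State.FULL)
              for lvl in (1, 2, 3) for i in range(3)]
    print(certifiable_level(sample, {"documented policies", "documented procedures"}))
```

Running the sample prints 2, matching the guide’s example: level three practices without the level three managed plan earn only level two certification.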
How to document policies
The first process to put in place is “documented policies.” CMMC defines a policy as a high-level expectation for planning and performing. A policy should include:
- A clearly stated purpose;
- Defined scope (ex: enterprise, department, information-system wide/specific)
- Defined roles and responsibilities of activities/practices covered
- Procedures to carry out and meet the intent
- Regulatory guidelines the policy addresses
- Senior management’s signature(s)
How to document practices as procedures
For the second process, CMMC states that “Practices need to be established, documented, and followed.” Think of a documented procedure. The elements of this documentation include:
- Specific activities involved in satisfying the intent of the related policy
- Documented practices explaining how to perform the task or activity in a repeatable way
For levels two through four the detail can vary. Documentation can be as simple as a handwritten desk procedure or something more formal. In level five this documentation will become managed and controlled as an organization-wide standard operating procedure.
Continue with assessing Level Two
Move on to level two after assessing, planning remediation, and documenting level one. Begin again with assessing and planning the remediation of the new practices. There are 55 new practices from level one to level two, which is the second-largest jump in the number of practices.
Add to documentation
After the level two assessment, add the new practices into the existing documented policies and procedures. Level two also has a practice that requires a System Security Plan (SSP). It is important to start this documentation as well. An SSP is a requirement for NIST 800-171 today.
Assess and document Level Three
When ready for level three, start again by assessing and planning remediation for the new practices. This is the largest addition of practices between levels: a total of 58 new practices moving from level two to level three. Add these new practices to the existing documented policies, procedures, and the SSP.
Congratulations on NIST 800-171 compliance
An organization achieves NIST 800-171 compliance when they have:
- Implemented, or documented remediation for, all level one through three practices, or at a minimum the subset of those practices that came from NIST 800-171.
- Implemented documented policies, procedures, and the SSP.
This is a huge achievement, and continuing from here will assist with future CMMC compliance. It is recommended to continue with at least the managed plan process in order to complete all level three requirements. It is also important to note that CMMC requires all items to be remediated for certification; POA&Ms will not be accepted.
Implement the Level Three process
The level three process is creating and documenting a “managed plan.” This plan outlines how the organization will achieve compliance in each domain. CMMC defines a “managed plan” as the strategic-level objectives that inform leadership of the status of each domain.
The elements of a managed plan
The managed plan can be stand-alone, embedded in a more comprehensive document, or distributed among multiple documents. No matter which way it is implemented, it is important to have the following elements:
- Mission and/or vision statement
- Strategic goals/objectives in a SMART format
  - Specific, Measurable, Attainable, Result-focused, Time-bound
- Relevant standards and procedures
- A project plan to record activities, due dates, and organizational resources
- Training needed to perform the domain activities
- Involvement of relevant stakeholders
Documenting “organizational resources” for all activities
CMMC indicates the project plan in the level three managed plan needs to include:
- Assigned people resources (appropriate knowledge, skills, and abilities)
- Defined funding needs, established budget, and resolved gaps
- Proper oversight, executive, and maintenance
- Provision of specific tools required and people trained for those tools
Assess and document Level 4
In level four there are only 26 new practices. Start with assessing the new practices, then add them to the existing documentation (policies, procedures, SSP, and managed plan). Once completed, it is time to focus on the level four process.
Level Four process requirement
The level four process is how the organization reviews and measures implementation effectiveness. Refer to the SMART goals from the managed plan for measuring practice implementation. CMMC indicates that corrective action is necessary when goals are not met.
The elements of a review process
- Establish appropriate metrics and measure appropriate attributes (qualitative or quantitative)
- Higher-level managers must participate in the review
  - Managers above the immediate level of managers responsible for the process
- Identify problems/deviations from the plan; corrective actions and tracking to closure
- Reviews should be both periodic and event-driven, covering:
  - Status reviews of activities
  - Issues identified in process and plan reviews
  - Risk associated with activities
  - Recommendations for improvements
  - Status of improvements being developed
  - Schedules for achieving milestones
Assess and document Level Five
Level five is the last and highest step in CMMC. Begin by assessing the final 15 CMMC practices, then add them to all previous documentation. After that, it’s time to put the fifth process in place.
Documenting standard practices
The fifth process is standardizing practices across the entire organization to create consistency. Use an asset library to manage and control the standards. Create a review process by which to make changes or updates. The organization should document lessons learned from planning and performing these practices.
How to document standard practices
A standardized practice should include the following:
- Practice description
- Practice activities to be performed
- Process flow including diagrams
- Inputs and expected outputs
- Performance measures for improvement
- Procedures for process improvement
Repeating the three steps for all levels takes time
There it is, the three steps to achieving CMMC compliance:
- Assess practices & remediate as needed
- Document processes
- Level up
Do not wait to start, as achieving CMMC will take considerable time and resources.
171 practices and five processes to achieve the highest compliance
If the highest level of CMMC is your organization’s goal, then there is a lot of work to be done. In addition to implementing 171 practices, there are the five processes:
- Documented policies
- Documented procedures
- Managed plan
- Review process
- Standardized organization-wide procedures
Remember that the best place to start is with NIST 800-171. This gives organizations the best chance to achieve CMMC level three compliance.
RSI Security can help
RSI Security can conduct assessments against the existing NIST 800-171 standards. During a NIST 800-171 assessment, we will take into consideration current CMMC information provided. Other services we provide include: