Cybersecurity Maturity Model Certification (CMMC) is the new framework for protecting Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). It applies to all companies who are either contractors or subcontractors with the Department of Defense (DoD). It is estimated that there are around 300,000 companies who do business within the Defense Industrial Base (DIB) who will need to comply with the new regulations.
Though the CMMC Advisory Board has been formed, they have yet to train any Third-Party Assessment Organizations to certify anyone, so certification is not yet possible. But, as we will see, you can do a lot to get your proverbial ducks in a row right now. In fact, it will greatly benefit your organization when it comes time to seek certification to start working toward your desired Level of compliance because it is going to be a mammoth undertaking for those who have been fast and loose with documentation and controls for a while.
Level 1: FCI Protection
Don’t misconstrue this as an attempt to reign in the simple low-level businesses that have little to do with advanced technology. In fact, it is the opposite. The new Maturity Model allows companies who only work with FCI and not CUI to certify at a Level 1 and still do business with the DoD. True, those companies may have found previous control requirements onerous and unachievable and so may have not ever attempted compliance at all, but the CMMC prescribes the number and complexity of controls and processes based on company contact with and processing of FCI and CUI, thus drastically limiting the requirements for compliance at the lower Levels.
The new CMMC regulations are based predominantly on existing standards in NIST SP 800-171. Other referenced sources include FAR Clause 52.204-21, CIS Controls v7.1, NIST CSF v1.1, CERT Resilience Management Model v1.2, NIST SP 800-53 Rev 4, UK NCSC Cyber Essentials, and AU ACSC Essential Eight according to the newly released CMMC Model v1.0 Appendices PDF – Appendix E provided by the DoD. Pretty much, if you’ve been compliant with the NIST SP 800-171 standard and all of its 110 controls, you are more than halfway there if you handle CUI.
NIST 800-171 vs. CMMC
There are key differences between CMMC and NIST 800-171 that need to be recognized, though. NIST 800-171 has 110 controls that have Processes, Procedures, and Practices in place. “The requirements apply to all components of nonfederal systems and organizations that process, store, and/or transmit CUI, or that provide protection for such components.” That means that anyone who processes, stores or transmits CUI has to achieve full compliance with all 110 controls along with the required documentation and behaviors.
On the other hand, CMMC establishes levels of maturity for Processes and multiple levels of Practices. This means you don’t have to take on the entire NIST 800-171 requirements if all you do is manufacture combat boots. Of course, you have to be at the same level in both Processes and Practices to attain certification at a Level. So, if you are a Level 3 in your Practices, meeting all the requirements of every Domain, but you are at a Level 2 in your Processes, you will only be able to be certified at a Level 2. And Level 2 is a transitional Level, not one you want to stay at permanently.
Another difference between the current NIST 800-171 framework and the CMMC is that the NIST 800-171 does not require any outside body to determine the standing of any company. It is on-your-honor self-assessment and reporting. CMMC will require a third-party assessment organization to inspect, test, observe and certify your company as compliant. Proof of compliance will be required at the time of the bid and will be a go/no-go factor in contract awards. Levels will be defined in both Requests for Information (RFIs) and Requests for Proposals (RFPs).
Levels 3-5 focus on protecting CUI and will be required for contracts involving CUI. So, it’s not going to get easier for those companies who deal with CUI. They are going to have to comply with at least all the controls defined by NIST 800-171 at Level 3 and even more controls and Processes at Levels 4 and 5 where the focus remains on the protection of CUI but adds the necessity of dealing with Advanced Persistent Threats (APTs) like those hackers sponsored by the nation-state of China or Russia or organized crime.
In order to understand the mapping of the frameworks found in Appendix E that gives you the equivalent controls from other frameworks, it’s necessary to understand how the CMMC is organized. Compliance is broken out into many Domains. Each Domain is broken into subcategories of Capabilities. And every Capability is supported by one-to-many security controls called Practices.
It is important to reiterate here that the Level you exist on is defined by your application of all the practices of that Level ALONG WITH the processes required by that level. Practices alone will not get you certified. Your organization must follow the maturity model development of Processes, as well, which we’ll talk about later.
The CMMC defines Domains as “Key sets of capabilities for cybersecurity.” These are high-level buckets that organize the compliance approach into 17 areas that in large part originate from the Federal Information Processing Standards (FIPS) Publication 200 and correlated requirement families from NIST 800-171.
|CMMC Top Level Domains|
|Access Control (AC)||Audit and Accountability (AU)||Awareness and Training (AT)|
|Configuration Management (CM)||Identification and Authentication (IA)||Incident Response (IR)|
|Maintenance (MA)||Media Protection (MP)||Personnel Security (PS)|
|Physical Protection (PE)||Risk Management (RM)||Security Assessment (CA)|
|System and Communications Protection (SC)||System and Information Integrity (SI)||Situational Awareness (SA)|
|Asset Management (AM)||Recovery (RE)|
Capabilities, which are the next level down from domains, are defined as “Achievements to ensure cybersecurity within each domain.” There are one-to-many Capabilities under each of the 17 domains. For example, under the Domain Access Control (AC), there are four Capabilities: establish system access requirements; control internal system access; control remote system access; and limit data access to authorized users and processes. Under Domain AC there is only one Capability: Identify and document assets.
Each Capability is comprised of one to many Practices. The practices are what are called Controls in common cybersecurity parlance. To achieve a Level 1 certification, you would minimally have to meet all of the control requirements from FAR Clause 52.204-21, which would be 17 Practices. Likewise, for a Level 3 certification, you would have to meet all control requirements for NIST SP 800-171 rev 1 plus other Practices. You can see how many Practices are in each Domain by Level in the CMMC v1.0 on page 11.
So, what does this mean as far as controls go? If you want to be a Level 1 Supply Chain company, you are going to have to meet the controls described by the 17 Practices intended to protect only FCI. At this level, your company is not handling CUI. All the Practices are listed out by Domain in 2.7.2 which begins on page 12 of the CMMC v1.0. For the sake of example, the Level 1 Practices of the AC Domain are listed here.
Access Controls (AC):
- Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems)
- Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
- Verify and control/limit connections to and use of external information systems.
- Control information posted or processed on publicly accessible information systems.
There are 171 Practices indicated for all the Levels 1-5. Level 2 requires 65 NIST 800-171 Practices with 7 Practices from other frameworks and includes all 17 practices from Level 1. Level 2 is considered a transitional level from Level 1 companies who are seeking to achieve a Level 3 certification. It is not intended to be a destination, but a pause where you can get certified for your efforts and perhaps meet more RFP requirements while on your way to Level 3. Level 3 requires all 110 NIST 800-171 Practices with 20 additional practices from other frameworks and includes all the Practices from Levels 1 and 2. Level 4 and level 5 require all the Practices of all the other levels for protecting CUI, but with the additional focus of thwarting APTs. Level 4 adds 26 Practices, and Level 5 adds 15 Practices.
The CMMC not only requires the implementation of rigorous Practices or controls but demands that a company be mature in its implementation. What does it mean to be mature in the eyes of the DoD? For the sake of the CMMC Process Maturity equals Process institutionalization. The level of maturity is meant to reflect the degree to which the Practices are “embedded or ingrained in the operations of an organization. The more deeply ingrained an activity, the more likely it is that an organization will continue to perform the activity.” This includes when a company is under duress and hopefully creates consistent outcomes.
To be certified at a specific Level of the CMMC, you are going to have to implement required Processes along with all the security controls or Practices discussed earlier. This is where the CMMC diverges from other frameworks and ensures that the Practices required by each Level are not only established but effective. The five maturity Levels are Performed, Documented, Managed, Reviewed, and Optimizing.
Maturity Level 1, or Performed, does not require any additional behaviors or documentation. An organization simply performs the required Practices or controls. So, for a Level 1 certification, all you would have to do is make sure you are implementing the 17 basic controls. Process maturity is not assessed for a Level 1 company.
Maturity Level 2, or Documented, requires the beginning stages of the creation of policies and procedures that document the Domain requirements and the associated Practices that support those requirements. A policy is required for each Domain, and each policy requires the documentation of the Practices that support the implementation of that Domain policy. The point of this is to make sure the Practices are implemented in a repeatable way. So, to be Level 2 certified, you are going to have to have this documentation in place, be following it, and have the required controls in place.
Maturity Level 3, or Managed, requires that you “establish, maintain, and resource a plan that includes” each Domain. The plan illustrates how the policies, procedures, and behaviors that go along with them are managed. The plan can include top-level organizational statements of “mission, goals, project plans, resourcing, training, and the involvement of relevant stakeholders.”
Maturity Level 4, or Reviewed, requires you to review your established plans, policies and procedures on a recurring basis. For this Level, you have to measure the effectiveness of the Practices, which include thwarting APTs and report to management when something isn’t working. This Level requires that you be one step ahead of the enemy and adapt to the evolving threat landscape of tactics, techniques, and procedures (TTPs) used by APTs. These behaviors must be well established in your company to get certified.
Maturity Level 5, or Proactive, adds to the “depth and sophistication” of the Capabilities by adding more and more effective Practices for thwarting APTs. All of the Process requirements of the previous Levels remain, but the expectation is that you have both standardized and optimized your approach across all Domains and all applicable organizational units.
NIST 800-171 is still the requirement, and the best way to get ready for the CMMC is to make sure you’re compliant now. RSI Security has been helping businesses achieve compliance with complex frameworks for over 10 years. We are experts in NIST 800-171 and will be undergoing the process to become a C3PAO (Certified Third-Party Assessment Organization) once made available. We achieve 100% pass rates for our clients because we do not stop until you succeed. Contact us today to receive a free consultation and learn what you can do now to be in the best posture possible to do business with the DoD.