Organizations that work with the US military need to prove their security maturity with the CMMC framework. Preparation requires knowing the framework inside and out, scoping out what Level of compliance you need, and then implementing it and getting ready for assessment.
Is your organization ready for DoD compliance? Schedule a consultation to find out.
How to Prepare for CMMC Implementation
The Cybersecurity Maturity Model Certification (CMMC) is a form of regulatory compliance required for organizations in the Defense Industrial Base (DIB) sector. It proves they’re ready to secure sensitive information critical to the security of US military personnel and all Americans.
Certification can be challenging, but preparation can be streamlined into three basic functions:
- Understanding the basics of the CMMC 2.0 framework
- Determining the scope of certification (CMMC Level) needed
- Implementing all required controls per the DoD’s assessment guidance
Working with a CMMC advisor will help you plan and execute your implementation.
Understanding the CMMC Framework
The DoD uses CMMC assessments to ensure that contractors it works with can protect specific kinds of sensitive data germane to military contract work. Organizations seeking contracts will implement a specific set of controls based on the Level required per their contract. Then, they conduct assessments (self-assessment or assisted, based on Level) to achieve certification (compliance).
The CMMC was originally released in 2020 under the supervision of the Office of the Under Secretary of Defense (OUSD) for Acquisition and Sustainment (A&S). It is now overseen by the DoD’s Chief Information Officer (CIO) with input from OUSD Intelligence and Security (I&S).
Upon its release in 2021, the CMMC 2.0 framework replaced CMMC v1.02, with major changes to the way it gauges maturity. It has different controls and a simpler Level schema. It also overhauled the assessment protocols, emphasizing flexibility and accessibility over rigid uniformity. Still, even with these changes, understanding what’s required can be challenging.
Implementation: What Controls Do You Need?
CMMC is a cyber maturity model, meaning that it measures the depth and complexity of an organization’s systems. It accounts for a range of maturities, which it categorizes as Levels.
- CMMC Level 1 Implementation – Organizations implement a set of 15 baseline practices derived from NIST SP 800-171 for Foundational security maturity.
- CMMC Level 2 Implementation – Organizations implement 110 practices, adapted from and covering the entire scope of NIST SP 800-171, for Advanced security maturity.
- CMMC Level 3 Implementation – Organizations adopt all of the above, plus an as-yet-undefined set of practices from NIST SP 800-172, for Expert security maturity.
The Level your organization needs to achieve will likely be spelled out in a specific contract you are targeting. Beyond this, organizations can also undergo scoping to assess what Level they’ll need based on the kinds of data most closely associated with their work (see below).
Assessment: How to Verify Security Maturity
The DoD also requires different assessment protocols at each Level, providing more or less assurance at different intervals. At present, the specific requirements break down as follows:
- CMMC Level 1 Assessment – Organizations are expected to conduct self-assessments and provide affirmation documentation, with or without assistance, on an annual basis.
- CMMC Level 2 Assessment – Most organizations must conduct triennial third-party assessments; a select subset with less exposure to CUI may self-assess triennially.
- CMMC Level 3 Assessment – Organizations will be expected to conduct triennial government-led assessments (infrastructure for Level 3 is still under development).
One major goal of the CMMC 2.0 rulemaking was to review and resolve conflicts that had arisen in the CMMC assessment ecosystem. The new and improved Cyber AB (formerly the CMMC Accreditation Body) certifies the third-party assessors who assess most Level 2 organizations.
Determining Your Implementation Scope
As noted above, the CMMC Level your organization needs to achieve should be established in the DoD contract you’re targeting. However, if your organization is taking a proactive approach and seeks certification before competing for a contract, it can also determine its likely scope from the kinds of data it manages. Working with a compliance advisor can also help you scope.
In general, CMMC Level 1 applies primarily to Federal Contract Information (FCI), whereas Level 2 concerns both FCI and Controlled Unclassified Information (CUI). FCI includes data concerning government contracts not suitable for public release. CUI is broader in scope, including any information deemed sensitive but not fully classified. The Information Security Oversight Office (ISOO) maintains a registry of all CUI types and relevant regulatory bodies.
Scoping guidance documents available from the DoD clarify which assets are in scope for CMMC assessments at Levels 1 and 2. At present, no such guidance is available for Level 3.
CMMC Level 1 Scoping Guidance
According to the official Level 1 scoping documentation, the primary focus of CMMC Level 1 assessments is “FCI Assets.” These are any virtual or physical assets that can do the following:
- Process FCI, allowing access, data input or editing, generation, printing, etc.
- Store FCI in a latent or “at-rest” state in or on any physical or virtual medium
- Transmit FCI between assets or locations in any physical or digital method
Any assets that do not allow for these functions are not in scope for Level 1 assessments and thus do not need to be accounted for in any official capacity. There are also “Specialized Assets” that do not need to be assessed as long as they are documented properly. These include but are not limited to government properties, Internet of Things (IoT) devices, and test equipment.
CMMC Level 2 Scoping Guidance
Per the DoD’s Level 2 scoping documentation, the primary focus is “CUI Assets.” Like FCI Assets, these include any software or hardware that process, store, or transmit documents that constitute or contain CUI. Beyond Level 1 requirements, organizations must provide a basic network diagram of all CUI Assets and other in-scope assets during their pre-assessment.
And, in addition to CUI Assets, Level 2 scoping also includes the following:
- Security Protection Assets that constitute or contribute to protections for CUI
- Contractor Risk Managed Assets that could possibly come into contact with CUI
- Specialized Assets, mirroring those of Level 1, but now in-scope for Level 2
The only fully out-of-scope assets for Level 2 assessments are those that are physically or logically segmented away from CUI such that they have no connection to it whatsoever.
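The segmentation rule above is easy to get wrong in a spreadsheet: an asset gets tagged “out of scope” even though it still has a link to something that touches CUI. The following added example (not from the page or from any DoD guidance document) runs that check over a constructed asset inventory, treating each listed connection as bidirectional and walking it from every CUI Asset; anything reachable cannot be claimed out of scope, and the in-scope categories are collected for the pre-assessment network diagram.

```python
from collections import deque

# Constructed sample inventory (illustrative only). Each asset carries the
# category its owner assigned from the Level 2 scoping guidance and its
# physical or logical connections; links are treated as bidirectional.
INVENTORY = {
    "file-server-01": {"category": "CUI Asset", "links": ["fw-core", "backup-01"]},
    "backup-01":      {"category": "CUI Asset", "links": ["file-server-01"]},
    "fw-core":        {"category": "Security Protection Asset",
                       "links": ["file-server-01", "eng-ws-07", "guest-wifi", "cnc-machine"]},
    "eng-ws-07":      {"category": "Contractor Risk Managed Asset", "links": ["fw-core"]},
    "cnc-machine":    {"category": "Specialized Asset", "links": ["fw-core"]},
    "guest-wifi":     {"category": "Out-of-Scope", "links": ["fw-core"]},  # claimed, but linked
    "cafeteria-pos":  {"category": "Out-of-Scope", "links": ["pos-switch"]},
    "pos-switch":     {"category": "Out-of-Scope", "links": ["cafeteria-pos"]},
}

# The four Level 2 asset categories that are in scope for assessment.
IN_SCOPE = {"CUI Asset", "Security Protection Asset",
            "Contractor Risk Managed Asset", "Specialized Asset"}


def neighbours(inventory):
    """Build an undirected adjacency map; a link recorded on either side counts."""
    adj = {name: set() for name in inventory}
    for name, asset in inventory.items():
        for other in asset["links"]:
            adj[name].add(other)
            adj.setdefault(other, set()).add(name)
    return adj


def reachable_from_cui(inventory):
    """Every asset with any connection path to a CUI Asset (breadth-first search)."""
    adj = neighbours(inventory)
    seen = {n for n, a in inventory.items() if a["category"] == "CUI Asset"}
    queue = deque(seen)
    while queue:
        for nxt in adj[queue.popleft()]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def scoping_findings(inventory):
    """Map asset -> finding for categorisations the scoping rules do not allow."""
    connected = reachable_from_cui(inventory)
    findings = {}
    for name, asset in inventory.items():
        if asset["category"] == "Out-of-Scope" and name in connected:
            findings[name] = "has a path to CUI: cannot be out of scope, re-categorise"
        elif asset["category"] == "Specialized Asset":
            findings[name] = "in scope at Level 2: document it in the SSP"
    return findings


def diagram_assets(inventory):
    """Assets that belong on the pre-assessment network diagram (in-scope categories)."""
    return sorted(n for n, a in inventory.items() if a["category"] in IN_SCOPE)
```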
CMMC Level 3 Scoping Speculation
At present, the DoD has not publicly stated what threshold of CUI processing or other factors will necessitate CMMC Level 3 assessment. However, it can be assumed that organizations with greater amounts and varieties of CUI are most likely to require the highest CMMC Level.
In addition, insights from earlier versions of CMMC may be useful here. Namely, before the overhaul to CMMC 2.0, there were five Levels instead of three. The DoD maintains that the current Level 3 corresponds with what was Level 5 in the previous version. And that Level specified that its heightened protections were required for organizations that face advanced persistent threats (APT) to CUI. This suggests that the threshold for Level 3 in the current version may also depend upon risk factors in addition to the volume and variety of CUI controlled.
Implementing and Assessing Security Practices
Equipped with the knowledge of your assessment scope, all that remains is implementing controls and ensuring systems are ready for self-, third-party, or government-led assessments.
As noted above, the practices that comprise the CMMC 2.0 framework are adapted from NIST Special Publications. The DoD provides detailed assessment guidance documents that explain which controls are required at Levels 1 and 2. NIST SP 800-171 distinguishes between Basic and Derived Requirements, which CMMC does not. And NIST SP 800-172 builds on this distinction further, adding “Enhanced” Requirements to already-established protections.
While no formal information is available yet about which practices from NIST SP 800-172 are applicable at Level 3, familiarity with its controls will aid in assessment preparation efforts.
CMMC Level 1 Implementation Requirements
NIST SP 800-171 comprises 110 Requirements distributed across 14 Families. In CMMC 2.0, corresponding controls are called “practices,” and their groupings are not named (they were “Domains” in CMMC v1.02). Level 1 covers a small number relative to the entire SP 800-171.
Per the Level 1 assessment documentation, the required practices break down as follows:
- Level 1 Access Control (AC)
  - AC.L1-3.1.1: Authorized Access Control
  - AC.L1-3.1.2: Transaction and Function Control
  - AC.L1-3.1.20: External Connections
  - AC.L1-3.1.22: Control of Public Information
- Level 1 Identification and Authentication (IA)
  - IA.L1-3.5.1: Identification
  - IA.L1-3.5.2: Authentication
- Level 1 Media Protection (MP)
  - MP.L1-3.8.3: Media Disposal
- Level 1 Physical Protection (PE)
  - PE.L1-3.10.1: Limit Physical Access
  - PE.L1-3.10.3: Escort Visitors
  - PE.L1-3.10.4: Physical Access Logs
  - PE.L1-3.10.5: Manage Physical Access
- Level 1 System and Communications Protection (SC)
  - SC.L1-3.13.1: Boundary Protection
  - SC.L1-3.13.5: Public Access System Separation
- Level 1 System and Information Integrity (SI)
  - SI.L1-3.14.1: Flaw Remediation
  - SI.L1-3.14.2: Malicious Code Protection
  - SI.L1-3.14.4: Update Malicious Code Protection
  - SI.L1-3.14.5: System and File Scanning
Organizations preparing for CMMC Level 1 can also begin implementing additional controls from the remainder of NIST SP 800-171, since all of them will be required for CMMC Level 2.
CMMC Level 2 Implementation Requirements
At CMMC Level 2, organizations implement 110 practices that cover the entire range of controls in NIST SP 800-171. Organizations that were already NIST compliant may find that mapping protections from those Requirements to CMMC practices is a straightforward process.
According to the Level 2 assessment documentation, these are the added practices:
- Level 2 Access Control (AC)
  - AC.L2-3.1.3: Control CUI Flow
  - AC.L2-3.1.4: Separate Duties
  - AC.L2-3.1.5: Least Privilege Principle
  - AC.L2-3.1.6: Non-Privileged Account Use
  - AC.L2-3.1.7: Privileged Functions
  - AC.L2-3.1.8: Unsuccessful Login Attempts
  - AC.L2-3.1.9: Privacy and Security Notices
  - AC.L2-3.1.10: Session Lockouts
  - AC.L2-3.1.11: Session Terminations
  - AC.L2-3.1.12: Control Remote Access
  - AC.L2-3.1.13: Remote Access Confidentiality
  - AC.L2-3.1.14: Remote Access Routing
  - AC.L2-3.1.15: Privileged Remote Access
  - AC.L2-3.1.16: Wireless Access Authorization
  - AC.L2-3.1.17: Wireless Access Protection
  - AC.L2-3.1.18: Mobile Device Connections
  - AC.L2-3.1.19: Encrypt Mobile CUI
  - AC.L2-3.1.21: Portable Storage Use
- Level 2 Awareness and Training (AT)
  - AT.L2-3.2.1: Role-Based Risk Awareness
  - AT.L2-3.2.2: Role-Based Training
  - AT.L2-3.2.3: Insider Threat Awareness
- Level 2 Audit and Accountability (AU)
  - AU.L2-3.3.1: System Auditing
  - AU.L2-3.3.2: User Accountability
  - AU.L2-3.3.3: Event Review
  - AU.L2-3.3.4: Audit Failure Alerts
  - AU.L2-3.3.5: Audit Correlations
  - AU.L2-3.3.6: Reduction and Reporting
  - AU.L2-3.3.7: Authoritative Time Sources
  - AU.L2-3.3.8: Audit Protections
  - AU.L2-3.3.9: Audit Management
- Level 2 Configuration Management (CM)
  - CM.L2-3.4.1: System Baselining
  - CM.L2-3.4.2: Security Configuration Enforcement
  - CM.L2-3.4.3: System Change Management
  - CM.L2-3.4.4: Security Impact Analysis
  - CM.L2-3.4.5: Access Restrictions for Changes
  - CM.L2-3.4.6: Least Functionality Principle
  - CM.L2-3.4.7: Nonessential Functionality
  - CM.L2-3.4.8: Application Execution Policies
  - CM.L2-3.4.9: User-Installed Software
- Level 2 Incident Response (IR)
  - IR.L2-3.6.1: Incident Handling
  - IR.L2-3.6.2: Incident Reporting
  - IR.L2-3.6.3: Incident Response Testing
- Level 2 Maintenance (MA)
  - MA.L2-3.7.1: Perform Maintenance
  - MA.L2-3.7.2: Control System Maintenance
  - MA.L2-3.7.3: Sanitize Equipment
  - MA.L2-3.7.4: Inspect Media
  - MA.L2-3.7.5: Nonlocal Maintenance
  - MA.L2-3.7.6: Maintenance Personnel
- Level 2 Media Protection (MP)
  - MP.L2-3.8.1: Media Protection
  - MP.L2-3.8.2: Media Access
  - MP.L2-3.8.4: Media Markings
  - MP.L2-3.8.5: Media Accountability
  - MP.L2-3.8.6: Portable Storage Encryption
  - MP.L2-3.8.7: Removable Media
  - MP.L2-3.8.8: Shared Media
  - MP.L2-3.8.9: Protected Backups
- Level 2 Personnel Security (PS)
  - PS.L2-3.9.1: Screen Individuals
  - PS.L2-3.9.2: Personnel Actions
- Level 2 Physical Protection (PE)
  - PE.L2-3.10.2: Monitor Facility
  - PE.L2-3.10.6: Alternative Work Sites
- Level 2 Risk Assessment (RA)
  - RA.L2-3.11.1: Risk Assessments
  - RA.L2-3.11.2: Vulnerability Scans
  - RA.L2-3.11.3: Vulnerability Remediation
- Level 2 Security Assessment (CA)
  - CA.L2-3.12.1: Security Control Assessment
  - CA.L2-3.12.2: Plan of Action
  - CA.L2-3.12.3: Security Control Mapping
  - CA.L2-3.12.4: System Security Plan
- Level 2 System and Communications Protection (SC)
  - SC.L2-3.13.2: Security Engineering
  - SC.L2-3.13.3: Role Separation
  - SC.L2-3.13.4: Shared Resource Control
  - SC.L2-3.13.6: Network Communication by Exception
  - SC.L2-3.13.7: Split Tunneling
  - SC.L2-3.13.8: Protect Data in Transit
  - SC.L2-3.13.9: Terminate Connections
  - SC.L2-3.13.10: Cryptographic Key Management
  - SC.L2-3.13.11: CUI Encryption
  - SC.L2-3.13.12: Collaborative Device Control
  - SC.L2-3.13.13: Mobile Code
  - SC.L2-3.13.14: Voice Over Internet Protocol (VoIP)
  - SC.L2-3.13.15: Communications Authenticity
  - SC.L2-3.13.16: Protect Data at Rest
- Level 2 System and Information Integrity (SI)
  - SI.L2-3.14.3: Security Alerts and Advisories
  - SI.L2-3.14.6: Monitor Communications for Attacks
  - SI.L2-3.14.7: Identify Unauthorized Uses
Similar to Level 1, organizations preparing for Level 2 might consider beginning to implement controls from NIST SP 800-172. They build on SP 800-171 and are required at Level 3.
CMMC Level 3 Implementation Speculation
As noted above, no information is available yet on the exact specifications of CMMC Level 3 assessment. However, the DoD has established that practices would be adapted from NIST SP 800-172, which utilizes the same Families as SP 800-171, adding 35 new Requirements.
It can be assumed that the practices for Level 3 will be based on some or all of the following:
- Enhanced Access Control Requirements
  - 3.1.1e: Employ authorization for critical operations
  - 3.1.2e: Restrict access to owned resources
  - 3.1.3e: Control information flows
- Enhanced Awareness and Training Requirements
  - 3.2.1e: Provide training on specific, named threats
  - 3.2.2e: Include practical risk mitigation exercises
- Enhanced Configuration Management Requirements
  - 3.4.1e: Maintain authoritative sources for accountability
  - 3.4.2e: Automate detection of abnormalities
  - 3.4.3e: Automate updates and availability
- Enhanced Identification and Authentication Requirements
  - 3.5.1e: Identify access bidirectionally
  - 3.5.2e: Automate password management
  - 3.5.3e: Authenticate devices alongside users
- Enhanced Incident Response Requirements
  - 3.6.1e: Establish a security operations center
  - 3.6.2e: Establish a cyber threat response team
- Enhanced Personnel Security Requirements
  - 3.9.1e: Regularly assess and re-certify CUI access
  - 3.9.2e: Adjust CUI access based on new information
- Enhanced Risk Assessment Requirements
  - 3.11.1e: Employ threat intelligence in risk mitigation
  - 3.11.2e: Conduct proactive cyber threat hunting
  - 3.11.3e: Utilize automation and analytics in risk mitigation
  - 3.11.4e: Document security system plans and rationale in mitigation
  - 3.11.5e: Assess the effectiveness of security solutions regularly
  - 3.11.6e: Monitor and address risks across the supply chain
  - 3.11.7e: Develop plans for addressing supply chain risks
- Enhanced Security Assessment Requirements
  - 3.12.1e: Conduct penetration testing regularly
- Enhanced System and Communications Protection Requirements
  - 3.13.1e: Diversify system components to combat malicious code
  - 3.13.2e: Introduce unpredictability through change management
  - 3.13.3e: Employ technical and procedural means to deter attackers
  - 3.13.4e: Employ physical and/or logical isolation mechanisms
  - 3.13.5e: Distribute and relocate system functions and resources
- Enhanced System and Information Integrity Requirements
  - 3.14.1e: Verify the integrity of software using root of trust mechanisms
  - 3.14.2e: Monitor systems and assets for anomalous behaviors
  - 3.14.3e: Ensure security-critical assets are in scope of protections
  - 3.14.4e: Refresh systems exclusively from known, trusted states
  - 3.14.5e: Regularly review storage and remove unnecessary CUI
  - 3.14.6e: Utilize external threat intelligence in risk mitigation
  - 3.14.7e: Verify the correctness of access and audit logs
Organizations that process the most CUI, or who are exposed to the most advanced threats to that CUI, should consider implementing some or all of SP 800-172 in preparation for Level 3.
Working with an advisor is the best way to streamline your CMMC and NIST implementation.
Optimize Your CMMC Framework Implementation
Organizations preparing for DoD compliance need to understand the CMMC 2.0 framework in its entirety. That understanding allows for accurate scoping and efficient implementation, which in turn sets you up for a streamlined self-, third-party, or government-led assessment.
RSI Security has helped countless organizations prepare for and achieve DoD compliance on the road to lucrative military contracts. We’re committed to service above all else, helping your organization plan for and execute security assurance so you can focus on what you do best.
For further guidance on CMMC framework implementation, assessment, and what you should do to prepare for seamless DoD compliance at any Level, contact RSI Security today!