Are you looking to contract with the Department of Defense (DoD)? If so, you'll need to make sure your company's cybersecurity is up to par. Specifically, you will need to meet the standards set out in the Cybersecurity Maturity Model Certification (CMMC), which is governed by the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)). But achieving full maturity is not easy, and organizations of all sizes run into the same set of challenges along the way.
Top Challenges for CMMC Compliance
The CMMC is the product of years of collaboration between OUSD(A&S) and stakeholders across the Defense Industrial Base (DIB) sector. Contributors include University Affiliated Research Centers (UARCs) and Federally Funded Research and Development Centers (FFRDCs), all of whom worked together to produce a framework that is incredibly comprehensive, and correspondingly challenging to implement.
In this guide, we’ll detail the 5 biggest challenges to achieving CMMC compliance:
- Starting out or mapping other frameworks
- Completing the “cyber hygiene” phase
- Shifting the focus to advanced threats
- Achieving full process institutionalization
- Obtaining official third party certification
Let’s get started!
Challenge #1 Starting Out or Mapping
The first challenge involves understanding the scope of what compliance requires, whether starting from scratch or from the implementation of another, related cybersecurity framework.
The core of the CMMC is made up of 17 cybersecurity domains. These are modeled after, and include, the 14 "requirement families" of the National Institute of Standards and Technology (NIST) Special Publication 800-171 (SP 800-171), which are themselves derived from the corresponding security areas in Federal Information Processing Standards Publication (FIPS) 200.
The 17 domains house the 171 practices organizations need to implement in order to fulfill the 43 capabilities distributed across the domains. Each practice is also assigned to one of the five maturity levels (covered below), so the domain counts here are cumulative totals across all levels. The full breakdown is as follows:
- Access Control (AC), comprising 4 capabilities and 26 practices.
- Asset Management (AM), comprising 2 capabilities and 2 practices.
- Audit and Accountability (AU), comprising 4 capabilities and 14 practices.
- Awareness and Training (AT), comprising 2 capabilities and 5 practices.
- Configuration Management (CM), comprising 2 capabilities and 11 practices.
- Identification and Authentication (IA), comprising 1 capability and 11 practices.
- Incident Response (IR), comprising 5 capabilities and 13 practices.
- Maintenance (MA), comprising 1 capability and 6 practices.
- Media Protection (MP), comprising 4 capabilities and 8 practices.
- Personnel Security (PS), comprising 2 capabilities and 2 practices.
- Physical Protection (PE), comprising 1 capability and 6 practices.
- Recovery (RE), comprising 2 capabilities and 4 practices.
- Risk Management (RM), comprising 3 capabilities and 12 practices.
- Security Assessment (CA), comprising 3 capabilities and 8 practices.
- Situational Awareness (SA), comprising 1 capability and 3 practices.
- Systems/ Communications Protection (SC), comprising 2 capabilities and 27 practices.
- System and Information Integrity (SI), comprising 4 capabilities and 13 practices.
Simply understanding everything that compliance will involve is a challenge in its own right. If you already maintain a NIST SP 800-171 System Security Plan (SSP), mapping its 110 requirements onto the corresponding CMMC practices is the natural starting point, but it still leaves three domains (Asset Management, Recovery, and Situational Awareness) and a number of practices with no SP 800-171 equivalent. Either way, scoping the work transitions into the much bigger challenge of implementing all the practices.
Challenge #2 Completing “Cyber Hygiene”
The second challenge has to do with a milestone: accomplishing full protection of "controlled unclassified information" (CUI). This fulfills an important requirement for DoD contractors set out in Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012, which requires contractors handling CUI to implement NIST SP 800-171.
In the CMMC, that milestone corresponds directly to Level 3, and therein lies the material challenge.
Unlike NIST SP 800-171, which is assessed as a single set of 110 requirements, the CMMC does not require organizations to implement all of its practices in one fell swoop. What makes the CMMC unique is its tiered, stepwise approach to cybersecurity development: the practices are distributed across 5 maturity levels, each of which sets a threshold for practice implementation, and each level is cumulative, so it includes every practice from the levels below it.
The levels each have their own focus, but the first 3 are linked in that they all involve practices that constitute "cyber hygiene." Level 1 covers the 17 practices that correspond to the basic safeguarding requirements of FAR 52.204-21. Level 3 (130 practices in total) includes the entirety of NIST SP 800-171, all 110 of its requirements, plus 20 additional practices drawn from other sources.
Moving from "basic" (Level 1) to "intermediate" (Level 2) and then "good" (Level 3) cyber hygiene, an organization thus satisfies all requirements for the protection of CUI.
Challenge #3 Taking on Advanced Threats
Reaching Level 3 compliance is far from the end of your CMMC journey. It is an important milestone, but this is at least in part because Levels 4 and 5 involve practices that are substantially more complex and difficult to implement. Importantly, these later levels broaden the focus beyond simply protecting CUI toward reducing the risk posed by advanced persistent threats (APTs).
An APT is not just any hacker or cybercriminal. The term describes an adversary with significant resources and expertise, typically a nation-state or a well-funded group, that pursues a specific target over a long period, uses multiple attack vectors, establishes and maintains a foothold inside the environment, and adapts its methods as defenses change. Against an adversary that studies your defenses and waits for an opening, point-in-time controls are not enough; the Level 4 and 5 practices emphasize threat intelligence, continuous monitoring, detection and response, and regular review of how well those controls actually perform.
Levels 4 and 5 introduce 26 and 15 new practices, respectively (bringing the cumulative totals to 156 and 171). This is significantly fewer than Levels 2 and 3, which add 55 and 58 practices, respectively (for cumulative totals of 72 and 130). But what these final levels lack in quantity, they make up in difficulty, and that difficulty compounds with the next challenge.
Challenge #4 Achieving Full Institutionalization
As noted above, one of the hardest things about CMMC compliance is wrangling all of its practices. But to make it to Level 5, it's not enough to implement all 171 practices, fully fleshing out the 43 capabilities across the 17 domains. In addition, you need to reach the final threshold of process institutionalization, a measure of how consistently and repeatably those practices are carried out across the entire organization. Each level requires both the practices and the process maturity for that level; meeting one without the other leaves you certified at the lower level.
The cumulative process goals for each level break down as follows:
- Maturity Level 1 – Processes are simply "performed"; process maturity is not assessed at this level.
- Maturity Level 2 – Processes must be "documented," and that documentation is assessed.
- Maturity Level 3 – Processes must be "managed," with an established, maintained, and resourced plan for each domain.
- Maturity Level 4 – Processes must be "reviewed," with their effectiveness measured and issues reported to higher-level management.
- Maturity Level 5 – Processes must be "optimizing," standardized and continually improved across the organization.
As you can see, the implementation of practices is complicated further at each level not only by the addition of extra (ever more complex) practices but also by additional process burdens.
Meeting every practice and process threshold brings you to the last challenge.
Challenge #5 Obtaining Official Certification
The final challenge to full CMMC compliance is actually getting certified. Unlike some other frameworks, such as certain NIST guides, simply self-assessing is not enough to be compliant. Instead, you need to be certified by a neutral and qualified assessor, a CMMC Third Party Assessment Organization (C3PAO) accredited by the CMMC Accreditation Body (CMMC-AB), the independent organization the DoD has authorized to accredit assessors.
Not all providers operate in the same way. Some offer only the certification assessment itself, without any advisory work to help you prepare, so if gaps are found you bear the cost of remediation and a repeat assessment. Keep in mind, too, that conflict-of-interest rules prevent an assessor from certifying an organization it has advised, so readiness consulting and the formal assessment are separate engagements, even when the same company offers both.
Some providers, like RSI Security, are happy to help you with every stage of the process. Our suite of CMMC services goes far beyond certification. We will meet you where you are in the process, at Level 1 (or earlier!), and work with you to build everything you need to get to Level 5, including the plans and resources for compliance now and in the future.
Simplify Compliance With Professional Cybersecurity
Here at RSI Security, we're committed to helping companies like yours build up cyberdefenses and secure lucrative DoD contracts, ultimately contributing to the safety of the country. We know that one of the most important stepping stones is compliance, and CMMC compliance in particular.
But that’s far from the only cybersecurity challenge facing companies in the DIB and elsewhere.
No matter what your company needs to keep its stakeholders safe, from web filtering to open source scanning automation, we have you covered. With a decade of experience providing cybersecurity solutions to all kinds of firms, we’re your best option. Contact RSI Security today!