The United States Department of Defense (DoD) requires the utmost protection for all of its assets and procedures. As the department directly responsible for national security and the wellbeing of all American citizens, the DoD faces cybersecurity threats that are uniquely potent.
This applies to cyberattacks on the DoD itself as well as on its network of partnering institutions.
All organizations contracted to work with the DoD must secure themselves accordingly.
That’s why the DoD Cybersecurity Maturity Model Certification (CMMC) will soon be mandatory for all DoD contractors. The 300,000+ companies that make up the Defense Industrial Base (DIB) and DoD supply chain will all need to implement this standard soon.
Top Challenges to Attaining CMMC Certification
The CMMC is an innovative reframing of several existing cybersecurity protocols. Once implemented, it will ensure robust and consistent protection across DoD contractors, despite differences between the various industries these organizations span.
That doesn’t mean that it’ll be easy.
While cybersecurity protections are already required of DoD contractors, CMMC includes and expands pre-existing protocols. In particular, CMMC focuses on protecting two forms of sensitive data per standards set out in the National Institute of Standards and Technology (NIST) Special Publication 800-171 and the Federal Acquisition Regulation (FAR) clause 52.204-21.
The kinds of data focused on are:
- Federal contract information (FCI) – Information created by, or on behalf of, the federal government under contract, but not intended for access by the general public.
- Controlled unclassified information (CUI) – Information legally required to be protected in one way or another, but not under the status of “classified.”
Expanding existing protections to fully safeguard these forms of data requires in-depth analysis of all systems that process and store this information. This is a wide net, as these documents and other files can be much more diverse and prolific than classified information.
Therein lies one of the biggest difficulties.
How Attaining CMMC Certification Works
DoD cybersecurity certification is also challenging because of how you get certified.
Whereas DoD contractors used to be able to self-assess and control cybersecurity internally, that is no longer the case. One of the biggest changes the CMMC introduces is that a certified third-party assessment organization (C3PAO) is now required to assess and certify your organization.
What does this mean for you?
You’ll need to prepare all documentation and proof that your business is satisfying the controls CMMC requires, whether on your own or with the help of an external organization. And then, an accredited C3PAO will sign off on your company’s ability to contract with the DoD.
The need for external affirmation creates more pressure and responsibility than a self-assessment does.
But understanding what your C3PAO is looking for is the key to passing with flying colors.
Understanding the Level System
The criteria that your C3PAO will be looking for are broken down into a system of graduated levels. Collectively, they measure various practices and processes integral to cyberdefense.
These levels break down as follows:
- Basic cyber hygiene practices, performed processes
- Intermediate cyber hygiene practices, documented processes
- Good cyber hygiene practices, managed processes
- Proactive practices, reviewed processes
- Advanced/proactive practices, optimizing processes
Each level builds on the last and feeds into the next. They comprise 171 practices that stack up cumulatively, with processes escalating in depth and breadth of implementation. This is a complex system that’s inherently challenging even just to comprehend.
Implementing each level also entails its own particular challenges.
Challenges at Each CMMC Level
The CMMC level system is intended to guide companies through the various steps required to achieve perfect compliance. As such, the protections ramp up in severity and complexity, eventually maximizing protections for FCI and CUI, as noted above.
Each level has an intended outcome: a common goal that must be attained by applying that level’s processes and practices. Each of these outcomes presents its own particular challenges.
These levels’ intended outcomes fall into four distinct categories:
- Level 1: Safeguard all FCI
- Level 2: Transition to protection for CUI
- Level 3: Fully protect CUI
- Levels 4-5: Preventative measures for advanced persistent threats (APT)
Let’s walk through what challenges each goal entails:
Level 1: Safeguarding Federal Contract Information
Admittedly, the first level is the simplest.
Unlike the levels that follow, the first requires only the bare presence of the given practices. There are no specific quotas or figures you need to meet. The requirements break down like this:
- Processes: Performed – Practices must be performed, and process maturity is not actually measured. This is because the first practices involve measures that are performed ad-hoc or are otherwise unmeasurable.
- Practices: Basic Cyber Hygiene – 17 practices that encompass the bare minimum in terms of cybersecurity, including indexing and sanitization precautions.
Since this level simply requires performance, not specific measures, it’s an easy first step to the more robust levels to come.
Level 2: Transition to Protected Controlled Unclassified Information
At this level your company is preparing for the more stringent challenges of the next levels. Nonetheless, this stage does introduce a bevy of new practices, as well as the first process maturity measure.
Here are the requirements for level two:
- Processes: Documented – Practices must not just be performed, but also documented. This goes for all prior practices, as well as any new ones introduced at this level.
- Practices: Intermediate Cyber Hygiene – The 55 practices introduced at this stage leverage the basic infrastructure set up in level one and extend it into more detailed procedures, like rigorous backup programs and screening for users.
At this stage, one of the biggest challenges is the implementation of 55 entirely new practices. Keep in mind that these are cumulative with the first 17. While many of the new ones do build on the first 17, it’s still a big adjustment. In addition, the burden of specific documentation protocols for all practices amplifies the difficulty of all 72.
Level 3: Fully Protect Controlled Unclassified Information
Here’s where things intensify.
The culmination of what began in the first two levels, level three is the true test of your commitment to general cybersecurity.
This stage finalizes the incorporation of all NIST SP 800-171 requirements. It entails:
- Processes: Managed – All practices are actively managed, incorporating detailed planning and execution of all practices introduced over the first three levels.
- Practices: Good Cyber Hygiene – Level three adds a whopping 58 practices, including all remaining NIST SP 800-171 protocols and several others. These controls move beyond descriptive information gathering into prescriptive functions like training.
This level presents the greatest volume of new changes, and the cumulative total reaches 130 practices. All of these now need to be performed, documented, and managed.
The volume and diversity of tasks create a breadth and depth of difficulty not seen in the earlier levels. However, the payoff is that by level three, all basic reactive protections are set. At this point you’re well protected from all known threats.
The next levels dive into the wide range of threats that are constantly evolving over time.
Levels 4 and 5: Reduce Advanced Persistent Threats
The final two levels are devoted to protecting against threats that evade the protections listed above, as well as threats that may not yet exist.
As technology advances, cybercriminals outpace cyberdefense mechanisms.
So, levels four and five involve doing everything in your power to even the scales. At level four these measures include:
- Processes: Reviewed – Building on management, all practices must now be subject to constant review, leading to correction where necessary.
- Practices: Proactive – Beyond known threats, level four introduces 26 practices from expert guidelines beyond NIST. This includes deep, detailed analysis and testing of all existing and possible scenarios.
And at level five, they include:
- Processes: Optimizing – An ongoing process of optimization, coextensive with implementation, that permeates all prior practices and processes.
- Practices: Advanced/Proactive – Ongoing research, development, and implementation of cutting-edge practices, including at least 15 detailed at present.
Taken together, the challenges of these levels evolve every day as cybercrime becomes increasingly complex. Unlike the first three levels, these last two entail ongoing analysis and optimization. And these processes need to be applied not only to the new practices, but to all 171 from across all five levels.
Essentially, just as the levels all build on each other, the challenges increase in complexity, multiplying with each additional process. The result? An incredibly complex network of difficulties.
Professional help is the best way to navigate them.
Maximize Your Cyberdefenses with RSI Security
RSI Security is here to help you attain CMMC compliance.
In spite of all the challenges outlined above—as well as any other issues your particular business faces—we will find a solution for you. Our suite of CMMC advisory services includes in-depth analysis and training to get your entire organization up to speed. Plus, once the accreditation for C3PAO becomes available, we will be certified—to certify you.
We don’t just do CMMC compliance, either.
RSI Security offers many other compliance services, including PCI DSS, HIPAA, and any other controls you need to follow. We also offer various cyberdefense analysis and optimization solutions to keep your business as safe as possible, above and beyond legal requirements. For all your cybersecurity needs, contact RSI Security today!