Cybersecurity Maturity Model Certification (CMMC) is an assessment model designed by the DoD (Department of Defense) to protect sensitive unclassified information. CMMC looks at several security standards used by the military and its defense contractors. Originally passed in 2018, CMMC has been revised several times but its main framework remains the same.
Any business that has DoD contracts or works with a defense supplier must be CMMC certified. However, if you’re new to CMMC you probably have several questions. In this guide, you’ll learn everything you need to know about Cybersecurity Maturity Model Certification CMMC compliance.
What is CMMC
The CMMC model encompasses several maturity levels. These range from Basic Cybersecurity Hygiene to Advanced. The concept of regulated cybersecurity standards arose in response to several DoD security breaches. The framework goes into effect in January 2020 and anyone with access to CUI should have incorporated CMMC requirements by June of the same year.
The CMMC framework applies to any company with a DoD contract. This means all DoD contractors and suppliers must meet the cybersecurity standards specified in the NIST SP 800-171 framework. If you’re not familiar with this cybersecurity framework; it protects controlled unclassified information from hackers and foreign agents.
NIST is the acronym for the National Institute of Standards and Technology which created the Special Publication 800-171 designed to protect CUI (Controlled Unclassified Information). In 2015, the DoD published DFARS (Defense Acquisition Federal Regulation Supplement). DFARS requires all private DoD contractors to meet NIST 800-171 standards. Before you can meet the standards you need to understand what classifies as CUI.
What is CUI (Controlled Unclassified Information)
Since the Cybersecurity Maturity Model Certification framework covers CUI it’s important to understand what it is. Controlled Unclassified Information is data not federally regulated but is still considered sensitive and relevant to U.S. interests.
The NARA (National Archives and Records Administration) – the executive agency in charge of creating and implementing the standards and overseeing compliance – defines CUI as,
“CUI is considered any potentially sensitive, unclassified data that require controls in place which define its proper safeguarding or dissemination. It must be consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act.”
If an agency or company handles CUI, a public registry of all categories and subcategories must be compiled. The information must also be labeled as to why it is being classified as CUI. Here’s an example of how to categorize CUI.
- Bank secrecy
- Electronic monetary transfers
- Contractor registration
Defining and categorizing CUI should be relatively simple for companies that already track their data. What is a little more difficult is understanding and meeting NIST 800-171 standards. This is a requirement for Cybersecurity Maturity Model Certification.
NIST 800-171 Compliance
NIST 800-171 was created after the Federal Information Security Management Act (FISMA) was passed in 2003. Its primary goal is to improve cybersecurity around controlled unclassified information. Before being revised in 2017, there were unique standards for different agencies. Now all agencies that share CUI with private contractors must adhere to the same regulations.
NIST standards apply to any organization that stores, transmits or processes CUI for the DoD, NASA, or GSA. To meet compliance standards, all networks must meet security protocols. Companies not in compliance are at risk of losing their government contracts. It can take up to 8 months to implement all the required protocols. However, there are a few steps companies can implement almost immediately.
Fourteen areas must have security protocols in place to be NIST compliant.
- Controlled Access: Limit data access to necessary personnel.
- Training: Employees must know how to implement security protocols.
- Audit and Identity: Unauthorized access to CUI data must be documented and violators identified.
- Manage Security Configurations: How security protocols are built, along with the networks, must be documented.
- Identification Verification: An employee’s identity must be verified and documented before gaining access to CUI.
- Incident Response: If a breach occurs protocols must be in place to respond to the security threat and notification made to the affected parties.
- Maintenance: Companies must have scheduled maintenance protocols in place.
- Data Storage Protection: Hard and electronic copies of records must be safely stored.
- Access Protection: Employee access to systems must be limited to essential personnel.
- Employee Screening: Before employees have access to CUI they must have a risk assessment screening.
- Risk Assessment: Stimulations should be performed regularly to assess any security risks. This includes employees and networks.
- Assess Security Protocols: The security protocols in place need to be effective and routine assessments can identify any potential weak spots.
- System and Data Protection: Information must be protected by internal and external points of transmission. It should also be regularly monitored for any security breaches.
- Information and System Integrity: Security breaches should be quickly identified and corrected within 30 days.
Once companies with access to CUI are compliant with these fourteen areas, they can receive NIST certification. NIST compliance is required for Cybersecurity Maturity Model Certification.
Getting Cybersecurity Maturity Model Certification (CMMC)
Both NIST and CMMC require third-party auditors like RSI Security to determine if the company has met the requirements. If a contractor complies with NIST and CMMC requirements the DoD contractor will be certified. It is important to remember that NIST and CMMC certification requirements are different and having one doesn’t automatically mean that you’ll receive the other.
There are five levels companies will be graded on during the CMMC certification audit.
- Level 1 Basic Cyber Hygiene
- Level 2 Intermediate Cyber Hygiene
- Level 3 Good Cyber Hygiene
- Level 4 Proactive
- Level 5 Advanced / Progressive
Before the audit, companies will need to determine which CMMC level applies to them. This will depend on the type of data being shared, stored, or managed. The more sensitive the CUI is, the higher the CMMC level needed to pass for CMMC certification. Maturity processes are also expected to be implemented for each CMMC level. The review will look at the following,
Maturity Level 1: The organization is performing adequate security protocols for CMMC Level one status.
Maturity Level 2: Security protocols are documented and established.
Maturity Level 3: Security protocols are regularly reviewed to ensure proper implementation.
Maturity Level 4: Protocols will be reviewed for effectiveness. Higher-level management will also be looked at for issues.
Maturity Level 5: All cybersecurity protocols must be shared across the organization and documented.
There is also a timeline for certification for all DoD contractors that wish to renew or bid on government contracts.
- January 2020: The requirements for CMMC levels are released, along with the material necessary for auditor training.
- February-May 2020: Training audit assessors begins.
- June-September 2020: Audits begin with DoD third-party contractors. CMMC levels must be identified before the start of the audit.
- October 2020 and beyond: DoD contractors must be certified by an accredited assessor before they are allowed to bid on new contracts.
Before the contractor is certified, their first step should be a CMMC Readiness Assessment. This assessment will help pinpoint any potential cybersecurity issues before the certification audit.
CMMC Readiness Assessment
The main purpose of a readiness assessment is to determine what protocols need to be implemented or improved. It is designed to locate processes and system setups that do not meet the required standards. Some of the issues a CMMC Readiness Assessment might uncover include,
- How to access information systems is controlled
- How managers and information system administrators are trained
- How data records are stored
- How security controls and measures are implemented
- How incident response plans developed and implemented
Once the assessment is completed, companies will have an idea of what areas need to be addressed before the certification audit. This is when a remediation plan should be developed. A remediation plan will address any cybersecurity issues found during the assessment and implement adequate fixes. The assessment and necessary fixes must be completed by June 2020 for the initial CMMC audit. This short timeline is only one way DoD contractors are being affected by CMMC.
How CMMC Affects Contractors
The Cybersecurity Maturity Model Certification will affect DoD contractors, and others they manage CUI. The cost of implementing the necessary security protocols can be expensive. There is also the issue of the brief timeframe the government is allowing for companies to be compliant.
Companies must pay for a third-party assessor to perform the audit. It can no longer be done in-house. This, added to the implementation costs, can affect companies’ bottom line. However, the cost of not being audited by the deadline can be more expensive.
CMMC Non-Certification Penalties
Unlike other cybersecurity acts, CMMC does not have any monetary penalties. Companies found to be non-compliant will not be fined by the federal government. This is because there are over 300,000 DoD contractors and it is impossible for the federal government to check to see if everyone had a third-party audit within the allotted compliance timeline.
Instead of monetary penalties, companies will automatically lose their current DoD contracts. They will also be blocked from bidding on any new government contracts. Since government contracts are often the company’s main source of income, the penalty for non-compliance can be devastating.
By the end of 2020, it will be required that all companies with DoD contracts meet CMMC standards. It also requires that companies be NIST certified. While NIST certification has been a requirement for a few years, CMMC made one change in how a company is audited. Companies can no longer perform their audits, a third-party assessor must be brought in.
Meeting NIST and CMMC cybersecurity standards can be difficult. This is why many private contractors are turning to companies like RSI Security to help them meet compliance standards. Their certified assessors can also perform your CMMC audit.