What Is CMMC Compliance? Your Guide to The Cybersecurity Maturity Model Certification (CMMC)
The Cybersecurity Maturity Model Certification (CMMC)
The Department of Defense (DOD) holds that security is a foundational aspect of every purchase decision and should not be sacrificed for cost, schedule, or performance. The first version of the Cybersecurity Maturity Model Certification (CMMC) program was released in 2020. Its original purpose was to serve as a verification mechanism ensuring that appropriate cybersecurity practices and processes are in place at companies in the Defense Industrial Base (“DIB”), and to protect controlled unclassified information (CUI) and Federal Contract Information (FCI) residing on the networks of the Department’s industry partners. It builds on existing regulation (DFARS 252.204-7012), which relies on trust, by adding a verification component for its cybersecurity requirements.
In November 2021, in response to more than 850 public comments, the DOD announced a significant revamp of the program, known as CMMC 2.0. CMMC 2.0 is expected to significantly reduce the regulatory burden on companies in the DIB while ensuring that those companies still maintain the safeguards needed to protect federal information.
Who’s Required to Meet CMMC Requirements?
Every organization or business that sells to or services the Department of Defense (DOD) must meet CMMC requirements commensurate with the nature of its contract and the types of data it handles on the DOD’s behalf. CMMC requirements apply to all prime contractors, subcontractors, and service providers of DOD contractors, not just those handling sensitive or classified data.
What Are the CMMC Requirements?
The CMMC program requirements are tiered; what each company must do depends on the nature of its relationship with the DOD and whether it processes federal information. CMMC 1.0 originally had five levels of ascending sophistication. The CMMC 2.0 model identifies three maturity levels (ML) of cyber hygiene. CMMC 2.0’s three levels are:
CMMC 2.0 Level 1
This level will apply to most DIB companies (including all companies that do not handle controlled unclassified information) and requires compliance with 17 basic cyber hygiene practices.
Companies at Level 1 in CMMC 2.0 can perform an annual self-assessment, with an annual affirmation that they comply with the requirements of CMMC 2.0 Level 1. A company officer or executive will need to sign off that the answers provided in the annual self-assessment are accurate and complete.
Although the DOD hasn’t announced the consequences of providing misleading information in the self-assessment, the Department of Justice intends to use the False Claims Act to pursue cybersecurity-related fraud by government contractors and grant recipients. The DOJ will hold accountable organizations or individuals that put U.S. information or systems at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches.
CMMC 2.0 Level 2
This level applies to DIB companies that will receive controlled unclassified information (“CUI”) and is expected to align with the requirements of NIST SP 800-171, a set of recommended safeguards and requirements for protecting the confidentiality of CUI.
The DOD has bifurcated CMMC 2.0 Level 2, requiring DIB companies working on “prioritized acquisitions” to obtain an independent assessment, while allowing annual self-assessments for non-prioritized acquisitions. The DOD has not yet announced how it will prioritize acquisitions.
CMMC 2.0 Level 3
Level 3 companies will still require a government-led certification (independent assessment). The requirements for this level are still under development. Industry insiders expect that it will apply only to the most sensitive and highest-risk DOD projects. Organizations that have previously been subject to a DIBCAC (Defense Industrial Base Cybersecurity Assessment Center) High assessment are strong candidates for a Level 3 requirement.
To determine which level of CMMC your organization needs to adhere to, begin by asking these questions:
1. Does your business provide products and/or services to the DOD?
2. Does your business store, transmit, process, or access FCI or CUI?
3. In addition to the CMMC requirement, is your organization in scope for the DOD Risk Management Framework (RMF) certification?
What You Can Do to Prepare for CMMC
Keep in mind that the CMMC standard evolved from NIST SP 800-171, so it’s helpful to align with that framework as early as possible in preparation for CMMC certification. Below are some steps your organization can take to become CMMC ready:
- Identify your data, noting where and how it’s stored
- Identify what CMMC maturity level your organization expects to need
- Conduct an internal assessment to identify gaps and remember to think like an auditor
- Plan how you will prove CMMC compliance and begin gathering the documentation
- Focus on corrective action with a resolution plan providing a timeline and resources
What Are the Most Critical CMMC Control Families?
The CMMC model contains a total of 14 families of controls known as domains. Five of these families are considered critical in the safeguarding of sensitive information and are listed here.
What’s Involved in a CMMC Assessment?
In general, preparing for a CMMC assessment is similar to preparing for other IT compliance assessments: your team will need to build a repository of recorded evidence, including policies, procedures, and testing artifacts, for presentation during the audit. Be organized and prepared to identify system deficiencies and to document resolutions complete with timelines and resources. You can find the latest guidance on the CMMC Assessment Process on the Cybersecurity Maturity Model Certification Accreditation Body’s website.
All businesses need to remember that CMMC compliance doesn’t end with a successful assessment. CMMC compliance is an ongoing journey for every organization, requiring continued performance of compliance and resilience activities.
Common Challenges Businesses Face with CMMC Certification
The first challenge for many organizations on the road to CMMC certification is the absence of any information security compliance program. Not only do they lack CMMC certification, but they also have minimal knowledge of, and experience with, the older frameworks (NIST SP 800-171, NIST SP 800-53) from which the current CMMC model was derived.
Many businesses lack the security-centric architecture and compliance management tools necessary to achieve CMMC compliance. They don’t have the in-house skills or experience needed to build an effective compliance program capable of meeting CMMC standards.
Another challenge stems from leadership’s limited understanding of the required CMMC regulations and inability to identify the resulting compliance gaps. Many organizations also fail to grasp the potentially significant consequences of CMMC non-compliance, which include loss of DOD business, personal and corporate liability, and negative brand impact.
Hyperproof for CMMC Compliance
Hyperproof can help you get ready for CMMC in a streamlined and efficient way:
Hyperproof partners with professional service firms that have proven track records and deep expertise in helping organizations become CMMC ready. Our partners help customers design their compliance programs, build them out, and conduct readiness assessments so there are no surprises when the audit occurs. If you need a referral, we’d love to talk.