The Cybersecurity Maturity Model Certification (CMMC)
The Department of Defense (DOD) believes that security is a foundational aspect of all purchase decisions and should not be sacrificed for cost, schedule, or performance. The first version of the Cybersecurity Maturity Model Certification (CMMC) program was released in 2020. Its original purpose is to be a verification mechanism to ensure that all appropriate levels of cybersecurity practices and processes are in place amongst companies in the Defense Industrial base (“DIB”) and to protect controlled unclassified information (CUI) and Federal Contract Information (FCI) that reside on the Department’s industry partners’ networks. It builds upon existing regulation (DFARS 252.204-7012) that is based on trust by adding a verification component with respect to cybersecurity requirements.
In November 2021, in response to more than 850 public comments, the DOD announced a significant revamp of the program, known as CMMC 2.0. CMMC 2.0 is expected to significantly reduce the regulatory burden on companies in the Defense Industrial Base (“DIB”) while ensuring companies still maintain sufficient safeguards needed to protect federal information.
Hyperproof can help organizations put themselves in the best position to bid on and win DOD contracts, by implementing a robust security compliance program that meets DOD expectations and improves resilience. Sign-up for a personalized demo to see how we can help you with your CMMC compliance effort:
Get expert assistance in putting together a project plan that gets you on track to meet CMMC requirements and your customers’ expectations
Intuitive software you can use to stand up a compliance program that meets NIST SP 800-171 and CMMC requirements
Manage compliance work seamless, as Hyperproof integrates with the productivity tools you already have
Conduct a gap assessment and identify key actions that need to be met to satisfy CMMC requirements
Quickly collect evidence to document your effort toward CMMC compliance. Reuse evidence across multiple information security/compliance audits.
Automatically generate System Security Plans for CMMC compliance
Who's Required to Meet CMMC Requirements?
Every organization or business that sells to or services the Department of Defense (DOD) must meet CMMC requirements commensurate with the nature of its contract and the types of data it handles on the DOD’s behalf. CMMC requirements are applicable to all prime contractors, subcontractors, and service providers of DOD contractors and not just those handling sensitive or classified data.
What are the CMMC requirements?
The CMMC program requirements are tiered; what each company must do depends on the nature of their relationship with the DOD and whether they process federal information. CMMC 1.0 originally had five CMMC levels of ascending sophistication. The CMMC 2.0 model identifies three maturity levels (ML) of cyber hygiene. CMMC 2.0’s three levels are:
CMMC 2.0 Level 1
This level will apply to most DIB companies (including all companies that do not handle controlled unclassified information) and requires compliance with 17 basic cyber hygiene practices.
Companies at Level 1 in CMMC 2.0 can perform an annual self-assessment with an annual affirmation that they comply with the requirements of CMMC 2.0 level one. A company officer or executive will need to sign off that the answers provided in the annual self-assessment are accurate and complete.
Although the DOD hasn’t announced what the consequences are for providing misleading information in the self-assessment, the Department of Justice intends to use the False Claims Act to pursue cybersecurity related fraud by government contractors and recipients. The DOJ will hold accountable organizations or individuals that put U.S. information or systems at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches.
CMMC 2.0 Level 2
This level applies to DIB companies who will receive controlled unclassified information (“CUI”) and is expected to align with the requirements under NIST SP 800-171 -- a set of recommended safeguards and requirements for protecting the confidentiality of controlled unclassified information (CUI).
The DOD has bifurcated CMMC 2.0 level two, requiring DIB companies working on “prioritized acquisitions” to get an independent assessment, while allowing annual self-assessments for non-prioritized acquisitions. DOD has not yet announced how it will prioritize acquisitions.
CMMC 2.0 Level 3
Level three companies will still require a government-led certification (independent assessment). The requirements are still under development for this level. Industry insiders expect that this level will apply to only the most sensitive and high-risk DOD projects. Those who have been subject to a DIBCAC High in the past are strong candidates for a Level 3 requirement.
To determine which level of CMMC your organization needs to adhere to, begin by asking these questions:
1. Does your business provide products and/or services to the DOD?
- Yes: Move on to the next question
- No: The CMMC doesn't apply to you
2. Does your business store, transmit, process, or access FCI or CUI?
- Yes: Must reach Level 2 maturity
No: Does your system directly influence a CUI environment?
- No: Level 1 is required
- Yes: Level 2 is required
3. In addition to the CMMC requirement, is your organization in scope for the DOD Risk Management Framework (RMF) certification?
- No: Remain at Level 2
Yes: Have you been subject to a DIBCAC High in the past?
- No: Remain at Level 2
- Yes: Level 3 is likely required
What You Can Do to Become Ready for CMMC
Keep in mind that the CMMC standard evolved from NIST SP 800-171, so it's helpful to align with this framework as soon as possible in preparation for your CMMC certification. Below are some helpful steps your organization can take to become CMMC ready:
- Identify your data, noting where and how it's stored
- Identify what CMMC maturity level your organization expects to need
- Conduct an internal assessment to identify gaps and remember to think like an auditor
- Plan how you will prove CMMC compliance and begin gathering the documentation
- Focus on corrective action with a resolution plan providing a timeline and resources
What are the Most Critical CMMC Control Families?
The CMMC model contains a total of 14 families of controls known as domains. Five of these families are considered critical in the safeguarding of sensitive information and are listed here.
Access control, including:
- Proper account management and enforcement using authentication management and directory systems
- Least privilege and separation of duties to govern the network and system access
- Auditing the right events to provide the correct information to auditors
Systems integrity, including:
- Malicious code and spam protection to thwart endpoint attacks
- Information systems monitoring driven by monitoring detection technology in conjunction with automation and endpoint detection software
- Integrity and failure control to ensure all data changes are authorized and provide a plan for business continuity and disaster recovery
Configuration management, including:
- Inventory, baselines, change control, and security impact analysis allowing only authorized configuration changes while updating inventory and monitoring data
Security assessment and authorization, including:
- Security assessments to provide point-in-time snapshots of environments
- Risk tracking
- Continuous system monitoring with vulnerability scans run as often as possible
Incident response, including:
- Creation of a documented incident response plan
- Handling and execution of events based on data classification and incident criticality
- Routine training and testing to ensure proper function during actual response event
What's Involved in a CMMC Assessment?
In general, preparing for the CMMC assessment is similar to preparing for other IT compliance assessments: Your team will need to create a repository of recorded evidence, including policies, procedures, and testing artifacts for presentation during the audit. Be organized and prepared to identify system deficiencies and document resolutions complete with timelines and resources. You can find the latest guidance on the CMMC Assessment Process by visiting the Cybersecurity Maturity Model Accreditation body's website.
All businesses need to remember that CMMC compliance doesn't end with a successful assessment. CMMC compliance is a lifetime journey for all organizations, requiring the ongoing performance of compliance and resilience activities.
Common Challenges Businesses Face with CMMC Certification
The first challenge for many organizations on the road to CMMC certification is the absence of any information security compliance program. Not only do they lack CMMC certification, but they also have minimal knowledge of, and experience with, many of the older frameworks (NIST SP 800 171, NIST 800-53) credited with birthing the current CMMC model.
Many businesses lack the security-centric architecture and compliance management tools necessary to achieve CMMC compliance. They don't have the in-house skills or experience needed to build an effective compliance program capable of meeting CMMC standards.
Another challenge results from leadership's lack of understanding regarding required CMMC regulations and the ability to identify the resulting compliance gaps. Many organizations also fail to grasp the potentially significant drawbacks of CMMC non-compliance, which include loss of DOD business, personal/corporate liability, and negative brand impact.
Hyperproof Can Help You Achieve Cybersecurity
Maturity Model Certification Step by Step
Hyperproof can help you get ready for the CMMC in the most streamlined and efficient way:
- Get expert assistance in putting together a project plan that gets you on track to meet CMMC requirements and your customers’ expectations
- Intuitive software you can use to stand up a compliance program that meets NIST SP 800-171 and CMMC requirements
- Manage compliance work seamless, as Hyperproof integrates with the productivity tools you already have
- Conduct a gap assessment and identify key actions that need to be met to satisfy CMMC requirements
- Quickly collect evidence to document your effort toward CMMC compliance. Reuse evidence across multiple information security/compliance audits.
- Automatically generate System Security Plans for CMMC compliance