Updated July 15, 2020

With more than 300,000 Department of Defense (DoD) companies and subcontractors essential to military operations, the defense industrial base (DIB) is a frequent and valuable target for malicious cyberattacks. Potential breaches of intellectual property in this sector could weaken U.S. defense capabilities and become a matter of national security.

In an attempt to increase the security and resiliency of the DIB, the U.S. Department of Defense launched Version 1.0 of the Cybersecurity Maturity Model Certification (CMMC) in January 2020. Adapted from industry-recognized frameworks, the CMMC represents a unified cybersecurity standard required for all contractors hoping to do work with the DoD. In this post, we’ll take a closer look at the CMMC framework and how your company can start preparing now for CMMC certification.

What is the CMMC Certification?

The CMMC is the DoD’s new certification procedure for assessing the cybersecurity environment of contracted companies. This certification verifies that contractors have adequate cybersecurity controls and policies in place to meet the security standards of the military. Prior to the CMMC, companies could self-certify their compliance under the applicable Defense Federal Acquisition Regulations (DFARS), which relies on NIST requirements, instead of achieving third-party validation. Companies in the DIB were not required to provide evidence that they were following the best security practices, and this process allowed companies with security gaps to continue to provide products and services to the DoD. This inevitably led to breaches, disruptions, and other IP theft in the defense supply chain.

Through the CMMC, the DoD expects to:

• Ensure contractors can defend against current and future cyber risks
• Verify that contractors have strong controls to protect the controlled unclassified information (CUI) that resides in the DIB’s network and systems
• Provide assurance by requiring an independent third-party validation
• Establish levels of compliance that align with the different levels of risk
• Encourage improved security at a manageable cost to the federal government
   

CMMC Certification Levels

Building upon existing frameworks and standards, the CMMC incorporates a selection of security controls from NIST 800-171, NIST 800-53, ISO 27001, ISO 27032, DFARS 252.204.-7012, and FedRAMP to create one maturity model. The CMMC also pulls from the Federal Acquisition Regulations System, which details basic security controls for protecting CUI that all organizations must follow under the CMMC. The CMMC organizes these cyber practices and processes into five cumulative maturity levels ranging from basic cyber hygiene to advanced security operations.

• Level 1 – Basic Cyber Hygiene: Level 1 practices are foundational and required for all higher CMMC levels. This level is centered around the safeguarding of Federal Contract Information (FCI), which is government information not intended for public release, and corresponds to the requirements specified in 48 CFR 52.24-21 and NIST SP 800-171, which details 17 basic cyber hygiene practices to protect FCI.
• Level 2 – Intermediate Cyber Hygiene: Level 2 creates a maturity-based progression for organizations to transition from Level 1 to 3. At Level 2, an organization is expected to establish and document practices and policies for CMMC compliance. This level includes 55 additional cyber hygiene practices from NIST SP 800-171 as well as others and references the protection of CUI.
• Level 3 – Good Cyber Hygiene: A Level 3 certification indicates a basic ability to protect CUI and effective implementation of the security requirements of NIST SP 800-171. At this level, organizations are expected to adequately maintain activities and review policies and processes, demonstrating a plan to manage specific activities. This level requires an additional 58 cyber hygiene practices from NIST SP 800-171 and others for a total of 130.
• Level 4 – Proactive: Level 4 requires enhanced cybersecurity practices that can defend CUI from advanced persistent threats (APTs), or malicious long-term attacks to mine for sensitive information. At Level 4, organizations are expected to review and document activities for effectiveness and inform upper management of any issues. This level adds another 26 cyber hygiene practices from Draft NIST SP 800-171B plus others, for a total of 156 hygiene practices.
• Level 5 – Advanced / Progressive: Level 5 centers on the protection of CUI from APTs through the sophisticated ability to optimize cybersecurity capabilities. Organizations at this level are expected to improve and standardize process implementation across the enterprise. This level includes 15 more practices beyond the first four levels from Draft NIST SP 800-171B and others, bringing the total number of cyber hygiene practices to 171.

The five CMMC certification levels reflect the maturity and reliability of an organization’s cybersecurity infrastructure and controls, and their ability to safeguard sensitive government information. The levels are cumulative, meaning compliance with a higher level requires meeting all of the previous lower level security and technical specifications. DoD contracts with more vulnerabilities will require contractors to meet higher security standards, indicating a higher certification level will be necessary. Other than the fact that Level 3 contracts and higher will deal with significantly more CUI, specifics regarding which types of contracts are associated with each certification level have not yet been released. 

How to Get CMMC Certified

Since companies are not allowed to self-certify under the CMMC, they must be audited by a certified third-party assessment organization (C3PAO) or a credited individual assessor to achieve compliance. C3PAOs are authorized to manage the assessment process for organizations seeking compliance with the CMMC. C3PAOs provide advisory services, schedule the assessments, hire and train individual assessors, and review the results with the CMMC-Accreditation Body (AB) Quality Auditors.

Companies seeking a CMMC Certificate will first need to identify the desired maturity level they want to be audited for compliance. Companies will then need to find an available C3PAO who will schedule the assessment with the certified independent assessor. When performing the assessment, the independent assessor will evaluate security gaps and weaknesses and determine if the company’s environment meets the CMMC requirements necessary for that specific level. Companies will have up to 90 days to resolve any issues and close any gaps with the C3PAO.

If a company achieves compliance at any level, a CMMC certification notice will be public knowledge. However, specific findings will be kept private, and certification failures will not be made public.

The cost of the certification is said to be an allowable, reimbursable cost and will be valid for three years. The DoD is aiming to have 1,500 CMMC certified contractors by 2021 and 48,000 by 2025.

CMMC Timeline

The DoD is working to quickly roll out the CMMC with a target of 10 RFIs and 10 RFPs with CMMC requirements by the end of 2020, which would result in a supply chain of approximately 150 certified contractors for each awarded contract. While the first steps are expected to take place over the next few months, full implementation of the CMMC will be gradually rolled out through 2025 with over half of the primary and subcontractors assessed by 2022. However, contractors will likely need to be certified by late 2020 if they want to start bidding on certain contracts.

Important dates for the CMMC include:

• January 2020: DoD introduces Version 1.0 of the CMMC
• June 2020:The CMMC-AB released program requirements and opens registration for C3PAOs and third-party assessors
• July 2020: DoD to create and publish a CMMC training
• Summer 2020: DoD to undergo rulemaking to implement the CMMC into the DFARS regulation
• September 2020: DoD to incorporate CMMC requirements in Requests for Proposals (RFPs)
• FY 2021 – 2026: Implementation of the CMMC through a phased rollout
• FY 2026: CMMC certification a requirement for all companies doing business with the DoD

Preparing for a CMMC Certification

Even though full implementation of the CMMC will take roughly five years, companies should not wait to start on certification efforts. Writing policies, deploying solutions, and instituting the necessary changes will take considerable time. Depending on your current environment and level of cyber hygiene, your company should plan for at least six months to achieve compliance. With the DoD planning to roll out proposals requiring CMMC compliance by the end of the year, there is no time to delay on certification preparations.

To get started on compliance efforts for the CMMC, your company should:

• Determine which CMMC level your company hopes to obtain, and start reviewing the cyber hygiene requirements that will be necessary for compliance
• Start drafting a budget for CMMC compliance to include costs for enhancing security requirements, updating policies, leveraging applications, contracting a third-party assessor, and any additional measures
• Configure your existing security environment to align to NIST 800-171 requirements; contractors that have implemented all controls should be able to successfully achieve CMMC Level 3
• Build a Plan of Action & Milestones (POA&M) to ensure continual compliance with NIST 800-171 and existing contracts and establish timelines and resource requirements
• While you cannot earn CMMC compliance until C3PAOs and independent assessors are certified, you can begin planning for an initial readiness assessment with a professional cybersecurity consulting firm, like Focal Point
• Stay up to date on the latest developments of the CMMC by regularly visiting the DoD’s website for updates

The CMMC is the DoD’s first attempt to set clear cybersecurity requirements for its contractors and verify that they are implementing the appropriate level of security before handling sensitive defense information. Although the CMMC is still in its developmental stages, your company should start getting prepared for certification now by understanding its requirements, leveraging guidance from compliance experts, and aligning security controls and policies with its framework.

Want more cybersecurity insights in your inbox?

Subscribe to Focal Point's Risk Rundown below - a once-a-month newsletter with templates, webinars, interesting white papers, and news you may have missed. Thousands of your colleagues and competitors have signed up! You can unsubscribe at any time.