Update: The Department of Defense (DoD) published CMMC 2.0 in Dec 2021 to “cut the red tape” and condense the requirements of CMMC 1.0. CMMC 2.0 will be a contractual obligation for anyone in the DoD supply chain 9-24 months after the DoD finalizes and publishes the updated certification. Please note, information below is based on CMMC 1.0 and is now out of date. The Carbide Team will post a new blog with updated information when the DoD releases full details about the CMMC 2.0.
If your company wants to compete for contracts from the U.S. Department of Defense, you’ll need to meet all the requirements for the Cybersecurity Maturity Model Certification (CMMC) to achieve CMMC compliance. The CMMC represents a unified approach to cybersecurity in the defense industry. It seeks to define clear technical requirements for contractors, subcontractors, or other organizations within the defense industrial base that handle confidential unclassified information (CUI) or federal contract information (FCI) within their own business.
Drawing from three different technology standards, the CMMC is a sweeping set of security compliance requirements. Here’s the essentials you need to know to start preparing and managing your compliance.
What is the CMMC framework?
The CMMC framework was designed to be a comprehensive and scalable standard for contract and subcontract defense companies to protect information categorized as CUI. CUI is sensitive information (But not classified information, which carries even more security requirements.) The framework is intended to help the Pentagon verify the implementation of required cybersecurity policies and procedures.
The CMMC is a new certification standard developed by the DoD and first published in January 2020. Starting in December 2020, CMMC became official department policy with contracts starting to include the new cybersecurity requirements.
If you’re getting questions about CMMC compliance or expecting to see these requirements in your contracts, here’s what you need to know:
1. Identify What Certification Level Your Company Needs
The CMMC established five levels of certification to determine the maturity of an organization’s cybersecurity infrastructure, and thus its ability to safeguard CUI and FCI.
A spokesperson for the department stated most contractors will initially only need to meet Level 1 of CMMC compliance. The DoD will specify what level a company must have achieved to qualify for a contract in its Requests for Information and Requests for Proposals.
These five levels are tiered, so you must achieve compliance with the preceding level before advancing:
- Level 1 – Basic Cyber Hygiene. Your company uses essential best practices across your organization, including those for email security and password policies.
- Level 2 – Intermediate Cyber Hygiene. Your company must have documented policies and procedures that specifically address the safeguard and control of con. At this level, you’ll have to meet 55 additional cyber hygiene practices laid out in the NIST cybersecurity framework, plus 17 basic cyber hygiene practices related to protecting FCI.
- Level 3 – Good Cyber Hygiene. At this level, you’ll need to satisfy any remaining requirements in NIST SP 800-171. You’ll also be expected to regularly review policies or processes while demonstrating the ability to manage specific activities related to CUI and FCI.
- Level 4 – Proactive Cybersecurity Practices. Level four introduces additional practices from Draft NIST SP 800-171B and introduces requirements for protecting against advanced persistent threats (APTs).
- Level 5 – Optimized Capabilities. Companies at this level must demonstrate standardized, optimized, and sophisticated capabilities for managing APTs across the entire enterprise.
The levels in CMMC compliance loosely resemble the implementation groups in the CIS Controls framework, which also map to the NIST cybersecurity framework.
2. Configure Your Existing Security Environment
Having identified the level of compliance your company must achieve, start with the infrastructure that already exists. A risk assessment is often the ideal starting point for this. During this risk assessment phase, your security team should also:
- Define what CUI or FCI you hold, then identify where it’s stored or processed, and how it’s transmitted.
- Identify applicable NIST 800-171 controls.
- Bring existing policies into alignment with the cybersecurity compliance requirements.
- Document your current CUI environment and security strategy.
3. Build a Plan of Actions & Milestones for CMMC Compliance
With some 123 different controls, CMMC compliance requires project management for a phased rollout. A Plan of Action & Milestones (POA&M) describes the current security posture of an organization plus the vulnerabilities that have been uncovered in the system. It then lays out a course for corrective action to bring your infrastructure into alignment with compliance requirements.
FedRAMP provides excellent guidance on developing a POA&M and can be used to prepare for a CMMC audit.
4. Contact a Certified Assessor
Federal contractors have always been required to maintain strict cybersecurity standards when handling CUI and FCI. However, the CMMC introduces a new requirement for contractors seeking certification: third-party accreditation with a certified assessor.
Any cybersecurity expert with experience working for companies within the defense industrial base can help you prepare for the audit and certification. However, the final assessor must be accredited by the CMMC Accreditation Board for your certification to be considered valid.
Approaching a certified assessor early in your preparation process can help you identify resources to prepare.
5. Stay Up to Date with the Latest Developments of the CMMC
Cybersecurity is not a set-it-and-forget-it project, and nowhere is that truer than the CMMC. As a very new program, the CMMC is expected to take up to five years to fully implement. Since its initial publication in January 2020, the standard has already seen numerous drafts and updates.
To increase your ability to maintain CMMC compliance, make sure you have a process to stay up to date with the latest developments. If your team can get in the habit now of staying current with changes, you may be the one who beats out a competitor for a new contract.
Prepare for the CMMC compliance with Carbide
Not sure where to start? Consider backing up your team with expert advice and an information security management platform. With a centralized solution, you’ll be able to create, manage, and implement your policies from a single hub across your entire organization.
Going forward, companies operating within the defense industrial base will need to demonstrate compliance with the CMMC to win contracts from the DoD. Although many details are still developing, savvy companies are starting to assess and align their cybersecurity strategies now. By also doing so, you’ll ensure that your company stands at the forefront when new requirements start showing up in your contracts.