In January 2020, the U.S. Department of Defense (DoD) released version 1.0 of its Cybersecurity Maturity Model Certification (CMMC).

The CMMC is a certification procedure developed by the DoD to verify that DoD contractors have the controls in place to protect sensitive data, including Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). The CMMC Model combines best practices from several cybersecurity standards, including NIST SP 800-171, NIST SP 800-53, ISO 27001, ISO 27032, the Aerospace Industries Association (AIA) National Aerospace Standard (NAS) 9933 and others, into one cohesive cybersecurity standard.

In prior years, contracting authorities and prime contractors would request a System Security Plan (SSP) and a Plan of Action and Milestones (POA&M) in response to DFARS 252.204-7012. These requests were often made post-award, and some companies faced severe penalties through False Claims Act (FCA) actions and settlements for misrepresenting their cybersecurity posture.

In addition, in 2018 MITRE released the report entitled “Deliver Uncompromised: A Strategy for Supply Chain Security and Resilience in Response to the Changing Character of War,” which assesses the state of cybersecurity in the Defense Industrial Base (DIB). According to the report, most government contractors were not meeting the requirements of DFARS 252.204-7012, and many more lacked the understanding or the means to meet them. Since the DIB sector consists of over 300,000 companies that support the defense industry and contribute to the research, engineering, development, acquisition, production, sustainment and operation of DoD systems, networks, capabilities and services, the loss of intellectual property from these companies poses an increased risk to national security.

Further, according to a presentation by Katie Arrington, Special Assistant to the Assistant Secretary of Defense for Acquisition for Cyber, the vast majority of contractors had not implemented the requirements of NIST SP 800-171 in their information systems. It therefore became apparent that a fourth element should be added to the acquisition process: security. CMMC reflects the DoD’s intent to make security the foundation of the preexisting acquisition criteria of cost, performance and schedule.

The CMMC in Greater Detail

The CMMC model measures cybersecurity maturity with five levels and aligns a set of processes and practices with the type and sensitivity of the information to be protected and the associated range of threats. The model consists of maturity processes and cybersecurity best practices from multiple cybersecurity standards and frameworks. The model framework organizes these processes and practices into a set of domains and maps them across five levels of maturity. To provide additional structure, the framework also aligns the practices to a set of capabilities within each domain.

Figure 1: CMMC Model Hierarchical View. Source: CMMC Model, version 1.0

Process maturity, or process institutionalization, characterizes the extent to which an activity is embedded in the operations of an organization. The more deeply ingrained an activity, the more likely it is that the organization will continue to perform it, including under times of stress, and that the outcomes will be consistent, repeatable and of high quality.

Practices, on the other hand, are the activities performed at each level within a domain. The model consists of 171 practices mapped across the five levels for all capabilities and domains.

Levels and Domains

The CMMC model measures cybersecurity maturity at five levels. Each level consists of a set of processes and practices, as depicted in Figure 2 below. The CMMC levels and their associated sets of processes and practices across domains are cumulative: for an organization to achieve a specific CMMC level, it must also demonstrate achievement of all preceding levels.

Figure 2: CMMC Levels. Source: CMMC Model, version 1.0

Further, to be certified at a given CMMC level, the contractor must demonstrate both the institutionalization of the processes and the implementation of the practices required for that level. Otherwise, the organization is certified at the lower of the two levels at which both requirements are met.

The CMMC model aligns maturity processes and cybersecurity practices with the type and sensitivity of the information to be protected and the associated threats. Accordingly, the CMMC levels focus on:

  • Level 1: Safeguarding Federal Contract Information (FCI)
  • Level 2: Transition step toward protecting Controlled Unclassified Information (CUI)
  • Level 3: Protecting CUI
  • Levels 4 & 5: Protecting CUI and reducing the risk from Advanced Persistent Threats (APTs)

Finally, the CMMC model consists of 17 domains, the majority of which originate from the security-related areas of FIPS 200 and the corresponding security requirement families of NIST SP 800-171.

Figure 3: CMMC Model Domains. Source: CMMC Model, Version 1.0

In effect, the CMMC framework aims to verify that the processes and practices associated with a given maturity level have actually been implemented. CMMC is designed to give the DoD increased assurance that a DIB contractor can adequately protect CUI at a level appropriate to the residual risk, accounting for any information flowed down to its subcontractors in a multi-tier supply chain.

Unlike NIST SP 800-171 compliance under DFARS 252.204-7012, which relied on self-attestation, CMMC has no self-certification process. The DIB contractor coordinates directly with an accredited, independent CMMC third-party assessment organization to request and schedule a CMMC assessment. The contractor specifies the certification level it is requesting based on its business requirements, that is, the CMMC level required by the contracts it intends to pursue. Certification at that level demonstrates, to the satisfaction of the assessor, the maturity of the contractor’s capabilities and organizational processes.
When pursuing CMMC certification, a DIB contractor can achieve a specific CMMC level for its entire enterprise network or only for particular segments, depending on where the information to be protected is handled and stored.

Beyond the effort that DIB contractors must invest to achieve CMMC certification, being certified brings several advantages. First, the company will be included in the DoD’s list of certified contractors, improving its prospects of winning valuable contracts. Being among the first to achieve certification will give your business a strategic advantage over competitors.

Another benefit of the new certification is reduced ambiguity. The industry has struggled to grasp compliance and to understand how the DoD would enforce it. For example, Aerojet Rocketdyne was recently the subject of a civil False Claims Act (FCA) action alleging that it misled the U.S. Government about its compliance with DFARS 252.204-7012 and NIST SP 800-171. A former employee filed the claim as a whistleblower, and the company’s own self-assessment did not provide an adequate defense. Going forward, companies will be able to rely on CMMC assessments performed by accredited third-party organizations and thereby minimize the risk of FCA actions.

Businesses can begin preparing for a CMMC certification assessment early by following these steps:

  • Have a System Security Plan (SSP) and a Plan of Action and Milestones (POA&M) in place. These documents are required for NIST SP 800-171 compliance and form the baseline for CMMC.
  • Configure your existing environment, or opt for a cloud-based environment, to meet NIST SP 800-171 requirements.
  • Include security requirements in the overall corporate budget.
  • Attend the CMMC industry days scheduled for Q3 2020.

ITEGRITI will keep you updated on any developments in the CMMC timeline. Furthermore, our experienced personnel can advise you on how to prepare for a CMMC assessment. Follow us on Twitter and LinkedIn for further updates.