Just a year ago, the DoD rolled out its Cybersecurity Maturity Model Certification (CMMC) program. The CMMC certification process requires the defense industrial base (DIB) to attain third-party certification to ensure government contractors practice one of five cybersecurity levels, depending on the kind of data they touch.
Although the deadline for CMMC compliance is still 2025, some changes to the program are currently being discussed. The Department of Defense is making changes to the oversight of its independent accreditation body as part of an update to the CMMC program, dubbed “CMMC 2.0”. CMMC-AB CEO Matthew Travis said in a statement, “We congratulate the Department of Defense’s leadership and the CMMC Executive Steering Group on formulating what we see as meaningful and compelling improvements to the implementation of CMMC.”
The CMMC-AB will hold a “Town Hall” meeting on Nov. 9 to discuss changes to the program. And the deadline for scratching your head and starting to prepare a roadmap to certification is now! Fortunately, this blog (and our CMMC for Dummies ebook) will outline the paths you have to follow to reach your ultimate destination on time.
Get a feel for the road to CMMC certification.
The process for becoming CMMC certified will require effort on your part, followed by a third-party assessment. But the DoD’s goal is not to burden you or deter innovation. So, understanding the landscape and how it may change is vital to being a good mission partner.
There are three objectives for the CMMC program:
- To incorporate a unified set of cybersecurity requirements into acquisition processes and contracting language. The program includes several levels of cyber requirements. These levels allow for flexibility to apply requirements appropriate to the defined sensitivity level of information at issue.
- To provide the Department assurance, via external assessment, that all contractors and subcontractors participating in a given award meet mandatory cybersecurity requirements. All prime contractors are accountable for ensuring that their suppliers are implementing appropriate cybersecurity requirements.
- To develop supporting resources, information, and training to help contractors improve cyber readiness and comply with the Department’s requirements.
“Our end goal is to have a means of ensuring a contractor has key cybersecurity and cyber hygiene practices in place as a condition for contract award,” DHS CIO Eric Hysen says. “This process is a critical step in our progress towards protecting the Homeland.”
Knowing your location on the map.
There are five levels of CMMC certification, depending on how you interact with government data:
- CMMC Level 1: Your organization safeguards federal contract information (FCI). This level requires you to follow basic cybersecurity hygiene practices. You may already do this, so now you just need third-party certification.
- CMMC Level 2: You handle FCI and serve as a transition step in cybersecurity maturity progression to the point of protecting controlled unclassified information (CUI). You will need to meet Level 1 requirements and document your cyber hygiene across every aspect of your business.
- CMMC Level 3: Your organization handles and protects CUI. You will need to meet the 110 compliance control requirements found in NIST 800-171, plus a few other requirements. If you already meet NIST 800-171 requirements and the Defense Acquisition Regulations Systems (DFAR) Interim Rule, you are well down the road to certification.
- CMMC Levels 4-5: Your company protects CUI and reduces the risk of advanced persistent threats. If you touch sensitive data, you’ll need to document tactics, techniques, and procedures.
Taking the smartest route to CMMC certification.
Most organizations will seek Level 3 or above certification. Coincidentally, Level 3 and above is where things get a bit complicated, with the need to meet multiple controls. DoD contractors and suppliers large enough to have the resources in-house can do it DIY. Others may need to enlist third-party help.
Here are a few resources and thought nuggets that can ease your journey:
- Self-assessment. The National Institute of Standards and Technology (NIST) provides a Self-Assessment Handbook – NIST 162 to help contractors provide products and services for the federal government. This handbook is a great resource but only covers certification up to CMMC Level 3.
- Certified CMMC Assessor (CCA) or Certified CMMC Professional (CCP). This credentialed individual is authorized to deliver assessments, training, and consulting as part of a CMMC Third-Party Assessor Organization (C3PAO). Only the CMMC Accreditation Body (CMMC-AB) certifies these third-party pre-assessment consultants, and they are experts at getting you down the road quickly.
- Automation. CMMC certification controls are built on existing Security Technical Implementation Guides (STIGs) and Center for Internet Security (CIS) benchmarks for securely configuring your hardware and software. Automation not only saves truckloads of time and money, but it also gives you a way to monitor and document your compliance continually. Having data that proves your practices will help a lot come certification time.
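To make the Automation point concrete, here is a small illustration of the kind of automated, continuously documented configuration check it describes. This is an added example, not code from the original post, from CMMC-AB, or from any STIG or CIS publication: it parses a constructed sshd_config, compares a few settings against hardening expectations of the sort such benchmarks contain (the expected values are illustrative assumptions, not quotations of any specific control ID), and writes a timestamped evidence record that can be retained for an assessor.

```python
"""Added example: evaluate an SSH server configuration against a handful of
hardening expectations and produce a timestamped evidence record.

The BENCHMARK table is a hypothetical stand-in modelled on common SSH hardening
guidance; it does not quote any specific STIG or CIS benchmark item.
"""
import json
from datetime import datetime, timezone

# Constructed sample sshd_config content (not captured from a real host).
SAMPLE_SSHD_CONFIG = """\
# Sample sshd_config for demonstration only
Port 22
PermitRootLogin yes
PasswordAuthentication no
X11Forwarding no
MaxAuthTries 6
ClientAliveInterval 0
"""

# Hypothetical benchmark: setting -> (comparison, expected value, rationale)
BENCHMARK = {
    "PermitRootLogin": ("eq", "no", "direct root login over SSH is disallowed"),
    "PasswordAuthentication": ("eq", "no", "key-based authentication only"),
    "X11Forwarding": ("eq", "no", "X11 forwarding is disabled"),
    "MaxAuthTries": ("le", 4, "limit authentication attempts per connection"),
    "ClientAliveInterval": ("between", (1, 900), "idle sessions time out"),
}


def parse_sshd_config(text):
    """Parse 'Keyword value' lines into a dict.

    Blank lines and lines starting with '#' are skipped. sshd keywords are
    case-insensitive, so keys are normalised to lower case, and the first
    occurrence of a keyword wins, matching sshd's own behaviour.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts
        settings.setdefault(key.lower(), value.strip())
    return settings


def evaluate(settings, benchmark=BENCHMARK):
    """Return one finding per benchmark item with a pass/fail status."""
    findings = []
    for key, (op, expected, rationale) in benchmark.items():
        actual = settings.get(key.lower())
        if actual is None:
            # An absent setting falls back to the daemon default, which is not
            # evidenced by the config file, so it is recorded as a failure.
            status = "fail"
        elif op == "eq":
            status = "pass" if actual.lower() == str(expected).lower() else "fail"
        elif op == "le":
            status = "pass" if actual.isdigit() and int(actual) <= expected else "fail"
        elif op == "between":
            low, high = expected
            status = "pass" if actual.isdigit() and low <= int(actual) <= high else "fail"
        else:
            raise ValueError(f"unknown comparison {op!r}")
        findings.append({
            "setting": key,
            "expected": expected,
            "actual": actual,
            "status": status,
            "rationale": rationale,
        })
    return findings


def evidence_record(findings, host="example-host"):
    """Wrap findings in a record suitable for retention as compliance evidence."""
    failed = [f["setting"] for f in findings if f["status"] == "fail"]
    return {
        "host": host,
        "checked_at": datetime.now(timezone.utc).isoformat(),
        "checks": len(findings),
        "failed": failed,
        "compliant": not failed,
        "findings": findings,
    }


def run_check(config_text, host="example-host"):
    """Parse, evaluate and package a configuration in one call."""
    return evidence_record(evaluate(parse_sshd_config(config_text)), host)


if __name__ == "__main__":
    # On the constructed sample, three of the five checks fail.
    print(json.dumps(run_check(SAMPLE_SSHD_CONFIG), indent=2))
```

Run on a schedule and appended to a store, records like this give you the "data that proves your practices" the bullet refers to: each record shows what was checked, against what expectation, when, and with what result, so drift between assessments is visible rather than discovered at audit time.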
Reaching CMMC certification, and a new level of the client relationship.
The ultimate reward of CMMC compliance is helping our country combat the never-ending attacks on our systems and data. Protecting sensitive data has become a national security issue for everyone in both the private and public sectors. But beyond that, it’s a way of engaging in your client’s mission in a way that builds greater trust, loyalty, and enthusiasm.
If you are only beginning your journey, it’s time to research the C3PAOs and automation tools to make your journey easier. If you are already automating the STIG and CIS benchmarks in your CMMC requirements, you are way ahead of the pack. Just a little legal documentation, and you’ll be ready for your audit! See you on the road!
For more changes and frequent updates, visit https://www.acq.osd.mil/cmmc/index.html