The U.S. Department of Defense released the first version of the Cybersecurity Maturity Model Certification (CMMC) back on January 31, 2020. Since that time, there has been a flurry of different industry experts working towards helping clients understand and prepare for getting certified under CMMC. But what is it?
The Cybersecurity Maturity Model Certification (CMMC)
If you are familiar with NIST 800-171, then you are ahead of the curve. NIST 800-171 was created to allow companies that had contracts with the Department of Defense to show they were protecting Controlled Unclassified Information (CUI). This included personal and confidential data that resided on non-federal systems that are being operated on behalf of a federal agency. Initially, contractors were allowed to self-certify that they met the NIST 800-171 requirements. CMMC version 1 seeks to change that by requiring a third-party assessment of the contractor’s compliance with CMMC and by mandating that the contractor demonstrate their capability to adapt to evolving cyber threats against CUI. This new CMMC requirement will affect over 300,000 different companies from large system integrators to simple mom-and-pop shops that might provide cleaning services. Does this mean that each contractor will be required to meet the same standards? No, there will be five tiers based upon function that different contractors will have to meet. Each tier increases the requirements, so a contractor at Tier 2 would have to meet Tier 1 & 2 requirements, while a company at Tier five would have to meet all the requirements for Tier 1-5. Each tier establishes a different level of cybersecurity maturity.
The 5 Levels of CMMC
- Level 1 covers the basic safeguarding of contractor information systems as listed in FAR Clause 52.204.21. It provides for things such as limiting systems to authorized users only, limiting to certain types of transactions and ensuring federal contract information is sanitized or destroyed properly. It will correspond to the 17 security requirements from NIST 800-171r1. Level 1 only has to meet 17 total practices to be compliant.
- Level 2 takes Level 1 further by requiring greater cyber hygiene to protect CUI by applying an additional 48 controls from NIST 800-171r1. CUI by definition is “Information that law, regulation, or government-wide policy requires to have safeguarding or disseminating controls, excluding information that is classified under Executive Order 13526, Classified National Security Information, December 29, 2009, or any predecessor or successor order, or the Atomic Energy Act of 1954, as amended.” Level 2 has an additional 55 practices over Level 1 for a total of 72 practices.
- Level 3 takes CMMC to the next step and requires “good cyber hygiene” to protect CUI. It encompasses all practices from NIST SP 800-171r1. This brings the total practices for Level 3 to 130 practices requires. This Level includes the need to document each practice from the lower levels. Also, vendors will need to be able to show that they have adopted a plan that includes all activities for maintaining compliance.
- Level 4 requires that contractors review and measure all their practices, and it establishes response procedures to changing techniques and procedures for advanced persistent threats. Included in the compliance requirements are additional practices from the draft of NIST SP 800-171B, requiring a total of 156 practices for compliance. Policy and planning should include all activities. Organizations will need to review and measure these activities and share their findings with upper level management.
- Level 5 requires that a company meet all previous levels and have a standard process in place for the organization to respond to and defend against advanced persistent threats. This will include that each practice from Levels 1-4 be documented. A written plan for Level 5 will include all the activities and a have process to review and measure them for effectiveness. A standardized documented approach should be used across the organization.
CMMC is coming – be prepared
So, when will this be measured? The first round of RFP’s that include CMMC are expected to drop in September 2020. It will then be dependent on when the DoD awards the contract. CMMC is coming, and it’s important to prepare now instead of later. This affects every member of the of the Defense Industrial Base. Implementing NIST 800-171 will help in establishing the technical controls for CMMC. If you are already a Tripwire Enterprise customer, you can download the CMMC policy compliance technical controls off our Tripwire customer center to help prepare for your CMMC audit. If not, you can learn more about how to be prepared for CMMC here: https://www.tripwire.com/solutions/solutions-by-industry/government/cmmc-compliance-with-tripwire/.