The Cybersecurity Maturity Model Certification (CMMC)
If you are familiar with NIST 800-171, then you are ahead of the curve. NIST 800-171 was created to allow companies that had contracts with the Department of Defense to show they were protecting Controlled Unclassified Information (CUI). This included personal and confidential data that resided on non-federal systems that are being operated on behalf of a federal agency. Initially, contractors were allowed to self-certify that they met the NIST 800-171 requirements. CMMC version 1 seeks to change that by requiring a third-party assessment of the contractor's compliance with CMMC and by mandating that the contractor demonstrate their capability to adapt to evolving cyber threats against CUI. This new CMMC requirement will affect over 300,000 different companies, from large system integrators to simple mom-and-pop shops that might provide cleaning services. Does this mean that each contractor will be required to meet the same standards? No, there will be five tiers based upon function that different contractors will have to meet. Each tier adds to the requirements of the one below it, so a contractor at Tier 2 would have to meet Tier 1 and 2 requirements, while a company at Tier 5 would have to meet all the requirements for Tiers 1-5. Each tier establishes a different level of cybersecurity maturity.
The 5 Levels of CMMC
- Level 1 covers the basic safeguarding of contractor information systems as listed in FAR Clause 52.204-21. It provides for things such as limiting systems to authorized users only, limiting access to certain types of transactions, and ensuring federal contract information is sanitized or destroyed properly. It corresponds to the 17 security requirements from NIST 800-171r1. Level 1 only has to meet 17 total practices to be compliant.
- Level 2 takes Level 1 further by requiring greater cyber hygiene to protect CUI by applying an additional 48 controls from NIST 800-171r1. CUI by definition is “Information that law, regulation, or government-wide policy requires to have safeguarding or disseminating controls, excluding information that is classified under Executive Order 13526, Classified National Security Information, December 29, 2009, or any predecessor or successor order, or the Atomic Energy Act of 1954, as amended.” Level 2 has an additional 55 practices over Level 1 for a total of 72 practices.
- Level 3 takes CMMC to the next step and requires "good cyber hygiene" to protect CUI. It encompasses all practices from NIST SP 800-171r1. This brings the total for Level 3 to 130 required practices. This level includes the need to document each practice from the lower levels. Also, vendors will need to be able to show that they have adopted a plan that includes all activities for maintaining compliance.
- Level 4 requires that contractors review and measure all their practices, and it establishes response procedures for the changing tactics, techniques, and procedures of advanced persistent threats. Included in the compliance requirements are additional practices from the draft of NIST SP 800-171B, requiring a total of 156 practices for compliance. Policy and planning should include all activities. Organizations will need to review and measure these activities and share their findings with upper-level management.
- Level 5 requires that a company meet all previous levels and have a standard process in place for the organization to respond to and defend against advanced persistent threats. This includes documenting each practice from Levels 1-4. A written plan for Level 5 will include all the activities and have a process to review and measure them for effectiveness. A standardized, documented approach should be used across the organization.