A Complete Guide to the CMMC Framework
Over the last few years, the federal government has been developing the CMMC or Cybersecurity Maturity Model Certification. This program is being deployed on a rolling basis through the year 2025 and is projected to impact roughly 300,000 companies across the defense industrial base (DIB) supply chain.
Due to the far-reaching implications of the CMMC framework, affected businesses must familiarize themselves with the requirements of this new certification.
What Is the Cybersecurity Maturity Model Certification?
Efforts to develop the CMMC were spearheaded by the Office of the Under Secretary of Defense for Acquisition and Sustainment, sometimes referred to as the OUSD(A&S).
This office has partnered with key DoD stakeholders, federally funded research and development centers, university-affiliated research centers, and corporations within the defense industrial base.
Together, they created a unified standard that is meant to serve as a guide for implementing cybersecurity protocols. These standards do not only apply to the DoD directly, but also to the more than 300,000 companies that make up the DIB supply chain.
The maturity model was developed in response to the surge in cyber threats that are being directed at DoD contractors.
The first iteration of the CMMC was released on January 31, 2020. Since then, the OUSD(A&S) has released two major updates. The latest version is known as the CMMC Model v1.02.
What the CMMC Means for DoD Contractors
Before the release of the CMMC, each contractor was responsible for developing and monitoring the security of their IT resources. This included safeguarding any DoD data that was being stored or transmitted on their networks.
The result? Massive inconsistencies in cybersecurity practices among the several hundred thousand companies involved in the DIB supply chain.
DoD contractors must begin reviewing the CMMC’s requirements immediately, as deployment of this certification system has already started. Compliance with the Cybersecurity Maturity Model Certification will be included in future DoD contracts. Each company will have to pass a third-party assessment in accordance with their designated CMMC level.
The first step DoD contractors need to do, if they haven’t already, is to complete a NIST 800-171 Self-Assessment and upload the score to theSupplier Performance Risk System(SPRS) website. The Defense Federal Acquisition Regulation Supplement (DFARS) is referenced in nearly all DoD contracts and specifies cybersecurity standards that are required by law.
Since 2017, the DFARS 252.204-7012 clause has required defense contractors to implementthe 110 cybersecurity controls defined in NIST 800-171 to protect Controlled Unclassified Information (CUI).But the big change cameNovember 30, 2020when the DFARS NIST 800-171 Interim Rulewas put in place that requires contractors to perform the Self-Assessment.
In addition to the Self-Assessment and Score, contractors are required to generate some documentation to validate compliance. This includes a System Security Plan (SSP) showing currently implemented controls and a Plan of Action & Milestones (POA&M) for controls not fully implemented. Some written policies and procedures are also required to validate that these controls are implemented.
Contractors that start self-assessing and identifying weaknesses in their current cybersecurity protocols will be better prepared for the CMMC certification process. The OUSD(A&S) webpage includes assessment guides for contractors so that they will know which criteria they will be graded on.
Why Was the CMMC Introduced?
An Uptick in State-Sponsored Hacking
In just the last few years, there has been a massive uptick in state-sponsored hacking. Companies within the DoD supply chain have been the target of cybercrimes that were instigated by industry competitors, international criminals, and foreign nations.
A few of the countries that pose the greatest threat to the DIB include Iran, Russia, North Korea, and China.
Like every other developed nation, the U.S.’s military is outfitted with advanced technological assets. This makes their supply chain especially vulnerable to cybersecurity threats. The CMMC is designed to protect essential weapon systems throughout their entire life cycles.
Inconsistent Cybersecurity Practices by Subcontractors
Subcontractors were identified as the most vulnerable component of the DIB supply chain. The DoD’s tier-one contractors generally have multimillion-dollar cybersecurity budgets. They are also closely regulated. Conversely, subcontractors are loosely monitored and held to much less stringent standards.
Since a large portion of the defense industrial base consists of small and medium-sized suppliers, this lack of regulation has left the DoD open to cyberattacks.
CMMC regulations are being applied universally. This ensures that any company involved in the DoD supply chain meets the minimum security standards.
A Need to Shift Corporate Culture
Unfortunately, many smaller DoD defense suppliers do not view themselves as likely targets for cybercriminals. This lax approach towards cybersecurity is ingrained in the culture of the DIB supply chain.
One of the primary goals of the CMMC is to facilitate a cultural shift that will change the entire defense contractor industry.
The CMMC will be incorporated directly into defense contractor agreements. Failing to comply with the regulations outlined in the CMMC will result in stiff penalties. Violators could have their current contracts voided and will lose out on future opportunities with the DoD.
Laying the Framework for Improved Cybersecurity
The CMMC functions in a “maturity model” format. It is divided into five progressive certification levels.
Lower levels lay the groundwork for higher tiers. For instance, achieving a Level 2 CMMC requires the contractor to meet all of the Level 1 conditions, in addition to the more stringent regulations of the higher tier.
According to the verbiage of the Cybersecurity Maturity Model Certification, contractors will have the freedom to “achieve a specific level for its entire enterprise network or for particular segments where the information to be protected is handled and stored.”
However, there is one important caveat. The DoD will determine the minimum maturity level that a supplier must attain before they can respond to a RFP (request for proposal).
The five levels of the CMMC are as follows:
Level 1
The least stringent certification level requires contractors to perform routine cyber hygiene practices. Specifically, they must require employees to regularly update passwords, use antivirus software, and take other basic steps to protect federal data.
Level 1 subcontractors do not necessarily need to deploy these protocols across their entire network. They only have to meet these minimum standards for the “particular segments” that contain Federal Contract Information (FCI).
Level 2
The Level 2 CMMC requires companies to take more intermediate steps to protect FCI. This includes adhering to the National Institute of Standards and Technology’s (NISTs) security requirements as outlined in Special Publication 800-171. This guide explains how to protect Controlled Unclassified Information (CUI).
In addition, Level 2 contractors must adhere to the minimum standards that are required for Level 1 CMMC certification.
Level 3
Level 4
Contractors that want to receive a Level 4 CMMC certification must establish review and measurement processes that track the effectiveness of their cybersecurity protocols. They must also develop tactics to detect and respond to advanced persistent threats.
Level 5
In order to achieve the highest level of CMMC certification, contractors will need to develop standardized cybersecurity processes and demonstrate their efficacy.
Assessors will stringently review every component of the company’s cybersecurity protocol. Even seemingly minor vulnerabilities may cause the applicant to fail the certification process.
CMMC Compliance
The Cybersecurity Maturity Model Certification’s five maturity levels are further divided into 17 domains. These domains include a total of 43 capabilities. Some domains include a single capability, while some incorporate as many as five different aptitudes. Not all domain capabilities are required for each level of CMMC.
According to theNational Institute of Standards and Technology, a capability can be defined as “a set of mutually reinforcing security controls implemented by technical, physical, and procedural means.” These controls are generally selected with the goal of achieving specific information security-related outcomes.
The 17 domains and 43 capabilities are as follows:
Access Control
Access control is the cybersecurity principle of regulating what or who can view certain resources within a network. The CMMC has allocated 4 essential capabilities under this domain.
In order to be in compliance, contractors must:
- Establish system access requirements
- Control remote system access
- Control internal access
- Limit access to authorized individuals
Access control is one of the most basic components of cybersecurity, which is why the CMMC places such emphasis on it during the assessment process.
Asset Management
Asset management or IAM (identity and asset management) focuses on managing digital identities of authorized users. This domain encompasses all policies, technologies, and programs that are designed to reduce access risks within a network.
The CMMC requires contractors to identify and document assets in order to comply with this capability domain.
Audit and Accountability
Also known as AU, the audit and accountability domain is designed to ensure that a contractor has sufficient controls in place. These controls are designed to provide evidence for system transactions so that they can be audited.
The AU process allows administrators to trace back and recover data in the event of a system failure, breach, or other incidents.
The four capabilities of the AU domain include defining audit requirements, performing regular auditing, identifying and protecting audit-related data, and reviewing and managing logs. Again, not all of these capabilities are required for all levels of CMMC.
Awareness and Training
Awareness and training are essential to changing the culture within a company. As the name suggests, the “awareness and training” domain is geared towards improving staff awareness of cybersecurity threats. This program also focuses on training those employees on how to identify and safeguard against these dangers.
The AT domain includes two capabilities, which are as follows:
- Actively improving security awareness
- Conducting regular training
A well-designed AT program is one of the best ways of protecting a company’s valuable data while also helping them to adhere to CMMC standards.
Configuration and Management
Configuration management (CM) is the domain that focuses on maintaining consistency within an organization. Configuration management utilizes automation to allow teams to build out systems more rapidly. It is also essential for auditing purposes, as it allows companies to track when changes occur within their network.
The CMMC identifies two capabilities that fall under the umbrella of CM. Contractors being assessed on this domain must establish configuration baselines and perform configuration and change management.
Identification and Authentication
The identification and authentication domain addresses concerns about unverified entities gaining access to a contractor’s network. This domain includes only one capability: Contractors must deploy an authentication process that grants access to authorized entities only.
Incident Response
The most comprehensive domain included in the CMMC is incident response. This domain contains five total capabilities, which contractors must demonstrate in order to obtain certification. These capabilities are focused on detecting and responding to cybersecurity incidents.
The five capabilities within this domain are as follows:
- Planning an incident response protocol
- Detecting and reporting cybersecurity incidents
- Developing a threat response to confirmed incidents
- Deploying a post-incident review process
- Testing the incident response protocol?
By including such a robust IR domain, the CMMC framework ensures that top-tier contractors have adequate cybersecurity protocols in place in the event of a breach.
Maintenance
Maintenance of their network is one of the most basic requirements set forth by the CMMC. This domain capability is included in every certification level.
While one would expect that DoD contractors already do this, there were concerns that smaller defense suppliers were neglecting to properly maintain their IT resources. Managed services for IT support is an option for smaller defense suppliers.
Media Protection
The “media protection” domain highlights key aspects of the General Services Administration’s IT Security Procedural Guide: Media Protection. The GSA states that media protection includes three integral elements, while the CMMC domain lists four capabilities. These are as follows:
- Identifying and marking media files
- Protecting said media
- Sanitizing media files
- Protecting media during transfers
Media protection capabilities must be designed to control access to any media related to CUI or other DoD contract data.
Personnel Security
As noted above, subcontractor security protocols were one of the DoD’s major concerns during the creation of the CMMC. It only stands to reason that personnel security is one of its seventeen designated domains. This domain includes two capabilities.
Contractors must develop and utilize a screening process for their personnel. In addition, they have to proactively protect CUI while personnel are interacting with said data. Failure to do so during precertification can result in a failed assessment while violations that occur post-contract can cause the agreement to be voided.
Physical Protection
Physical protection protocols are one of the most often overlooked aspects of cybersecurity. The CMMC wants to remedy the issue by assessing contractors’ current security practices. These companies must restrict physical access to key resources such as servers, computers, and other IT equipment.
Recovery
While most of the CMMC domains are directed at preventing data breaches, the “Recovery” capability focuses on overcoming a successful cyberattack. Companies being assessed on this domain capability must have data back-ups. The specific backup requirements can be found in the assessment guide.
Risk Management
Risk management strategies are integral to improving cybersecurity across the defense industrial base supply chain. As a result, the CMMC assesses contractors on their risk management protocols.
To meet the minimum standards, companies must have protocols in place to identify and evaluate cyber threats. They must also develop a plan to proactively manage those risk factors.
Security Assessment
Also referred to as CA, the security assessment domain includes three capabilities. They are as follows:
- Developing a security plan
- Defining and managing controls
- Performing routine code reviews
Regular security assessments will help contractors identify shortcomings in their systems that may be exploited by cybercriminals.
Situational Awareness
Systems and Communications Protection
The SC or “systems and communications protection” domain contains two capabilities. The CMMC framework requires contractors to define the security requirements for their systems and communication resources. They must also control communications assets at system boundaries.
System and Information Integrity
The last of the 17 domains is “system and information integrity.” This domain includes the final four capabilities outlined by the CMMC.
Contractors that are being assessed for adherence to this domain must:
- Identify and manage information system shortcomings
- Perform routine system and network monitoring
- Actively identify malicious data
- Implement an advanced email protection protocol
The SI domain focuses on maintaining the sanctity of a contractor’s network. When used in conjunction with the other 16 domains, this set of capabilities can help contractors improve cybersecurity protocols.
Who Does the CMMC Apply to?
Ultimately, the CMMC will apply to any DoD contractor. However, it is being deployed in stages over the course of five or more years.
As contracts expire, the DoD will make CMMC adherence a requirement of future agreements. They will also list the requisite CMMC level in new requests for proposals and requests for information (RFIs). In fact, they began including these CMMC requirements in RFIs in 2020.
The defense industrial base supply chain is incredibly complex. As a result, there is a potential that different suppliers on the same contract may have to meet varying certification levels.
When Does the CMMC Become Effective?
The Cybersecurity Maturity Model Certification is already being utilized. However, contractors that are serving out active agreements with the DoD are not required to obtain certification.
Despite that fact, these companies should begin reviewing CMMC requirements that are being listed for new RFPs, as this will help them determine what level of certification they will need in the future.
Since implementing robust cybersecurity protocols is a time-consuming endeavor, the contractors that take a proactive approach will be more agile when renewing agreements.
How to Prepare for the CMMC
Fortunately for DoD contractors and subcontractors, the OUSD(A&S) has provided them with plenty of information about the Cybersecurity Maturity Model Certification framework.
With that being said, we wanted to identify several ways that affected companies can start preparing for this landmark certification process.
Defense suppliers should:
Start Refining Current Cybersecurity Practices
While the OUSD(A&S) has not yet established any concrete accreditation procedures, contractors must start preparing for certification. Due to the vastness of the DIB, accreditors are likely to receive a flood of assessment requests. This will create a backlog that could delay the rollout of the CMMC program.
Companies that plan ahead and refine their cybersecurity practices could capitalize during the transition process. They may be able to obtain certification more quickly, thereby gaining the opportunity to respond to RFPs and earn lucrative contracts.
The top-tier contractors should also reach out to their preferred subcontractors. They should assist these entities with refining their own cybersecurity protocols. If these subcontractors fail to meet CMMC requirements, then those larger suppliers can no longer rely on their services.
Review RFPs and RFIs
As noted above, the DoD started including CMMC level requirements on some RFIs as early as 2020.
While they are not stringently enforcing all of these domain capabilities yet, contractors should start reviewing these RFPs and RFIs. By doing so, they can gain a better understanding of the CMMC level required for the services that they traditionally provide.
Contractors can determine what changes they will need to make to their cybersecurity protocols in order to be eligible for future contracts of similar scope.
In addition to reviewing RFPs, defense suppliers should actively engage with the Department of Defense and other agencies. This will allow them to glean additional insights about the CMMC framework and the certification process.
Review the Assessments on the OUSD Website
The assessment guides that the OUSD(A&S) published on their website are invaluable resources for defense contractors. These guides break down each domain and capability in great detail, which means that contractors can all but guarantee a passing review during the assessment process.
The assessment guides should be thoroughly reviewed prior to implementing changes to current cybersecurity protocols. This will help contractors avoid making unnecessary and potentially expensive alterations to their existing practices.
It is vital that DoD contractors make every effort to meet assessment requirements. A negative assessment will limit which RFPs that a contractor can respond to. In turn, this could negatively impact brand reputation and profitability.
Be Flexible
As a maturity-based framework, the CMMC will likely be amended to include new cybersecurity best practices.
Once a contractor has obtained the certification level required for DoD contracts, it does not mean that they can rest on their laurels. Instead, they must remain flexible so that they can respond appropriately to new requirements and maintain an optimal level of data security.
The CMMC has the potential to change the entire landscape of the defense industrial base and the thousands of companies that it includes. It is also positioned to become a valuable resource to defense suppliers, as it provides a detailed roadmap to improving cybersecurity protocols. Contractors that take full advantage of this assessment framework will be ideally positioned to compete in an ever-evolving industry