CMMC 2.0 was announced in November 2021. The Department of Defense (DoD) continues its plan to strengthen the cybersecurity posture of the Defense Industrial Base (DIB) with proof of adequate security. Learn how the Cybersecurity Maturity Model Certification (CMMC) affects those who do business with the DoD.

What is the Cybersecurity Maturity Model Certification (CMMC)?

The announcement of the Cybersecurity Maturity Model Certification (CMMC) from the Office of the Under Secretary of Defense for Acquisition and Sustainment states the OUSD recognizes:

That security is foundational to acquisition and should not be traded along with cost, schedule, and performance moving forward. The Department is committed to working with the Defense Industrial Base (DIB) sector to enhance the protection of controlled unclassified information (CUI) within the supply chain.

When talking about cybersecurity maturity model certification, we hear many similar questions:

• “Why was the CMMC created?”
• “What is my CMMC level?”
• “What are CMMC controls?”
• “What is the CMMC certification process?”
• “Does my business meet cybersecurity maturity model certification compliance requirements?”
• “Do you offer cybersecurity maturity model certification training?”

Per the OUSD, the DoD is migrating to the new CMMC framework in order to assess and enhance the cybersecurity posture of the Defense Industrial Base (DIB). The CMMC serves as a verification mechanism to ensure appropriate levels of cybersecurity controls and processes are adequate and in place to protect controlled unclassified information (CUI) that resides on the Department’s industry partners’ networks.

That is a mouthful. Here are some of the key takeaways:

• The CMMC will review and combine various cybersecurity standards and best practices and map these controls and processes across several maturity levels that range from basic cyber hygiene to advanced. For a given CMMC level, the associated controls and processes, when implemented, will reduce risk against a specific set of cyber threats. Learn more here: CMMC Levels.
• The DoD worked with John Hopkins University Applied Physics Laboratory (APL) and Carnegie Mellon University Software Engineering Institute (SEI) to review and combine various cybersecurity standards into one unified standard for cybersecurity.
• The CMMC effort builds upon existing regulation (DFARS 252.204-7012) that is based on trust by adding a verification component with respect to cybersecurity requirements.
• The CMMC must be semi-automated and, more importantly, cost-effective enough so that Small Businesses can achieve the minimum CMMC level of 1.
• The CMMC model will be agile enough to adapt to emerging and evolving cyber threats to the DIB sector. A neutral 3rd party will maintain the standard for the Department.
• The CMMC includes a center for cybersecurity education and training.
• The intent is for certified independent 3rd party organizations (C3PAO) to conduct CMMC audits and inform risk.
• The CMMC will include the development and deployment of a tool that 3rd party cybersecurity certifiers will use to conduct audits, collect metrics, and inform risk mitigation for the entire supply chain.

CMMC Levels: What they look like

CMMC 2.0, released in November 2021, shows that the CMMC evolution will grow as threats evolve, and as the DIB continues its required efforts to comply with the DoD’s cybersecurity requirements. CMMC now consists of 3 levels, which look pretty straightforward.

Per the OSUD:

CMMC maturity levels will range from basic hygiene to “State-of-the-Art” and will also capture both security control and the institutionalization of processes that enhance cybersecurity for DIB companies.

The required CMMC level between 1 and 3 for a specific contract will be contained in the RFP sections L & M, and certifications will be determined by authorized third-party assessors.

As many expected, a contractor’s CMMC Level will be measured by how many NIST SP 800-171 (rev 2 and NIST SP 800-172) controls are implemented.

In short, if a contractor that handles Controlled Unclassified Information, DOES NOT have NIST 800-171 fully implemented, they will not meet CMMC requirements, regardless of what changes in the future.

Based on CMMC 2.0, here are what the CMMC Levels consist of:

CMMC Level 1: Foundational

CMMC Level 2: Advanced

CMMC Level 3: Expert

Note:
*CMMC 1.0 and 1.02 were built upon existing requirements of DFARS 252.204-7012: DIB SCC TF WG Top 10, NIST Cybersecurity Framework 1.1, ISO 27001:2013, AIA NAS 9933, CIS Critical Security Controls 7.1, CERT Resilience Management Model®, Additional DIB Inputs, and Subject Matter Experts. CMMC 2.0 was updated in November 2021, after an internal review and industry feedback.

The key takeaways here are that, regardless of how the CMMC Levels look, contractors will need to prove their implementation of security controls in order to be awarded new DoD contracts.

Many of these controls were supposed to be implemented by contractors who handle CUI by December 31, 2017!

Contractors who can prove their implementation plan, thus have reached adequate security, now have a competitive advantage over other contractors.

How does CMMC assessment and certification affect DFARS & NIST SP 800-171?

Before getting any further into the Cybersecurity Maturity Model assessment and certification, here is information for a better understanding of DFARS and NIST SP 800-171.

It is clear the DoD is taking securing the Defense Industrial Base (DIB) even more seriously than they already were.

Implementation can be challenging for small-to-medium-size businesses. That said, it doesn’t have to be.

Subject expertise is not only needed, it should be embraced.

Remember what is really at stake and why DFARS and the CMMC exist:

Our national security.

Hackers with malicious intent, potentially against the United States of America, want (and are getting) data to our defense systems.

DFARS, NIST SP 800-171 and the CMMC should be prideful accomplishments by any contractor doing business with the DoD.

When NIST SP 800-171 was announced, it showed the path to compliance and full implementation is not always the same for everyone.

Collaborating with a company that has NIST subject expertise validates that security controls are implemented correctly and efficiently.

FAQs about Cybersecurity Maturity Model Certification (CMMC)

Naturally, when cybersecurity is combined with the magnitude of something like the Cybersecurity Maturity Model Certification, there will be questions.

More questions will come, while some are still not answered. For now, you can find a lengthy list of frequently asked questions on the OSUD.

We pulled out some of the more critical questions every contractor of the DoD will want the answers to. (Updated)

When will the first CMMC Framework be released to the public?

Version 1.02 of the CMMC framework was made available in March 2020 to support training requirements. In early 2021, the industry should see the CMMC requirements as part of Requests for Information as part of a pathfinder program.

What is my CMMC level?

CMMC 1.02 is built upon existing requirements of DFARS 252.204-7012: DIB SCC TF WG Top 10, NIST Cybersecurity Framework 1.1, ISO 27001:2013, AIA NAS 9933, CIS Critical Security Controls 7.1, CERT Resilience Management Model®, Additional DIB Inputs, and Subject Matter Experts. With Cuick Trac, contractors can achieve the maturity of Cybersecurity Maturity Model Certification Level implementation.

A contractor’s CMMC Level will be measured by how many NIST SP 800-171 and NIST SP 800-172 controls are implemented. In addition, a few other practices and processes will also be required.

What is the relationship between NIST SP 800-171 rev 2 and CMMC?

The intent of the CMMC is to combine various cybersecurity control standards such as NIST SP 800-171, NIST SP 800-53, ISO 27001, ISO 27032, AIA NAS9933, and others into one unified standard for cybersecurity. In addition to cybersecurity control standards, the CMMC also measures the maturity of a company’s institutionalization of cybersecurity practices and processes.

How will CMMC be different than NIST SP 800-171?

Unlike NIST SP 800-171, CMMC will implement multiple levels of cybersecurity. In addition to assessing the maturity of a company’s implementation of cybersecurity controls, the CMMC will also assess the company’s maturity/institutionalization of cybersecurity practices and processes. NIST SP 800-171 is the backbone of the CMMC, thus following the NIST SP 800-171A assessment guide is highly recommended.

What is the CMMC certification process?

An organization seeking certification (OSC) will coordinate directly with an accredited and independent third-party commercial certification organization (C3PAO) to request and schedule your CMMC assessment. Your company will specify the level of the certification requested based on your company’s specific business requirements. Your company will be awarded certification at the appropriate CMMC level upon demonstrating the appropriate maturity in capabilities and organizational maturity to the satisfaction of the assessor and certifying organizations.

How much will CMMC certification cost?

The certification cost has not yet been determined. The cost, and associated assessment, will likely scale with the level requested with C3PAOs pricing at their discretion.

Will there be a self-certification?

No.

How do I request a CMMC cybersecurity assessment?

We expect that there will be a number of companies providing 3rd party CMMC assessment and certification through the CMMC Accreditation Body (“Cyber AB“).

Who will perform the assessments?

An independent 3rd party assessment organization will normally perform the assessment. Some of the higher-level assessments may be performed by organic DoD assessors within the Services, the Defense Contract Management Agency (DCMA) or the Defense Counterintelligence and Security Agency (DCSA).

How often does my organization need to be re-certified?

Every three years.

If my organization is certified CMMC and I am compromised, do I lose my certification?

You will not lose your certification. However, depending on the circumstances of the compromise and the direction of the government program manager, you may be required to be re-certified.

What if my organization cannot afford to be certified? Does that mean my organization can no longer work on DoD contracts?

The cost of the certification process and whether it will be an allowable cost is still not clear (at the time of this is being written). Cost of implementation is expected to be completed by OSCs prior to their certification. For contracts that require CMMC you may be disqualified from participating if your organization is not certified.

My organization does not handle Controlled Unclassified Information (CUI). Do I have to be certified anyway?

Yes. Once CMMC requirements begin to appear in solicitations, all DoD contractors must be certified at CMMC Level 1, at minimum. All contractors who handle CUI must be CMMC certified. The level of certification required depends upon the data a company handles or processes.

How will I know what CMMC level is required for a contract?

The government will determine the appropriate tier (i.e. not everything requires the highest level) for the contracts they administer. The required CMMC level will be contained in sections L & M of the Request for Proposals (RFP).

What to do between now and your CMMC Certification Audit

The problem today is not compliance…it is implementation.

Malicious hackers do not care if you are compliant, they care if you ARE NOT implemented. That means they can more easily access your CUI!

Fortunately for contractors of the DoD (big or small), our team has worked strategically with industry leaders in both security and information technology, to develop a solution, Cuick Trac.

Every SMB faces the same challenges with cybersecurity implementations:

• Cost
• Time
• NIST and cybersecurity subject expertise
• Security Compliance Program Management

With Cuick Trac, contractors can achieve the maturity of Cybersecurity Maturity Model Certification Level 3 implementation, mapped to both CMMC v1.02 and the CMMC Assessment Guides in a matter of weeks, not months, so they are prepared for their audit from a C3PAO.

No additional internal hardware, software, technology, or configuration is required. We have it done already! Be in a position to pass your CMMC certification by utilizing CUICK TRAC’s NIST 800-171 compliant enclave, which allows for a programmatic approach to implementing the administrative and physical controls as well.

Regardless of where a contractor is in the process of DFARS 252.204-7012 compliance/implementation of NIST SP 800-171, CUICK TRAC is the solution to getting there faster and for less.