Understanding the CMMC process
In response to increased cyber threats facing the Defense Industrial Base (DIB) sector, the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) worked with Department of Defense (DoD) stakeholders to establish the Cybersecurity Maturity Model Certification (CMMC). Regardless of organization size, any contractor or subcontractor managing Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) must be certified by 2025. Understanding the CMMC process can help small and mid-size businesses (SMBs) establish reasonable timelines for engaging in the required third-party assessments so that they can continue to bid on DoD contracts.
Why did the DoD create the CMMC?
Recognizing the continued attention cybercriminals pay to the DIB's data, the DoD sought to standardize information security controls across the industry. The DoD specifically cited the Council of Economic Advisers report that estimated malicious cyber activity cost the U.S. economy between $57 billion and $109 billion in 2016.
With the DIB sector consisting of over 300,000 companies, the depth and breadth of the DoD's supply chain increases data breach risk across the ecosystem. For example, according to the Ponemon Institute Cost of a Data Breach Report 2020, 16% of the breaches studied arose from vulnerabilities in third-party software, and the report noted that a third-party breach increased the average cost by $207,411.
Given the sensitive data that DoD contractors and subcontractors manage, the DoD recognized the need to establish baseline cyber hygiene requirements for protecting that data.
Why do I need to know about NIST SP 800-171?
CMMC starts by using the 110 security requirements listed in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171. While the CMMC website applies NIST SP 800-171 revision 1, organizations should note that in February 2020 NIST updated SP 800-171 with revision 2.
NIST SP 800-171 groups its 110 requirements into 14 families of controls:
- Access Control
- Awareness and Training
- Audit and Accountability
- Configuration Management
- Identification and Authentication
- Incident Response
- Maintenance
- Media Protection
- Personnel Security
- Physical Protection
- Risk Assessment
- Security Assessment
- System and Communications Protection
- System and Information Integrity
CMMC Levels 1-3 focus on meeting the controls listed in NIST SP 800-171, but CMMC approaches implementation differently.
First, CMMC is a maturity model: once you determine your CMMC Level, you need to be certified only against the practices and processes required at that level. Second, CMMC goes beyond NIST SP 800-171 and includes additional practices drawn from other cybersecurity standards, references, and sources, including NIST SP 800-53, the Aerospace Industries Association (AIA) National Aerospace Standard (NAS) 9933 "Critical Security Controls for Effective Capability in Cyber Defense", and the Computer Emergency Response Team (CERT) Resilience Management Model (RMM) v1.2.
What do SMBs need to know about the CMMC process?
Generally speaking, most SMBs will fall somewhere between Level 1 and Level 3 of the maturity model. At a minimum, all DoD contractors and subcontractors need to establish basic cyber hygiene practices. As your business grows, you need to prove process maturity, which means documenting policies and practices based on generally accepted cybersecurity requirements.
The published CMMC guidance indicates that smaller organizations will be allowed to create policies and processes tailored to their business models. Some notes on how SMBs might manage compliance include:
- Establish a policy or set of policies that provide the scope for practices
- Clearly state purpose and scope of policy
- Review policies annually and update them accordingly
- Document practices by saying what you do, then doing what you say you do
- Define practices in a way that makes them repeatable
- Organize documented practices in a way that makes them easy to follow
- Document any changes to implemented practices
Any organization that needs to be certified at Level 2 or above needs to document its basic policies and practices before engaging in a CMMC assessment.
Is there a self-certification option?
CMMC does not provide a self-certification option. However, as part of the CMMC assessment, many organizations will likely engage in self-assessments.
As part of the self-assessment, organizations will likely want to engage in a basic risk assessment, review policies, and formalize procedures. Since CMMC is based on and extends NIST 800-171, organizations should take into account the totality of their cybersecurity program maturity prior to engaging in the
Some fundamental practices that organizations should include as part of their self-assessment are:
- Audit log review: to ensure auditability and accountability
- Event detection and reporting: to enhance incident response capabilities
- Event prioritization: to establish meaningful incident response capabilities
- Incident response procedures: to accelerate response time and reduce impact
- CUI data handling procedures: to ensure explicit handling practices
- Public website data restrictions: to prevent sharing sensitive data on publicly accessible websites such as blogs and social media
- Data backup: to ensure resiliency if a data security event occurs
- Network device encryption: to mitigate data compromise
- Vendor risk management: to mitigate supply chain data breach risks
- Spam protection: to prevent successful phishing attacks
- Email forgery protection (SPF, DKIM, DMARC): to mitigate email header spoofing
- Sandboxing: to detect or block malicious email attachments and links
- DNS filtering: to reduce malware risk
By reviewing these basic, fundamental controls, you can start to gain a sense of how mature your cybersecurity program is and what extra work you need to do.
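The "email forgery protection" item above is one of the few self-assessment checks that can be scripted directly, because the evidence is a domain's public SPF and DMARC TXT records. The script below is an added example and is not part of the original article or of any CMMC or CMMCplus tooling. It evaluates those records against the settings that actually stop spoofed mail (an SPF record ending in -all, a DMARC policy of quarantine or reject applied to 100% of mail, with aggregate reporting enabled). The DNS answers are constructed sample data served by a stand-in lookup function; for a real assessment you would replace lookup_txt with a resolver query (for instance dns.resolver.resolve(name, "TXT") from dnspython).

```python
"""Self-assessment check for the "email forgery protection" practice:
evaluate a domain's SPF and DMARC TXT records and report weak settings.

Added example, not code from the original article. SAMPLE_TXT holds
constructed records, not real DNS answers; lookup_txt is a stand-in for
a resolver call (an assumption made so the script runs offline).
"""

# Constructed sample TXT records, keyed by the DNS name that would be queried.
SAMPLE_TXT = {
    "strong.example": ["v=spf1 include:_spf.mail.example -all"],
    "_dmarc.strong.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@strong.example; pct=100"],
    "weak.example": ["v=spf1 include:_spf.mail.example ~all", "site-verification=abc123"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; rua=mailto:reports@weak.example"],
    "none.example": [],
}


def lookup_txt(name: str) -> list[str]:
    """Stand-in for a DNS TXT query; returns the constructed records only."""
    return SAMPLE_TXT.get(name, [])


def check_spf(records: list[str]) -> list[str]:
    """Return findings for a domain's SPF records, following RFC 7208 rules."""
    findings = []
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record published"]
    if len(spf) > 1:
        findings.append("multiple SPF records (receivers treat this as a permanent error)")
    terms = spf[0].split()[1:]
    # The 'all' mechanism (with its +, -, ~ or ? qualifier) decides unlisted senders.
    all_terms = [t for t in terms if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        findings.append("SPF has no 'all' mechanism, so unlisted senders get a neutral result")
    else:
        last = all_terms[-1]
        qualifier = last[0] if last[0] in "+-~?" else "+"  # no prefix means '+'
        if qualifier == "+":
            findings.append("SPF ends in +all, which authorises any sender")
        elif qualifier in ("~", "?"):
            findings.append(f"SPF ends in {qualifier}all; use -all so spoofed mail fails")
    return findings


def parse_dmarc(record: str) -> dict[str, str]:
    """Split a DMARC record into lowercase tag -> value pairs."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(records: list[str]) -> list[str]:
    """Return findings for the _dmarc.<domain> TXT records."""
    findings = []
    dmarc = [r for r in records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return ["no DMARC record published"]
    tags = parse_dmarc(dmarc[0])
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC policy is p=none (monitor only); spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append("DMARC record has no valid p= tag")
    pct = tags.get("pct", "100")  # pct defaults to 100 when absent
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"DMARC pct={pct} applies the policy to only part of the mail")
    if "rua" not in tags:
        findings.append("no rua= address, so aggregate reports are not collected")
    return findings


def assess_domain(domain: str, lookup=lookup_txt) -> dict:
    """Combine SPF and DMARC findings; an empty findings list means the check passes."""
    findings = check_spf(lookup(domain)) + check_dmarc(lookup(f"_dmarc.{domain}"))
    return {"domain": domain, "findings": findings, "pass": not findings}


if __name__ == "__main__":
    for name in ("strong.example", "weak.example", "none.example"):
        result = assess_domain(name)
        print(name, "PASS" if result["pass"] else "FAIL")
        for finding in result["findings"]:
            print("  -", finding)
```

Run it against the constructed data and strong.example passes, weak.example fails on its ~all softfail and p=none policy, and none.example fails for publishing neither record. DKIM is deliberately not checked here: its selector names are not discoverable from DNS alone, so verifying DKIM signing belongs with the mail-server configuration review rather than a DNS-only script.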
What do I need to do to get CMMC certified?
The CMMC certification process is similar to other types of regulatory compliance audits. However, it differs in a few ways.
Step 1: Determine Your Maturity Level
Before hiring a third-party to carry out the assessment, you need to establish your CMMC maturity level so you know how to define the assessment’s scope. In order to do this, you need to identify:
- FCI that you collect, store, and transmit
- CUI that you collect, store, and transmit
- Storage locations for FCI and CUI
- System components that actively use FCI and CUI
- Transfers of FCI and CUI
For organizations that need additional support with this scoping, the CMMC Accreditation Body (CMMC-AB) suggests hiring CMMC-AB-trained professionals to provide guidance.
Step 2: Engage a Certified Assessor (CA)
To get certified, you need to find a CMMC Third-Party Assessor Organization (C3PAO). C3PAOs are organizations that the CMMC-AB has trained and accredited to carry out assessments. A C3PAO employs both CAs and Certified Professionals (CPs): the CPs can work with you to help establish best practices, while the CA carries out the final assessment.
Step 3: Schedule and Complete the Assessment
After defining the scope, you need to schedule the assessment with your C3PAO or CA. You need to bring together all documentation necessary to prove that you continuously enforce the controls described in your documented policies and practices; the assessor will look for evidence that the practice is performed, not just that it is written down.
Step 4: Send Assessment for Review
Once you complete the assessment with your C3PAO, you can forward the document to the CMMC-AB where Quality Auditors will provide a final review. If the Quality Auditors have findings, they will send the assessment back to you. You need to resolve any findings within 90 days.
Step 5: Review and Certification
After resolving any outstanding findings from the CMMC-AB Quality Auditors, you send the updated assessment back to the CMMC-AB for a final review. Assuming that no additional findings exist, the CMMC-AB will then issue your CMMC Maturity Level Certificate which remains active for 3 years.
CMMCplus: Helping SMBs with the CMMC Process
Not all DoD contractors are large enterprises. Many smaller organizations, including those with five or fewer employees, will need to be CMMC certified. For these organizations, the CMMC process can be overwhelming and costly.
CMMCplus helps our customers by providing an easy-to-use platform that gives you insight into your current maturity level and any additional practices that you need to implement. Our platform also includes a gap assessment tool that lets you compare your current controls to the controls required for your target CMMC Maturity Level, so that you can more rapidly comply with the model.
Finally, we work with C3PAOs and CAs who can provide the necessary guidance and assessment services so that you can continue to bid on important DoD contracts.
For more information about how CMMCplus can help your organization identify the appropriate CMMC maturity level and manage the certification process, contact us today.