that the Department of Defense (DoD) stops 36 million emails each day containing malware, viruses, and phishing plots from hackers, terrorists, and foreign adversaries attempting to gain unauthorized access to sensitive information concerning military systems and defense plans.
Because of the enormous risk to controlled unclassified information (CUI) stored on contractor systems, the DoD recently introduced a new security framework designed to ensure all vendors follow appropriate cybersecurity protection measures and processes.
This new standard replaces the DoD's old self-attestation model, and includes a third-party audit and certification process. According to the official CMMC FAQ site hosted by the DoD, “for contracts that require CMMC you may be disqualified from participating if your organization is not certified.” Additionally, contractors and subcontractors may be disqualified from bidding on RFPs if they are not compliant with CMMC requirements.
What Is CMMC Compliance?
The Cybersecurity Maturity Model Certification (CMMC) is the latest security framework mandated by the DoD for any contractor that sells into the Defense Department. It verifies that suitable levels of cybersecurity systems and processes are established to ensure fundamental cyber hygiene practices. CMMC is designed to secure CUI stored on networks of DoD contractors.
The DoD released CMMC version 1.0 to the public on January 31, 2020.
Who Needs CMMC?
There are nearly 300,000 companies in the Defense Industrial Base (DIB), including contractors and subcontractors. By 2025 all DoD suppliers will need to achieve at least Level 1 CMMC compliance.
What Are the CMMC Levels?
The CMMC model includes five levels, each with a corresponding set of practices and processes. The DoD requires contractors to meet both the associated practices and the given processes to achieve each specific CMMC level.
The CMMC maturity level an organization must achieve to gain the DoD’s approval depends on the sensitivity of the information that contractor will handle, and on the range of cyberthreats associated with that data.
Below is a summary of the process and practice standards for each of CMMC's five levels.
CMMC Level 1
Level 1 parallels the FAR 52.204-21 requirements, which all federal contractors must meet. Therefore, if you're already doing business with the DoD, you should already be compliant. The 17 controls outlined in Level 1 are all basic cyber hygiene practices and outline the bare minimum any contractor should already have established.
CMMC Level 2
Level 2 requires your organization to set up and document practices and policies to guide the implementation of your CMMC efforts. By documenting practices, individuals can perform them in a repeatable manner and develop mature capabilities.
Level 2 practices comprise many of the security requirements specified in NIST SP 800-171, along with best practices from other standards and references.
CMMC Level 3
Level 3 requires you to establish, maintain, and resource a plan that demonstrates the management of activities for practice implementation. Your plan may include information on missions, goals, project plans, resourcing, required training, and involvement of key stakeholders.
Level 3 is all about the protection of CUI and includes all security requirements specified in NIST SP 800-171, and some additional methods to mitigate threats.
You need at least a Level 3 CMMC certification if you store, process, or transmit CUI or hold export-controlled data—defined as "information or material that cannot be released to foreign nationals or representatives of a foreign entity, without first obtaining approval or license from the Department of State for items controlled by the International Traffic in Arms Regulations (ITAR)."
CMMC Level 4
Level 4 requires that you review and measure practices for effectiveness. At this level, your organization can take necessary corrective action, informing leadership of any issues on a recurring basis.
Practices for Level 4 focus on the protection of CUI from advanced persistent threats (APTs), which are attacks sponsored by nations or very large organizations, and comprise a subset of the enhanced security requirements from Draft NIST SP 800-171B and other cybersecurity best practices found in CERT Resilience and CIS Controls v7.1.
CMMC Level 5
Level 5 requires you to standardize and optimize process implementation across the organization. At the same time, its practices center on protecting CUI from APTs, increasing the depth and sophistication of your cybersecurity capabilities.
How Should You Prepare for CMMC?
Achieving CMMC compliance takes time. Plan for at least six months if you're starting from scratch. From drafting policies and deploying solutions to establishing essential cultural changes within your organization, your efforts will quickly add up.
If you want to stay ahead of the transition to CMMC certification, there are five questions every DoD contractor should ask themselves:
- Is your organization NIST 800-171 compliant? According to NIST 800-171 (which aligns with CMMC Level 3), contractors should routinely assess their organizational systems' security controls to determine their effectiveness. So, in preparation for CMMC, assess your current organization for NIST 800-171 compliance.
- Do you have an updated system security plan (SSP)? NIST 800-171 also requires contractors to document and update SSPs, including company policies, network diagrams, and relationships with other systems. If you don't already have an SSP, create one. If you do have one, make sure it's up to date.
- Have you created a plan of action and milestones (POA&M)? Your POA&M documents the remediation project plan and helps establish timelines and anticipated resource requirements.
- Have you implemented a remediation plan? Completing the POA&M will go a long way toward ensuring compliance with NIST 800-171 and your existing contracts while also preparing for the full CMMC rollout.
- How do you plan to maintain compliance? Once you've achieved compliance, you'll need to create a plan to retain it. While often overlooked, maintaining compliance with the DoD's rigorous security standards may prove challenging and requires a documented strategy and near-daily execution.
As with any comprehensive security program, meeting the requirements of CMMC demands an integrated approach entailing several different solutions. Everything from compliance platforms, encrypted assets, and data backups to monitoring and management solutions must seamlessly work together to eliminate vulnerabilities and ensure CMMC certification.
Should You Outsource Your CMMC Program?
If you have the necessary resources and IT staff at your disposal, you may want to prepare for your desired CMMC cybersecurity certification in-house. The Self Assessment Handbook – NIST Handbook 162 is a great way to get you on the road to Level 3 CMMC compliance.
That said, don't take the decision to keep your CMMC program in-house lightly. If you don't pass the third-party CMMC audit on the first try, you'll need to correct any security shortcomings and contend with a potential backlog of audits before getting a second opportunity. Lengthy delays could be extremely costly if you rely on DoD contracts for a significant percentage of your revenue.
If you don't have the resources or internal expertise to take on the requirements of CMMC, outsourcing is a wise option. As the market leader in security operations, Arctic Wolf can guide you through the process, help you put an appropriate security plan in place, and save you time and money.