Around $600 billion is lost annually to cyber theft, which accounts for 1% of the US GDP. The Under Secretary of Defense, Ellen M. Lord, declared that “Cybersecurity threatens the defense industry and national security of both U.S. government and [its] allies and partners.”

The Cybersecurity Maturity Model Certification Framework (CMMC) is the Department of Defense’s (DoD) response to growing threats. It’s a combination of multiple standards, and its objective is to enhance the protection of Controlled Unclassified Information (CUI) through enacting controls throughout its supply base. CMMC is designed so that it is not a one-size-fits-all standard. Instead, it is highly customizable and cost-effective to implement at lower levels for SMB.

The upgraded framework builds off of current DoD requirements for CMMC under DFARs 252.204-7012, which became a requirement in 2016. It will require suppliers who come into contact with CUI to be certified by a third-party organization (3PAO) to demonstrate compliance with 1 of 5 levels. The level of maturity in CMMC corresponds to DFARs as a level 3, for example.

CMMC Model Version 1.0 was on January 31st, 2020. All charts and images are from this official publication.

What is CMMC compliance?

Breaking down the framework

The CMMC model framework in the figure below organizes these processes and practices into a set of domains and maps them across 5 maturity levels. In addition, the framework aligns practices into a set of capabilities within each of the domains to provide extra structure. As per the framework, certified 3PAOs will evaluate contractors and subcontractors’ documented practices; the more practices, capabilities, and processes a contractor achieves or aims to achieve, the higher their level upon certification.

CMMC Levels

Each of the 5 maturity levels consists of a set of processes and practices, characterized in the chart below. The processes range from “Performed” at level 1 to “Optimizing” at level 5, and the practices range from “Basic Cyber Hygiene” at Level 1 to “Advanced/Progressive” at Level 5.

The levels are cumulative, set in order so to achieve a certain CMMC level, a contractor has to demonstrate achievement of the preceding, lower levels. Moreover, the organization must demonstrate both the achievement of processes and practices. In the case that an organization shows the achievement of two different levels, they will be certified at the lower of the two.

Level 1: Basic (17 practices)

Processes: Performed

According to the CMMC Version 1.0 publication, level 1 requires that an organization performs basic practices. They may only be able to perform practices ad-hoc, and may not rely on documentation, so maturity is not assessed.

Practices: Basic Cyber Hygiene

Level 1 focuses on the protection of Federal Contract Information (FCI) and consists of practices that correspond to the basic safeguards outlined in 48 CFR 52.204-21.

Level 2: Intermediate ( 72 practices)

Processes: Documented

Level 2 requires that the organization establishes and documents practices to guide the implementation of its CMMC efforts. The documentation enables individuals to perform them repeatedly and reliably. Organizations develop mature capabilities through documentation.

Practices: Intermediate Cyber Hygiene

Level 2 serves as a progression from Level 1 to 3 and consists of a subset of requirements from NIST SP 800-171 and others. A subset of practices reference protecting CUI.

Level 3: Good (Recommended, 130 practices)

Processes: Managed

Level 3 requires that the organization establishes, maintains, and resources a plan that demonstrates the management of activities for implementing practices. The plan may include information on missions, goals, project plans, resourcing, required training, and involvement of relevant stakeholders.

Practices: Good Cyber Hygiene

Practices introduced in Level 3 focus on the protection of CUI and encompass all of the security requirements specified in NIST SP 800-171, plus some practices from other standards and references to mitigate threats.

Level 4: Proactive (156 practices)

Processes: Reviewed

Level 4 requires that an organization review and measure practices for effectiveness. In addition, organizations at this level can take corrective action and inform higher-level management of status or issues regularly.

Practices: Proactive

Level 4 practices focus on the protection of CUI from APTs and encompass a subset of the enhanced security requirements from Draft NIST SP 800-171. These practices enhance detection and response capabilities to address and adapt to the changing tactics, techniques, and procedures (TTPs) used by APTs.

Level 5: Progressive (171 practices)

Processes: Optimizing

Level 5 requires an organization to standardize and optimize process implementation across the organization.

Practices: Advanced/Proactive

Level 5 focuses on the protection of CUI from APTs. The additional practices increase the depth and sophistication of cybersecurity capabilities.

Does CMMC apply to my company?

CMMC applies to your company if it comes into contact with CUI, shares CUI, or works with contractors that come into contact with or share CUI. That’s because all companies conducting business with the DoD must be certified, even if they’re subcontractors. The level of certification required will depend upon the amount of CUI a company handles or processes.

CUI is information that the U.S. government creates or possesses, or that an entity creates or possesses on behalf of the U.S. government, that a law, regulation, or government-wide policy requires or permits an agency to handle.

Still not sure if your organization handles CUI? There’s a detailed CUI registry and archive of categories and subcategories in the National Archives, and it includes the following organizational index groupings:

Critical Infrastructure Defense Export Control Financial
Immigration Intelligence International Agreements Law Enforcement
Legal Natural and Cultural Resources NATO Nuclear
Privacy Procurement and Acquisition Proprietary Business Information Provisional
Statistical Tax

What are the different CMMC deadlines?

CMMC won’t be in full force until 2026, giving DoD suppliers and subcontractors 5 years to develop and implement their plans and achieve certification. Starting in 2026, all new DoD contracts will contain CMMC requirements.

The main upcoming goals for this year are to develop full assessment guides and release them in two phases to the CMMC Accreditation Body (CMMC AB), to establish criteria for CMMC 3PAOs and individual assessors and to select the 3PAOs, on top of meeting the deadlines below:

  • September 2019: First draft of CMMC released, which contained 2,000 comments.
  • January 2020: CMMC Model Version 1.0 is released, the CMMC AB is created, and the CMMC-AB Website is launched.
  • June 2020: Initial Requests for Information (RFIs) with CMMC Requirements. CMMC training starts around June with Defense Acquisition University (DAU).
  • July 2020: Initial Beta Testing Begins.
  • September 2020: This is the goal of completing the Rulemaking Process.
  • October 2020: Initial Requests for Proposals (RFPs) with CMMC Requirements.

You can keep up to date by following CMMC developments at the CMMC website, or by subscribing to our newsletter.

How much will it cost to become CMMC compliant?

The short answer is that no one knows the cost.

The DoD hasn’t yet released information on an estimated cost of achieving CMMC certification because the process, 3PAOs, and certification training have not yet been finalized as of February 2020. However, precedence for CMMC was stated that “Security is foundational and should not be traded for cost, schedule, or performance moving forward.” It has also stated that suppliers will be allowed non-prohibitive reimbursements for costs associated with receiving CMMC certification.

The required CMMC level will be contained in sections L & M of the Request for Proposals (RFP), making cybersecurity an “allowable cost” in DoD contracts.

How do I comply with CMMC?

To demonstrate compliance, your organization must have a 3PAO perform an audit and certify you at one of 5 levels, ranging from Basic Hygiene at 1 to Advanced/Proactive Hygiene at 5. While there is currently no standardized certification process, we recommend that your organization stays up to date with developments and updates to CMMC going forward.

For an idea of what CMMC’s certification process will likely resemble, compare it to an existing process, like ISO, which has a handful of standardized steps, and translate the practices and types of info to include CUI:

  • Understand what you need. Stay up to date and choose your certifying 3PAO.
  • Executive buy-in/green light. Once you have the go-ahead, the 3PAO will find CUI in your existing practices, processes, and capabilities and map them for you.
  • Reduce the scope. Now that you know where CUI is, you’ll know exactly what kind of practices, process, and capabilities you need to document and, more importantly, how to get to the level you want.
  • Assess. Now’s the time to run gap assessments through your 3PAO  and see where you have opportunities to strengthen your systems.
  • Remediate. Once you’ve found your weak points, tighten up practices, processes, and capabilities where necessary. Implement new ones to replace the outdated or broken processes. Rinse and repeat until you’re at the level you want.
  • Achieve certification. Once you meet all of the requirements for the level you want, the 3PAO will award you with certification.

What are the CMMC controls?

CUI mapping gets complicated when done through 17 capability domains, listed above (and outlined in more detail in CMMC Model Version 1.0. For example, the recommended Level 3 certification requires that the 3PAO can find and document 130 cumulative practices and a well-managed written resource plan on top of a developed policy.

Because many of the practices draw from existing sources and references (like NIST SP 800-171 and FAR Clause 52.204-21), there’s a chance that your organization already uses several of the practices and processes outlined in the CMMC Framework.

When looking for a certifying 3PAO, identify one that can help you map and organize your processes to strengthen your program and aim for a higher level with re-architecting and impact minimization. NCC Group, for example, on top of CMMC requirement gap assessments and compliance roadmap building, data mapping, and inventory, will conduct CUI data mapping and engineering process analyses to define existing impacts on corporate systems, contract analyses to assist in the determination of CMMC Maturity Level (ML).

If you prefer to be more hands-on in the process, ask your 3PAO about workbooks for system security plans, policy and procedure documentation, system security architectures, risk assessments, and Plans of Action and Milestones (POA&M). Post-certification and once CMMC policy is completely outlined, you may consider incident reporting requirement plans for DFAR 252.204-7012(c).

By Justin Orcutt

*Content Originally posted on NCC Group’s website as a Whitepaper *