Cybersecurity Maturity Model Certification FAQs
What exactly is the CMMC?
The Cybersecurity Maturity Model Certification (CMMC) is a new cybersecurity requirement introduced by the US Department of Defense (DoD) which organizations with federal contracts or subcontracts will need to understand.
CMMC is designed to protect Controlled Unclassified Information (CUI) utilized by commercial organizations which perform contracts related to the US’ defense, often referred to as the Defense Industrial Base (DIB), both within the US and globally. The CMMC utilizes the National Institute of Standards and Technology (NIST) cybersecurity standards and maps these practices and processes to establish five certification levels that reflect the maturity and reliability of a company’s cybersecurity infrastructure to safeguard sensitive government information on contractors’ information systems.
The five levels are tiered and build upon increasingly robust technical requirements. Each level requires compliance with the lower-level requirements and institutionalization of incremental processes to implement specific cybersecurity-based practices. These 5 levels will be explained in part 2 of our CMMC series. The CMMC’s objective is to provide the DoD with assurance that a DIB contractor can adequately protect CUI at a level commensurate with the risk that DoD believes it holds for the US. These requirements also flow down to subcontractors in a multi-tier supply chain. Previously, DoD suppliers could self-certify regarding compliance with DoD requirements. This will no longer suffice. With CMMC, it will be necessary to obtain an independent audit attesting to the adequacy of controls prior to contract award.
What does all this mean to your company?
If your company intends to continue to bid/work on DoD contracts, it will be necessary to be certified at a CMMC level specified within the specific DoD contract opportunity on which you are proposing.
Unless you already have thorough controls in place, this will not be a simple undertaking. If you fail the initial independent certification, you will need to undertake remediation efforts. That could very well slow down your ability to receive a contract, which in turn could negatively affect the future of your business.
The DoD has stated that it will not be sufficient to certify after award. It must be in place before award. This could dramatically affect your revenue potential in coming years. Implementing the various controls will take time and effort. Getting a start in 2020 will be very important in supporting your contracting and, therefore, your revenue goals.
Why do I need to pay attention to the CMMC?
If your organization provides products, information, or services that ultimately wind up in a US Department of Defense (DoD) product or application, you need to be informed about the CMMC – even if your company is a subcontractor. This new program requires contractors and subcontractors to implement stringent security controls if they utilize or deal with CUI. The CMMC requirement will affect all federal contractors and subcontractors which handle CUI for DoD customers.
The CMMC is divided into five (5) levels and respective contracts will indicate to which Level your organization must certify its Information Technology (IT) operations and corporate processes.
Why is the CMMC important to me?
The DoD is in the process of implementing the requirements contractors and subcontractors will need to adhere to before being able to conduct future DoD business. Prime contractors, and their subcontractors, will be required to meet one of the five CMMC trust levels, and demonstrate that cybersecurity has been sufficiently implemented through the completion of an independent audit. Initial awards, and eventually continuance, of a DoD contract will be dependent upon CMMC compliance. Companies may NOT self-certify; an audited certification must be in place before a contract can be awarded.
I have plenty of time – what’s the hurry?
While CMMC will not be fully implemented until 2026, the first set of contract Requests for Information (RFI) is currently being prepared and will be issued in the summer of 2020. Actual Requests for Proposal (RFP) are expected in early fall of 2020, with other contracts following as they come up for renewal or bid. If one of these earlier contracts is one that your organization is interested in bidding upon, you will not be able to obtain an award until you have passed the specific type of security audit, which is now in the preparation stages.
So, while 2026 is the anticipated final date of implementation, DoD will be rolling out requisite deadlines throughout 2020 and beyond. Ensuring that your organization’s current security controls will be able to pass the audit may require extensive planning and implementation. Establishing adequate controls takes time, requiring integration into your existing practices. This process also often requires a culture change, which is typically complicated and time consuming.
Further, the government estimates there are over 300,000 federal contractors and subcontractors requiring certification. This is expected to cause extensive delays once the audit process begins. Therefore, getting ready early so that the audit process can be passed the first time will be very important. Additionally, there are only a handful of companies who thoroughly understand the CMMC process and can assist in aligning or remediating your controls for a successful audit.
For the audit itself, only specific government registered organizations will be able to perform the audits and they will be in increasingly higher demand as the 2026 date gets closer, thus potentially raising the price. Please note there are no auditors able to conduct audits today. 2020 is the year to begin assessing and getting your security practices in place to prepare for your audit.
In addition, developing and changing technical and business processes takes time. Considering the size of the contractor base (over 300,000) that may need improved controls and consulting assistance, you should be starting now.
What are the 18 Domains?
The domains (security controls) cover the broad scope of all cybersecurity processes throughout the information technology/data components of your enterprise and include:
> Access Control
> Identification and Authentication
> Asset Management
> Incident Response
> Risk Assessment
> Awareness and Training
> Security Assessment
> Audit and Accountability
> Media Protection
> Situational Awareness
> Configuration Management
> Personnel Security
> System and Communications Protection
> Physical Protection
> System and Information Integrity
What are Levels 1 through 5?
Within each domain, there are specific security controls that comprise each of the levels within that domain. Level 1 is the first level of security control acceptable for government contracts/subcontracts. DoD government contracts will specify the level to which organizations will be required to certify. Each Level adds additional sets of controls which equate to stronger security processes, in order to protect increasingly sensitive government information.
CMMC Level 1 (Basic) contains 18 individual security controls within the various domains. Level 1 focuses on basic cyber hygiene and is the foundation for the entire model. Every contract will involve Federal Contract Information and will likely need at least a Level 1 certification, if not higher.
CMMC Level 2 (Intermediate Cyber Hygiene) builds on Level 1 with an additional 46 security controls and introduces ‘Process’ maturity to the model. At Level 2 an organization is expected to meet all the requirements of Level 1 as well as establish and document standard operating procedures, policies, and strategic plans to guide the implementation of its cyber security program.
CMMC Level 3 (Good Cyber Hygiene) adds another 47 security controls to those of Levels 1 and 2. A Level 3 organization will have demonstrated good cyber hygiene and effective implementation of controls that meet the security requirements of the National Institute of Standards and Technology (NIST) SP 800-171 Rev 1, and will have shown that it can protect and sustain its assets and Controlled Unclassified Information (“CUI”). A Level 3 organization is expected to resource activities appropriately and adequately and to regularly review adherence to policy and procedures, demonstrating management of practice implementation.
CMMC Level 4 (Proactive): the organization has a substantial and proactive cyber security program and adheres to the controls in Levels 1 through 3 as well as 26 additional security controls. The organization can adapt its protection and sustainment activities to address the changing tactics, techniques, and procedures (“TTPs”) in use by advanced persistent threats (“APTs”). For process maturity, a CMMC Level 4 organization is expected to review and document activities for effectiveness and inform high-level management of any issues.
CMMC Level 5 (Advanced/Progressive): the enterprise has an advanced or progressive cyber security program with a demonstrated ability to optimize its cyber security capabilities and adheres to another 4 controls, in addition to those of Levels 1 through 4. The organization can optimize its cyber security capabilities to recognize TTPs and repel APTs. For process maturity, a CMMC Level 5 organization is expected to ensure that its process implementation has been standardized across the organization.
What is the CMMC Schedule for Implementation?
In 2020, contracts requiring CMMC certification will start to be issued by the Fall, with full implementation in all contracts by 2026. It may take a long period of time to get your controls in place; therefore, starting sooner rather than later is important to ensuring that you can control the costs associated with the process.
How long will a certification last?
A certification will be good for 3 years.
Should my company undertake this by itself?
Preparing for the CMMC audit which leads to certification is not a simple process, and it will not be achieved in a short amount of time. Unless you have cyber security experts on staff who have considerable time available to focus on each of the required controls so that you can undergo a successful audit/assessment, this is not something that the typical company will be able to tackle by itself. The entire process requires expertise in both technical cyber security and each of the levels of controls that are required by the US National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 revision 1. These form the base of what the CMMC will require for the types of security practices that will be needed by your organization.
What does CMMC cost?
Cost will vary depending on the strength of your current security environment and to which of the 5 CMMC levels you will need to certify. Regardless of the current state, you will need to have an independent audit/assessment performed that will then need to be accepted by the US government’s Accreditation Body (that has been established precisely for this purpose).
If you require work to be done to strengthen your controls and you don’t have knowledgeable experts on staff, you should work with a security vendor before you request an audit to make sure your controls can pass the assessment leading to certification. The selected vendor should perform an initial assessment and provide a gap analysis so that you understand the actions you must take before you will be ready for certification. Following that activity, you will need to begin putting the various controls in place, with your vendor guiding you.
What are the specific things we will need to accomplish?
As part of the audit/assessment process, you will need to complete the following:
> An Assessment and Gap Analysis
> Plan for Remediation
> Remediation Activities
> Monitoring and Reporting Processes (for use after certification as part of your controls)
> System Security Plan (SSP)
What is the System Security Plan (SSP)?
The SSP is a document that explains how each of the security controls will be implemented in your environment. It is specific to you and details each control that is defined in the federal standards published by NIST, along with what you need to do to establish, monitor, and report on that control. The SSP therefore describes every control in detail, as defined by NIST and as implemented by your organization.
When does my company need to act?
Now. Most DoD subcontractors have already been working on this initiative for almost a year and for many, this is their main security focus for the next year to be sure they are ready to obtain contracts. New contracts will begin to require certification in 2020 (with full implementation expected to be required for all contracts by 2026).
How do I find an auditor?
As of July 2020, you can’t. The process for licensing third party auditors is not yet finalized. Nor have any been trained. This is the time for you to align your cybersecurity operations with the requirements DoD is laying out so that you can apply for certification quickly when auditors are trained.
Who performs the certifications?
Independent organizations/persons can apply to become third-party inspectors (not yet active). They will be trained by the US DoD’s Accreditation Body (training is currently being designed) and licensed to perform certification audits/assessments.
What happens if we fail the assessment?
Your company will be required to remediate all the weaknesses associated with the level of certification you are seeking, then apply for another independent certification audit/assessment. This is very likely to slow down your progress toward certification and, in turn, toward being awarded a contract with either a prime contractor or directly with the DoD.
JANUS Associates is a highly experienced cyber security company that has been performing assessments in alignment with NIST controls for decades. We have engaged with numerous federal agencies including the DoD, and we understand how they think, and what it takes to satisfy their requirements. Our subject matter experts understand how to develop the documentation you will need and are prepared to advise you on how to transform or augment your processes to meet these new requirements.