What is the Cybersecurity Maturity Model Certification (CMMC)?

The Cybersecurity Maturity Model Certification (CMMC) is the Department of Defense’s (DoD) newest verification mechanism designed to ensure that cybersecurity controls and processes adequately protect Controlled Unclassified Information (CUI) that resides on Defense Industrial Base (DIB) systems and networks.

The DoD implemented requirements for safeguarding Covered Defense Information (CDI) and cyber incident reporting through the release of Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 in October 2016. The DFARS directed DoD contractors to self-attest that adequate security controls were implemented within contractor systems to ensure that CDI confidentiality was maintained. The security controls required by the DFARS are defined within National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. The Office of the Undersecretary of Defense for Acquisition and Sustainment (OUSD (A&S)) started the process of creating the CMMC in March 2019, with the finalization of the CMMC v1.0 expected in January 2020.

CMMC in the Near-Term

CMMC will not be required for all contractors immediately and will be phased in for certain DoD-identified contractors beginning in September 2020. When fully operational, the CMMC will be mandatory for all entities doing business with the DoD at any level. Prime contractors, and their subcontractors, will be required to meet one of the five CMMC trust levels, and demonstrate that cybersecurity has been sufficiently implemented through the completion of independent validation activities. Initial award, or continuance, of a DoD contract will be dependent upon CMMC compliance. No contractor organizations will be permitted to receive or share DoD information related to programs and projects without having completed the CMMC process. At the time that a contractor’s contract is up for renewal, the contractor must be CMMC compliant.

In January 2020 the CMMC will release a checklist for contractors which will allow them to identify how well they currently comply with the framework, and to assist with planning and implementing security maturity tasks. The CMMC will be included as a component of Requests for Information (RFIs) in mid-2020 and is expected to be included in Requests for Proposal (RFPs) by late 2020. The required CMMC compliance level will be contained in sections L & M of RFPs, making cybersecurity an “allowable cost” in DoD contracts.

CMMC will combine elements of various cybersecurity control standards such as NIST SP 800-171, NIST SP 800-53, ISO 27001, ISO 27032, AIA NAS9933, and others, into one unified standard for CUI cybersecurity.

CMMC Timeline

  • May 2019: Version 0.1
  • July 2019: Version 0.2 identified and reviewed
  • September 2019: Version 0.4 released
  • October 2019: CMMC implemented requirements released
  • November 2019: Version 0.6 to be released for public review
  • January 2020: Version 1.0 finalization expected; compliance checklist released
  • June 2020: CMMC will begin appearing in RFIs
  • September 2020: CMMC will begin appearing in RFPs

Details of the CMMC Framework

There will be five cumulative certification levels to the CMMC:

  • Level 1 – Basic Cyber Hygiene: Includes basic cybersecurity appropriate for small companies utilizing a subset of universally accepted common practices. The processes at this level would include some performed practices, at least in an ad hoc manner. This level has 35 security controls that must be successfully implemented.
  • Level 2 – Intermediate Cyber Hygiene: Includes universally accepted cybersecurity best practices. Practices at this level would be documented, and access to CUI data will require multi-factor authentication. This level includes an additional 115 security controls beyond those of Level 1.
  • Level 3 – Good Cyber Hygiene: Includes coverage of all NIST SP 800-171 Rev. 1 controls and additional practices beyond the scope of current CUI protection. Processes at this level are maintained and followed, and there is a comprehensive knowledge of cyber assets. This level requires an additional 91 security controls beyond those covered in Levels 1 and 2.
  • Level 4 – Proactive: Includes advanced and sophisticated cybersecurity practices. The processes at this level are periodically reviewed, properly resourced, and are improved regularly across the enterprise. In addition, the defensive responses operate at machine speed and there is a comprehensive knowledge of all cyber assets. This level has an additional 95 controls beyond the first three Levels.
  • Level 5 – Advanced / Progressive: Includes highly advanced cybersecurity practices. The processes involved at this level include continuous improvement across the enterprise and defensive responses performed at machine speed. This level requires an additional 34 controls.

CMMC vs NIST 800-171

It is important that organizations understand that the CMMC will require a CMMC 3rd Party Assessment Organization (C3PAO) to perform an annual independent assessment of their CMMC implementation for the security controls protecting CUI data. This would be in place of NIST 800-171 compliance through self-attestation.

In a recent audit of 10 DoD contractors servicing contracts with a value in excess of $1 million, who self-attested to compliance with NIST SP 800-171, eight were deemed deficient in implementing basic cybersecurity controls. Upon further analysis, it was determined that deficiencies were due to NIST SP 800-171 requiring compliance without regard to strength or maturity of the controls as implemented, and deficiencies in the process of ensuring ongoing, consistent control execution.

Process institutionalization (policies, plans, processes and procedures to manage the environment where the CUI resides) will be a big differentiator in CMMC because it provides assurances that the practices are being implemented effectively and in a sustainable manner.

CMMC Domains will also include four additional controls that are not currently covered under NIST 800-171:

  1. Asset Management
  2. Cybersecurity Governance
  3. Recovery
  4. Situational Awareness

How A-LIGN Can Help

A-LIGN is one of only a few globally recognized cybersecurity and privacy compliance providers that offer a single-provider approach for organizations. A-LIGN is an accredited FedRAMP 3PAO with the ability to work with any organization from small businesses to the largest of global enterprises. With our extensive experience in the NIST Risk Management Framework (RMF), NIST SP 800-53, CSF, FISMA/RMF, DFARS, NIST 800-171 and cybersecurity, we can ensure your organization demonstrates the appropriate maturity level in capabilities based on your company’s specific business requirements.