What the CMMC standard means for your organization

Christopher Wilkinson and Peter Cockshott | 6/8/2021
The Cybersecurity Maturity Model Certification (CMMC) standard is complex, but for many organizations, learning the ins and outs is crucial.

High-level national security measures are necessary in maintaining U.S. interests at home and abroad. Organizations wishing to do business with the federal government must adhere to strict regulations, including the new CMMC standard. As such, organizations must understand the CMMC’s specifications and learn how to achieve compliance with the standard. While details about the CMMC standard are still forthcoming, organizations should perform self-assessments now, in advance of new opportunities.

Background and overview of the CMMC standard

The U.S. Department of Defense (DoD) relies on a vast network of organizations to provide support and critical services to achieve strategic initiatives. This network of organizations is known as the Defense Industrial Base (DIB), and it includes more than 300,000 entities. Attackers who seek to compromise the U.S. supply chain in order to gain intelligence, disrupt operations, or otherwise interfere with U.S. interests view DIB entities as valuable, vulnerable targets. In fact, cybertheft operations performed by foreign adversaries are estimated to cost the U.S. tens to hundreds of billions of dollars annually.

The frequent targeting of federal suppliers provided the impetus for the creation of the CMMC standard, version 1.0 of which the DoD released on Jan. 31, 2020. It requires organizations that handle or process controlled unclassified information (CUI) and federal contract information (FCI) to become certified by demonstrating a specified level of maturity in their information security program and its associated controls.

Certification is performed by an accredited CMMC Third Party Assessor Organization (C3PAO) on a pass-fail basis. These C3PAOs are accredited by the CMMC Accreditation Body (CMMC-AB) to ensure that the professionals conducting CMMC assessments have the appropriate training and knowledge to evaluate an organization’s compliance against CMMC criteria. The enforcement of the CMMC is carried out through the request for proposal (RFP) and request for information (RFI) processes, which require certification at a designated level in order to submit a response to specific RFPs and RFIs.

Maturity in the CMMC model

The CMMC framework includes five levels of maturity, and each level is cumulative: it incorporates all of the controls of the levels below it. While the level each contract will require has not yet been defined, the expectation is that organizations handling only FCI will require Level 1 or 2 certification, while those handling CUI will be required to achieve at least Level 3.

The maturity levels and associated requirements are informed by the Federal Acquisition Regulation (FAR), the National Institute of Standards and Technology (NIST), and other organizations’ frameworks, including:

The following table lists the major controls and frameworks for each maturity level:

[Table: CMMC maturity and controls]

Organizations should keep some important considerations in mind when examining these frameworks. For example, while the majority of the controls in Levels 1 through 3 are taken directly from NIST SP 800-171 Rev. 2, CMMC compliance does not by itself establish compliance with NIST SP 800-171, as many organizations incorrectly assume.

Although Level 3 does contain all of the CUI controls in NIST SP 800-171, the CMMC does not include the 63 nonfederal organization (NFO) controls listed in Appendix E of NIST SP 800-171. DoD contractors are nonetheless required, under DFARS clause 252.204-7012, to implement all of NIST SP 800-171, including the Appendix E NFO controls; a contractor that misrepresents its compliance can be subject to penalties under the False Claims Act.

A closer look at CMMC standard controls

The CMMC model has 17 domains, and each domain has a set of controls and capabilities distributed across the five maturity levels. Currently, Level 5 criteria include more than 170 controls across these 17 domains. The domains are:

  • Access control
  • Asset management
  • Awareness and training
  • Audit and accountability
  • Configuration management
  • Identification and authentication
  • Incident response
  • Maintenance
  • Media protection
  • Personnel security
  • Physical protection
  • Recovery
  • Risk assessment
  • Security assessment
  • Situational awareness
  • System and communications protection
  • System and information integrity

Achieving CMMC standard compliance

Organizations that seek to achieve CMMC compliance typically follow a phased approach, which includes:

  • Understanding the scope. A CMMC compliance journey begins with understanding the types of CUI and FCI the organization handles, as well as all of the locations, assets (systems), and personnel that store or access CUI/FCI data and would therefore be in scope for a certification.
  • Considering CMMC architecture and strategy. If access to CUI/FCI data is not a pervasive requirement within the organization, the organization can segregate CMMC-related data into a defined enclave in order to minimize the scope of the review and certification process.
  • Performing a self-assessment. Many organizations prefer to perform a precertification gap analysis, particularly if they are targeting Level 3 maturity or higher. This self-assessment identifies the gaps that will need to be remediated in order to achieve the desired level of certification.
  • Closing the gaps. Depending on the number and complexity of the gaps noted in the initial assessment, organizations should develop a plan of action to address them prior to pursuing certification. Remediation timelines will vary with the nature of the gaps identified and the resources available to assist.
  • Taking the official assessment. Once all gaps are remediated, the organization is ready for the certification assessment. The CMMC-AB Marketplace lists the firms that are approved to perform a CMMC certification assessment.

The future of the CMMC standard

Currently, details regarding the CMMC standard are still being finalized, including the designation of registered provider organizations and C3PAOs in the CMMC-AB Marketplace. Reportedly, the DoD is planning to issue only 15 contracts this year that will require any level of CMMC certification.

The DIB consists of hundreds of thousands of organizations that will require some level of certification over the next five years. Some of those institutions might end up needing multiple certifications for different networks, systems, or segments. As such, many more accredited assessors capable of evaluating organizational practices against the CMMC standard will be needed.

It’s unclear if and when the CMMC will expand to additional entities, but certified assessors who can assist with the CMMC program are in high demand. While these details are being finalized, it’s important that organizations that will need to be CMMC compliant in the future take the opportunity now to perform assessments in order to be prepared for certification.