The Cybersecurity Maturity Model Certification (CMMC) is the new cybersecurity standard put in place by the United States Department of Defense (DoD) to regulate the Defense Industrial Base (DIB). To be eligible for DoD contracts, a prime contractor and its subcontractors must demonstrate the required level of compliance for that particular contract.
Drivers Behind the CMMC
Mandating that the DIB maintain a certain level of cybersecurity is nothing new for the DoD. DFARS Clause 252.204-7012 mandated that defense contractors with access to sensitive but unclassified information be compliant with NIST SP 800-171, which mandated that certain cybersecurity controls be put in place.
The problem with this rule is that no mechanism for enforcement existed. Defense contractors were able to self-certify compliance with the regulation. However, a study of defense contractors found that the average organization only implemented 39% of the required security controls. Of the 50 contractors examined, none were fully compliant with the regulation despite there being strong incentives.
Without the proper security controls in place, defense contractors were vulnerable to advanced cyber threat actors seeking government secrets. The CMMC is designed to address this problem by requiring defense contractors to pass a third-party compliance assessment prior to bidding on defense contracts.
Achieving CMMC Compliance
The CMMC is structured to have five different certification levels. All contractors within the DoD’s supply chain are required to achieve and maintain Level 1 compliance to participate in defense contracts. Depending upon the details of a specific contract, higher levels of compliance may be required.
The requirements for each level of CMMC compliance are largely based upon published and drafted federal cybersecurity publications. However, each level from 2 upward adds further compliance requirements, as shown in the table below.
| Level | Added Processes | Required Practices | Additional Compliance Requirements |
|---|---|---|---|
| 1 | Select processes documented where required | 17 | Full compliance with Federal Acquisition Regulation (FAR) 48 CFR 52.204-21 |
| 2 | Each practice is documented, including Level 1 practices; a policy exists that includes all activities | 72 | A select subset of 48 practices from NIST SP 800-171 r1; an additional 7 practices to support intermediate cyber hygiene |
| 3 | A plan exists, is maintained, and resourced that includes all activities | 130 | Full NIST SP 800-171 r1 compliance; an additional 20 practices to support good cyber hygiene |
| 4 | Activities are reviewed and measured for effectiveness (results of the review are shared with higher-level management) | 156 | A select subset of 11 practices from Draft NIST SP 800-171B; an additional 15 practices to demonstrate a proactive cybersecurity program |
| 5 | There is a standardized, documented approach across all applicable organizational units | 171 | A select subset of 4 practices from Draft NIST SP 800-171B; an additional 11 practices to demonstrate an advanced cybersecurity program |
To achieve compliance with the CMMC, an organization must undergo a third-party assessment by a certified CMMC Assessor. At the time of writing, however, CMMC Assessor training does not yet exist, and no organizations have been certified to perform CMMC assessments.
How MorganFranklin Can Help
While the processes for undergoing a CMMC assessment are not yet finalized, getting a head start can help an organization rapidly gain certification and eligibility for defense contracts once the processes are in place.
While MorganFranklin is not a certified CMMC assessor, its advisors have extensive experience in federal regulations such as NIST 800-171, and the implementation of required security controls within an organization’s environment. Performing a compliance self-assessment, identifying compliance gaps, and making a plan for remediation are important first steps in the process of achieving CMMC compliance.