Any organization wanting to do business with the United States Department of Defense (DoD) must comply with the DoD’s Cybersecurity Maturity Model Certification (CMMC). At a minimum, companies must hold a Level 1 certification, as determined by an accredited CMMC third-party assessment organization (C3PAO). For companies wanting to do business with the DoD, NetTech Consultants of Jacksonville, Florida, is now a certified auditor and can help you prepare for your C3PAO assessment with a readiness assessment.
Who Needs CMMC Certification?
Any organization wanting to do business with the DoD must be certified at Level 1 of the Cybersecurity Maturity Model Certification. This requirement went into effect in 2021. For contracts that involve controlled unclassified information, the DoD stipulates a higher level of certification. Without proof of compliance, a business cannot be awarded a contract or receive any part of the DoD’s $733 billion budget. Additionally, given that 54% of the DoD’s budget goes to small businesses, certification is worth the effort for companies of all sizes.
What is CMMC?
The DoD designed the Cybersecurity Maturity Model Certification to strengthen its cybersecurity defenses. As Chris Golden, a former member of the CMMC accreditation body stated,
“We’re losing a lot of intellectual property as a country to our adversaries through gaps in cybersecurity practices and maturity throughout the supply chain. And right now, that’s focused on DoD supply chain.”
The goal is to secure controlled unclassified information (CUI) as well as federal contract information (FCI) in a contractor’s possession. The CMMC integrates parts of existing standards, chiefly NIST SP 800-171, FAR 52.204-21 and DFARS 252.204-7012, into a single cybersecurity framework that focuses on participants in the DoD’s supply chain.
Supply chains are a critical component of DoD operations. The DoD’s supply chain includes raw materials, various components, and finished goods, and consulting and project management services are considered part of it as well. The SolarWinds supply chain compromise disclosed in December 2020, in which attackers inserted malicious code into a trusted software vendor’s update, is a prime example of why supply chain security is needed.
The DoD chose a maturity model over a full-compliance approach because of the time as well as the resources needed to implement a full-compliance model. With a compliance model, all requirements must be in place before an entity can be certified. A maturity model moves an organization from a basic security program to a comprehensive cybersecurity program over time.
In addition, the model helps companies build robust security programs while minimizing the financial impact. Small businesses make up over half of the DoD’s supply chain and often lack the resources to comply with a comprehensive program overnight. At the same time, prime contractors may already have established cybersecurity defenses of their own. To establish a department-wide standard while mitigating the impact on smaller companies, the DoD designed a maturity model that outlines the required practices at each certification level.
The CMMC Framework
A cybersecurity framework is designed to reduce exposure to vulnerabilities that can be exploited by attackers. It is a set of documents that lays out the practices an organization should follow to reduce its cybersecurity risk. The current CMMC framework is defined in the Cybersecurity Maturity Model Certification, Version 1.02.
The framework consists of four components as well as five certification levels. Each level has different standards for certification in the following four component areas:
- Domains. Domains are subareas of cybersecurity, such as risk management or access control.
- Capabilities. Capabilities refer to the functionality that must be available under each domain.
- Processes. Processes indicate how thoroughly security activities are institutionalized in a company’s operations. At Level 1, practices are performed but need not be documented; at Level 5, processes are documented, managed, reviewed, and optimized across the organization.
- Practices. Practices are the specific technical and procedural activities (the controls) an organization must implement to maintain appropriate cybersecurity hygiene.
Each certification level sets different standards that must be met for each component. Certification is also not a one-time event: a contractor must be reassessed periodically to keep its certification, regardless of the level achieved.
Domains and Capabilities
The CMMC framework lists 43 capabilities divided over 17 cybersecurity domains. The value in parentheses indicates the number of capabilities for that domain.
- Access Control (AC). Limit system, remote, and data access to authorized users, processes, and devices (4).
- Asset Management (AM). Identify and document assets and manage the asset inventory (2).
- Audit and Accountability (AU). Define audit requirements, perform auditing, and protect and review audit logs (4).
- Awareness and Training (AT). Conduct security awareness activities and train employees on security risks (2).
- Configuration Management (CM). Establish configuration baselines and perform configuration and change management (2).
- Identification and Authentication (IA). Grant access only to authenticated entities (1).
- Incident Response (IR). Plan incident response, detect and report events, respond to incidents, perform post-incident reviews, and test the response capability (5).
- Maintenance (MA). Manage and perform system maintenance (1).
- Media Protection (MP). Identify, protect, control, and sanitize media (4).
- Personnel Security (PS). Screen personnel and protect CUI during personnel actions such as transfers and terminations (2).
- Physical Protection (PE). Limit physical access to systems and facilities (1).
- Recovery (RE). Manage backups and information security continuity (2).
- Risk Management (RM). Identify, evaluate, and manage risk, including supply chain risk (3).
- Security Assessment (CA). Develop and manage a system security plan, define and manage security controls, and perform code reviews where appropriate (3).
- Situational Awareness (SA). Implement threat monitoring (1).
- Systems and Communications Protection (SC). Define security requirements for systems and communications and control communications at system boundaries (2).
- System and Information Integrity (SI). Identify and remediate system flaws, identify malicious content, and perform network and system monitoring (4).
Not every domain has practices at every level; some domains introduce practices only at the higher levels. A contractor certified at a given level must meet every practice assigned to that level and all lower levels across all 17 domains, and must show the process maturity required at that level.
Processes and Practices
Each certification level pairs a process maturity goal with a cumulative set of practices, and the focus of those practices shifts by level:
- Level 1. Safeguard FCI.
- Level 2. Transition toward protecting CUI.
- Level 3. Protect CUI.
- Levels 4 and 5. Protect CUI against, and reduce the risk from, advanced persistent threats.
Process maturity and practice implementation are assessed separately, and the level awarded is the lower of the two. For example, an organization that implements the Level 2 practices but demonstrates only Level 1 process maturity is certified at Level 1.
Level 1: Performed
Level 1 certification indicates the contractor is performing the required practices at a basic cybersecurity hygiene level. The focus is on protecting FCI according to the safeguarding requirements of FAR 52.204-21.
Level 2: Documented
Passing Level 2 certification requires that the practices be performed and that the policies and procedures behind them be documented so they can be repeated consistently. Level 2 is a transitional step between Level 1 and Level 3 and introduces a subset of the NIST SP 800-171 requirements.
Level 3: Managed
At Level 3 certification, organizations must have and maintain a plan that demonstrates how the required activities are managed, including resourcing, training, and involvement of stakeholders, while also certifying that the practices are implemented. Level 3 focuses on protecting CUI and includes all 110 security requirements of NIST SP 800-171, as required by DFARS clause 252.204-7012, plus 20 additional practices, for 130 practices in total.
Level 4: Reviewed
Contractors at Level 4 review and measure the effectiveness of their practices and take corrective action when needed. Level 4 practices focus on protecting CUI from advanced persistent threats.
Level 5: Optimizing
Level 5 requires enterprises to standardize and optimize process implementation throughout the organization. Level 5 practices add more sophisticated capabilities for protecting CUI against advanced persistent threats.
How to Become Certified
Certification means meeting the requirements for the capabilities of the 17 domains using the processes and practices outlined for the desired level. Domains and capabilities identify what needs to be done; processes and practices stipulate how, and to what level of maturity, it must be executed.
Accredited C3PAOs determine the certification level after assessing a company’s implementation. An organization is assessed at the level its contracts require; it may pursue a higher level later if new work demands it, and it must be reassessed periodically to maintain its certification.
Working with the DoD means an ongoing commitment to strengthening the country’s cybersecurity throughout its supply chain. It also requires continuous improvement to keep pace with a growing threat.
The CMMC requirements can be overwhelming, even for companies with dedicated cybersecurity personnel. Just deciding where to start can seem impossible. Consider speaking with NetTech Consultants, who are specialists in CMMC processes. As an accredited auditor, NetTech can help you understand the requirements and develop a plan for achieving certification. They can work with you to clarify guidelines and suggest practices that bring you into compliance.
As a long-standing provider in the Jacksonville area, NetTech can help you traverse the CMMC path from beginning to full compliance, no matter how long the process takes. When preparing to be assessed by a C3PAO, look for a partner that can help you improve your cybersecurity and sustain an ongoing relationship with the federal government. NetTech is also committed to supporting its Jacksonville clients in their efforts to strengthen supply chain cybersecurity. For CMMC assistance, contact us to ensure your company is ready for its next DoD contract.