The Department of Defense (DoD) has been working on a new universal standard called the Cybersecurity Maturity Model Certification (CMMC). This model is being developed because of slow adoption of its predecessor, the Defense Acquisition Federal Regulation Supplement (commonly referred to as ‘DFARS’). There has been widespread recognition that the one-size-fits-all prescriptions in DFARS weren’t working and were leading DoD contractors to falsely claim compliance with the prescriptions it contained when in fact they were not compliant. This recognition has led to the formation of a five-level cybersecurity maturity scale against which DoD contractors can assess themselves and be certified. This is known as the CMMC standard.
What areas are covered in the CMMC?
You can take a look at draft v0.7 of the CMMC, available on the CMMC website. This document shows how businesses will be evaluated on the NIST-based maturity rating scale of 1-5, where 1 demonstrates basic cybersecurity hygiene, and 5 demonstrates an advanced and progressive cybersecurity program that marries policies, processes, repeatability, and effectiveness in proactively protecting against cyber threats. The CMMC focuses on your traditional NIST 800-171 controls while adding in a few “Other” controls to augment this DoD-specific program. Standard areas of control measures include:
- Access Control
- Awareness and Training of Employees
- Auditing and Accountability
- Configuration Management
- Identification and Authentication
- Incident Response Detection and Planning
- System Maintenance and Patching
- Media Protection
- Personnel Security
- Physical Security
- Risk Assessments: Identify, Evaluate, and Manage Risk
- Security Assessments
- Defined Security Requirements for Systems and Communications Protection
- System and Information Integrity
What will be in the CMMC Maturity Levels?
While the CMMC is still a work in progress, early drafts show that organizations will be able to certify as compliant with one of five levels, as described below. The CMMC will review and combine various cybersecurity standards and best practices and map these controls and processes across several maturity levels that range from basic cyber hygiene to advanced. Here’s what we currently know about the CMMC levels and their respective requirements:
- Level 1 – “Basic Cyber Hygiene” – In order to pass an audit for this level, the DoD contractor will need to implement 17 controls of NIST 800-171 rev1.
- Level 2 – “Intermediate Cyber Hygiene” – In order to pass an audit for this level, the DoD contractor will need to implement another 48 controls of NIST 800-171 rev1 plus 7 new “Other” controls.
- Level 3 – “Good Cyber Hygiene” – In order to pass an audit for this level, the DoD contractor will need to implement the final 45 controls of NIST 800-171 rev1 plus 14 new “Other” controls.
- Level 4 – “Proactive” – In order to pass an audit for this level, the DoD contractor will need to implement 13 controls of NIST 800-171 RevB plus 13 new “Other” controls.
- Level 5 – “Advanced / Progressive” – In order to pass an audit for this level, the DoD contractor will need to implement the final 5 controls in NIST 800-171 RevB plus 11 new “Other” controls.
What is yet to be established is what level any DoD contractor must be certified against to handle Controlled Unclassified Information (CUI) in their work supporting the defense industry. More will follow on this as information is developed and made available by this new legislative initiative and standard. There is recognition that the CUI data a defense contractor, Sub, or Prime has access to will dictate the level of compliance required of that vendor.
Source: FedScoop.com, “Primes, subs won’t face the same CMMC security requirements on all contracts”
What are the important dates to keep in mind in 2020?
- January 2020: The official CMMC Levels and requirements will be released along with training materials for the independent CMMC Accreditation Board (CMMC AB) to use for training auditors and C3PAOs.
- February-May 2020: The initial round of assessors will be trained.
- June-September 2020: The initial round of audits will begin for a select number of DoD Programs/RFIs with the required CMMC Levels identified; contractors wishing to bid on those Programs will need to be certified to the required Level in order to receive the RFP.
- October 2020 and beyond: DoD contractors will need to get certified by an accredited Assessor/C3PAO in order to bid on new work.
The COVID-19 pandemic has led to delays in many CMMC compliance schedules, as published in this article. New information will be published as it becomes available.
What should I start doing now?
First, assess your operations for compliance with the NIST 800-171 standard, which is what CMMC is being built upon (with some added controls).
Using the 14 control domains listed above, assess yourself directly or by hiring a cybersecurity consultant. Measure and report on your compliance within each of the 14 control domains.
Second, create a System Security Plan in which you outline the protections you currently have in place, as required by NIST 800-171.
This document allows you to begin to write down all the protective measures in place protecting your Controlled Unclassified Information (CUI).
Third, document your remediation plans to address the areas where you are not compliant with NIST 800-171.
This is often done in the form of a Risk Registry with a prioritized listing of gaps based upon criticality, impact, and materiality to your organization.
Fourth, begin to execute on your remediation plans and address the gaps identified in the third step above.
Working with a consulting organization or Managed Services Provider (MSP) can often be one of the most rapid and efficient ways to address the shortcomings in your cybersecurity program, because the MSP is measured upon deliverables. Trying to do this internally with all the other demands on your staff can lead to burnout and, in this economy with unemployment so low, staff turnover. So be careful when trying to address this new standard with your own internal resources.
Finally, make sure you document your processes with artifacts that can be used to prove you do what you say you do.
Too often, during audits, the process has been completed, but no evidence was collected that can easily prove the process was followed. Design your compliance program to maintain artifacts or evidence of each process being completed. For example, create a termination process with a record for each employee who has left your employment.
CyberHoot was designed from the ground up to help with CMMC audits:
CyberHoot was built to capture compliance from all your employees by reminding, tracking, and escalating to management who is and is not compliant with your policies, processes, and cybersecurity training. It fully automates this process so you don’t have to chase paperwork, perform individual HR file audits, or any of that. The ease and simplicity of CyberHoot is evidenced in this quote from a client who said:
“I got more done in a single day’s use of CyberHoot than a year of trying with our old product!” — Daniel Rickman, J&L Cable
Visit CyberHoot.com for a free trial and get started preparing for CMMC audits and certifications.
Neoscope is the ideal partner to help you assess your compliance, identify and remediate your gaps, and document your processes to meet CMMC compliance.
Neoscope has been in operation for 12 years helping clients around New England and across the US monitor, manage, and fix their Information Technology infrastructure. We do so in ways that provide an audit trail with processes that stand up to scrutiny. Reach out to Neoscope today to discuss your CMMC preparation needs. Your proactive approach today could prevent the loss of critical government contracts down the road due to CMMC certification failures.