The DoD’s Cybersecurity Certification Model
Cybersecurity Maturity Model Certification (CMMC) is a program designed by the Department of Defense (DoD). It is a standard and certification model for defense contractors that handle sensitive agency information, specifically Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
Before launch, DoD developed several iterations of the program to ensure contractors follow a unified approach to protecting sensitive defense information. The standards also specify how contractors must handle CUI.
CMMC impacts national security and the defense industrial base. The model sets cybersecurity benchmarks and integrates them into the contracting process to ensure resilience against threats. As cyber threats become more sophisticated and pervasive, such a certification model helps safeguard extremely sensitive defense-related information.
DoD announced CMMC 2.0 in November 2021. CMMC 2.0 keeps the goal of strengthening the protection of defense information while simplifying the original framework: it reduces the number of certification levels from five to three and focuses the requirements on the sensitivity of the information a contractor handles.
IMPORTANCE OF CYBERSECURITY MATURITY MODEL CERTIFICATION
Cybercrimes threaten the Defense Industrial Base, a network of organizations, universities, and companies that do business with the Department of Defense. Each entity may have a role in designing and producing military weapons systems.
Cybercrime already costs the private sector enormous sums every year. The DoD supply chain is exposed to the same attacks, and a breach there is especially damaging to national security because of the defense data each entity holds.
Cybercriminals and state-sponsored actors continuously attempt to breach contractor defenses. Therefore, every contractor must meet a baseline level of cybersecurity.
With CMMC, the department can verify that all contractors protect information by holding them to one common set of requirements instead of relying on unverified self-reporting.
Being a certified contractor gives your organization a competitive advantage among the hundreds of thousands of suppliers in the DIB. For multi-year contracts, certification also puts you in a better position to win the award when you respond to an RFP.
Proactively seeking certification strengthens your position in ways beyond contracts and revenue. Achieving certification means your organization is prepared to withstand attacks and to limit the damage a data breach can cause.
It also protects your organization's reputation with customers outside the Defense Department.
The CMMC 2.0 Framework
The CMMC framework measures whether defense contractors adequately protect sensitive information. Contractors must implement the framework's components to reach a given certification level:
- Domains: groups of related cybersecurity practices, aligned with the NIST SP 800-171 requirement families, that apply at a specified CMMC level
- Practices: the specific security requirements that must be implemented to achieve certification at a defined CMMC level
- Processes and Capabilities: components of the original CMMC model that are not included in CMMC 2.0
Achieving each level depends on the verifiable implementation of the practices assigned to it, so compliance solutions must be comprehensive enough to cover every domain and scalable enough to demonstrate the measures to an assessor.
A contractor advances by completing the requirements applicable to the domains at each level.
CMMC Domains
The domain structure organizes the practices a contractor must implement. CMMC 2.0 uses 14 domains, matching the 14 requirement families of NIST SP 800-171, that together provide the technical capabilities needed to achieve and maintain certification:
- System and Information Integrity: identify and remediate flaws in information systems, identify malicious content, monitor systems and networks, and apply advanced email protections
- Access Control: define system access requirements, control internal and remote system access, limit access to authorized users, and control how data is accessed
- Awareness and Training: conduct security awareness training and activities
- Audit and Accountability: audit requirements, perform regular audits, protect audit information, regular review, and management of audit logs
- Configuration Management: establish configuration baselines and perform configuration and change management
- Identification and Authentication: authenticate entities with access to sensitive data
- Incident Response: plan response for security incidents after detection, test response to incidents, track reports of events, development and implementation of response after an incident, and post-incident review
- Maintenance: control and manage system maintenance
- Media Protection: identify, mark, protect and control media, sanitization process before disposing of media, media protection during transport from one location to another
- Personnel Security: screen employees and protect controlled unclassified information during employee actions
- Physical Protection: limit physical access to where sensitive information is kept
- Risk Assessment: identify, evaluate and manage vulnerabilities, and manage risk within the supply chain
- Security Assessment: development and management of a system security plan, definition and management of security controls, and perform code reviews
- System and Communications Protection: define security requirements for systems and communications, and control communication flow at system boundaries
CMMC LEVELS
CMMC does not replace NIST standards. Defense contractors were already required by DFARS 252.204-7012 to implement NIST Special Publication 800-171; CMMC adds verification of that implementation through a streamlined three-level structure. The requirements of each level must be met before a contractor can move to the next.
CMMC 2.0 focuses specifically on protecting Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). Each of its three levels maps to a specific set of requirements (the FAR basic safeguarding requirements for Level 1, NIST SP 800-171 for Level 2, and NIST SP 800-171 plus part of NIST SP 800-172 for Level 3) to ensure consistent protection.
CMMC 2.0 LEVEL 1 (FOUNDATIONAL)
Also called basic cyber hygiene, Level 1 consists of the 15 basic safeguarding requirements in Federal Acquisition Regulation (FAR) clause 52.204-21. These lay the foundation for contractors who process, store, or transmit Federal Contract Information (FCI):
- Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
- Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
- Verify and control/limit connections to and use of external information systems.
- Control information posted or processed on publicly accessible information systems.
- Identify information system users, processes acting on behalf of users, or devices.
- Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
- Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.
- Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
- Escort visitors and monitor visitor activity; maintain audit logs of physical access; and control and manage physical access devices.
- Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
- Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
- Identify, report, and correct information and information system flaws in a timely manner.
- Provide protection from malicious code at appropriate locations within organizational information systems.
- Update malicious code protection mechanisms when new releases are available.
- Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.
Meeting these requirements does not require a third-party certification. Instead, your organization performs an annual self-assessment that must cover the technology, facilities, employees, and any external providers with access to FCI, and a senior company official affirms the result.
In essence, you self-certify yearly under a defense contract that the basic safeguarding requirements are being met.
CMMC 2.0 LEVEL 2 (ADVANCED)
Certification at this level means your organization has implemented and documented the 110 security requirements of NIST Special Publication 800-171, organized into 14 families that correspond to the CMMC domains, to protect controlled unclassified information.
Some considerations for having a solid cybersecurity approach include but are not limited to:
- DNS filtering
- Data backup and restoration
- Real-time monitoring
- Ongoing risk assessments
- Audit log management
- Spam protection
To achieve this, you must first identify any gaps that could hinder compliance. For example, you may need to assess existing practices against each of the 110 requirements and speak with the employees who will handle controlled unclassified information.
Documenting what is needed helps guide your efforts toward CMMC 2.0 readiness. Some Level 2 contractors must undergo a third-party assessment by an accredited entity every three years to maintain certification; which path applies depends on the sensitivity of the controlled unclassified information (CUI) being stored, processed, or transmitted.
- Contractors handling CUI on lower-priority programs can self-assess against NIST Special Publication 800-171 and affirm the result.
- Contractors handling CUI on prioritized programs require a third-party assessment by a CMMC Third-Party Assessment Organization (C3PAO).
The applicable DFARS clauses (252.204-7012, 252.204-7019, 252.204-7020, and 252.204-7021) and the solicitation determine which assessment type a given contract requires.
CMMC 2.0 LEVEL 3 (EXPERT)
In addition to meeting NIST SP 800-171, your organization is responsible for creating and maintaining a system security plan for safeguarding government information. This expert level is for defense contractors that handle controlled unclassified information on the DoD's highest-priority programs.
As with the previous CMMC model, the specific Level 3 requirements were still being finalized when this was written. The Defense Department has indicated they will cover the 110 practices of NIST SP 800-171 plus a subset of the enhanced requirements in NIST SP 800-172. Level 3 builds on a Level 2 C3PAO certification, and the Level 3 assessment is conducted by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) rather than by a C3PAO.
These requirements should inform your goals, resources, training, and every stakeholder who touches the sensitive data. A well-designed infrastructure should meet them without interfering with the service you provide the agency.
CMMC 2.0 CERTIFICATION PROCESS
For companies without in-depth knowledge of the CMMC process, it may be beneficial to work with a Registered Provider Organization (RPO) that can deliver pre-assessment gap reviews and remediation strategies. The following eight steps, in order, take your organization from scoping to certification as a DoD defense contractor.
1. Identify scope. Whether it is a single department, a specific program, or the entire organization, determine where the sensitive information (FCI or CUI) is stored, processed, and transmitted, and which systems, people, and facilities are therefore in scope.
2. Assess current security processes. Follow the assessment procedures in NIST SP 800-171A to evaluate your security controls. Then develop and implement a system security plan for managing your network and systems.
3. Make necessary improvements. Use the assessment results to create a plan of action and milestones (POA&M) with target dates, aiming for the maximum score of 110. Submit your organization's score through the Supplier Performance Risk System (SPRS).
4. Obtain a third-party gap assessment. An RPO is recommended for a preliminary gap assessment; a C3PAO will later conduct the certifying assessment.
5. Fix gap findings. Use the third-party analysis to implement the changes needed to meet the certification standard.
6. Get a readiness audit. Once you have identified and corrected information security gaps, schedule a readiness audit before scheduling the formal CMMC assessment.
7. Complete the assessment. Be prepared for a four-phase CMMC assessment:
- Plan and prepare: the organization seeking certification (OSC) requests the assessment and the C3PAO plans it accordingly.
- Conduct the assessment: the C3PAO assessment team evaluates how the OSC has implemented the CMMC practices.
- Report results: the lead assessor delivers the recommended results of the CMMC assessment.
- Close out POA&M items: any conditions for approval are fully implemented and verified before certification proceeds.
8. Receive CMMC certification. If all goes as planned, the final step is a certification decision. The C3PAO delivers the final assessment results, and certification is issued on the basis of that outcome; the Cyber AB (formerly the CMMC-AB) accredits the C3PAOs that perform these assessments.
TIMELINE AND IMPLEMENTATION OF CMMC 2.0
The Department of Defense issued the proposed rule for Cybersecurity Maturity Model Certification 2.0 on December 26, 2023. The rollout of CMMC 2.0 is structured to occur in four strategic phases over two and a half years.
Contractors must stay informed about each phase and the evolving requirements. The DoD may adjust timelines and specific requirements, so contractors must remain vigilant to stay compliant and competitive.
MEET CMMC 2.0 REQUIREMENTS WITH CYBERSECURITY CONSULTING SERVICES
Satisfying the assessment requirements set by DoD is crucial to your organization's success. You also need to demonstrate that your cybersecurity protocols match the importance of keeping sensitive government information secure.
Meriplex offers consulting services to help you meet each level of the CMMC framework. With our certification preparation and security-first approach, you'll be ready to comply with CMMC 2.0 and to stay current as its standards evolve.