Everything You Need To Know About CMMC
Defense contractors need to get started on their CMMC and NIST compliance right away — a new interim rule has set a deadline for both compliance systems. Do you know where to begin?
The first official version of the DOD’s Cybersecurity Maturity Model Certification (CMMC) was released earlier this year.
These new requirements are a part of an ongoing effort to continually provide more accurate and more effective insight into modern cybersecurity best practices for organizations involved with DOD operations.
Do you know what CMMC is, and what it means for you?
If you do business with the DOD, NASA, GSA or another state/federal agency, you need to be prepared for the CMMC framework that comes into effect very soon.
Anyone operating in the DOD supply chain must become certified to showcase that they’re able to protect controlled unclassified information (CUI).
For an overview, check out our latest webinar, featuring Shawn Duffy, CISSP and President & CEO of Duffy Compliance Services:
What Is CMMC?
CMMC is the DOD’s way of certifying its contractors’ abilities to protect the Federal Contract Information (FCI) and CUI shared within the supply chain.
This builds upon the requirements set out by Defense Federal Acquisition Regulation Supplement (DFARS), Code Of Federal Regulations (CFR) and National Institute of Standards and Technology (NIST) guidelines (namely, 800-171 of the latter).
The DOD relies on external contractors and suppliers like you to carry out a wide range of tasks. Sensitive data that is shared with you must be protected. The fact is that inadequate safeguards for this sensitive data may threaten America’s National Security and put our military members at risk.
The DOD has implemented a basic set of cybersecurity controls through DOD policies and DFARS. These rules and clauses apply to the safeguarding of contractor/supplier information systems that process, store or transmit CUI. These security controls must be implemented at both the contractor and subcontractor levels, based on the information security guidance in NIST Special Publication 800-171, “Protecting Controlled Unclassified Information in Non-federal Information Systems and Organizations”.
As a U.S. DOD contractor who collects, stores, or transmits Covered Defense Information (CDI) or CUI you must comply with NIST regulation 800-171 and DFARS 252.204-7012. Your subcontractors must comply as well and be able to maintain compliance.
If you don’t, you can’t bid on DOD contracts, and you may lose the ones you have. CMMC is the DOD’s way of giving contractors like you a method for verifying that the appropriate measures have been put in place.
Why Does CMMC Matter?
The DoD estimates that the total value of data lost to our adversaries is a staggering $60 billion per year. Contractors doing business with the DoD, NASA, GSA, and any other state or federal agencies are at a major risk, especially as cybercrime continues to evolve.
Our adversaries are well aware that contractors have access to a lot of sensitive, confidential data. Although NIST 800-171 and DFARS 252.204-7012 were created to help contractors better secure their information systems, they’re not foolproof, and for many, they can be difficult to understand.
There tends to be a lot of confusion in the industry because several different standards are currently in force. CMMC eliminates this confusion with one unified, mandatory framework.
How Is CMMC Different From NIST?
The main difference is that while NIST SP 800-171 originally allowed you to self-assess and certify, CMMC is a requirement. You will need to get certified by an approved third party. A number of the terms in use are also different, such as “families” for NIST and “domains” for CMMC.
Many of the controls found in CMMC are the same as those in NIST 800-171; however, CMMC brings together various compliance processes into one unified framework. You will find aspects of the following in CMMC:
- NIST 800-171
- NIST 800-53
- ISO 27001
- ISO 27032
- AIA NAS9933
Contractors will likely have to implement some new controls that they don’t already have in place. Not every contractor needs to attain the highest level of the five covered in CMMC. While some do, others may only need to attain level one or two certifications.
What Cybersecurity Requirement Levels Are Included In CMMC?
CMMC introduces 5 levels of security requirements:
The first level requires basic cybersecurity practices, including anti-virus software, strong passwords, and overall, fairly standard measures.
The second level is designed to protect controlled unclassified information, and as such, requires more complex measures:
- Access controls
- Awareness and training
- Identification and authentication
- Configuration management
- Audit and accountability
- Incident response
- Media protection
- Physical protection
- Personnel security
- Security assessment
- Risk assessment
- Systems and communications protections
- Systems and information integrity
The third level is based on an extension of the NIST 800-171 r2 standards. There are 47 security controls that must be in place to comply with this level.
The fourth level requires contractors to be proactive when it comes to measuring, detecting, and defending against threats. Some requirements are similar to DFARS while requiring contractors to be prepared to handle advanced persistent threats.
The fifth and final level includes 30 extra security controls above and beyond level four that must be put in place. They revolve around auditing and management processes as opposed to technical requirements.
What Happens If You’re Not Compliant?
The penalty for CMMC compliance is simple — if you’re not compliant, you can’t be awarded defense contracts. There are no fines or conventional penalties. You’re just unable to operate in the DoD contracting space any longer.
While complying with these new requirements will undoubtedly require a further investment of time and money beyond your standard compliance efforts, it’s important to note the silver lining — compliance will likely reduce your competition.
As it becomes more difficult to operate in the defense sector, smaller competitors will likely drop out. Becoming compliant with CMMC will require more resources, and not all current contractors will see the benefit of investing further, especially if they don’t have the capital to do so.
That makes the market less competitive for contractors that do make the effort to become compliant. And that’s not the only benefit — these new requirements aren’t arbitrary. Implementing them will have additional benefits as well, making your company more secure and of greater value to your clients.
What Can You Do Right Now To Start On Your CMMC Compliance?
Level 1 (Basic Safeguarding Of FCI)
Only the “Performed” maturity process is required at this level (that is, no documentation is required).
- Safeguards in FAR 52.204-21:
  - Limit access to authorized users
  - Limit access to the types of transactions and functions that authorized users are permitted to execute
  - Control and limit access to external systems and to information posted or processed on public systems
  - Limit physical access to systems to authorized individuals
  - Escort visitors and monitor their activity, including keeping an audit log of physical access
  - Malicious code protection mechanisms (AV, Anti-Malware, OSINT)
  - Perform periodic scans
CMMC Level 2 (Transition Step To Protect CUI)
Documentation is required at this Maturity Level.
- 55 additional controls (72 total):
  - Regularly perform and test backups
  - Monitor remote access sessions
  - Maintain system audit logs
  - Security roles and responsibility training
  - Control and monitor user-installed software
  - Establish an Incident Response program
  - Vulnerability scans and remediation in accordance with risk assessments
  - Develop and maintain a System Security Plan (SSP)
  - Develop and implement a Plan of Action to reduce system security deficiencies
CMMC Level 3 (Protecting CUI)
Maturity process at this level: Managed (documentation is required).
- 58 additional controls (130 total):
  - Continuous monitoring and logging
  - Security awareness training
  - MFA for remote access
  - Incident Response Plan
  - Configuration Management Plan
Don’t Forget! You Must Be NIST Compliant By Nov. 30, 2020
The Department of Defense (DoD) has issued their much-anticipated interim rule, which has put all contractors on the clock — by November 30, 2020, you will need to comply with the National Institute of Standards and Technology (NIST) Assessment methodology.
From that date on, your DoD contracts will contain DFARS clause 252.204-7012, requiring you to be fully NIST compliant. Are you ready?
Whereas NIST used to be a series of guidelines to help contractors like you maintain the security of CUI, it’s now becoming a requirement. If you haven’t been managing and strategizing your compliance so far, you’ve got a lot of work to do.
Need Expert Assistance Implementing CMMC & NIST Compliance?
Don’t drop out of the defense contracting sector just because it’s become more difficult to stay compliant.
If you’re looking for expert guidance, Intelice Solutions is here to help. We work with DOD contractors throughout the Washington and DC Metro area, and can assist in developing confident CMMC & NIST compliance.