Cybersecurity Maturity Model Certification
Are you currently a contractor or subcontractor with the Department of Defense, or are you looking to be?
If so, you need the Cybersecurity Maturity Model Certification (CMMC).
In an effort to ensure that contractors are protecting sensitive defense information, the DoD released the CMMC framework in January 2020. The CMMC is a unified standard for cybersecurity across the defense industrial base which includes over 300,000 companies in its supply chain.
This DoD-developed framework includes a certification and compliance process, which is required to bid on new work. In the past, contractors were responsible for implementing, monitoring and certifying the security of their own information systems. Now a third-party audit and assessment (performed by an accredited CMMC Third Party Assessment Organization, or C3PAO) is required to certify that a company is following the mandatory practices and procedures.
Click below to get in touch with Mission Critical Systems to set up an appointment to help you navigate getting and staying CMMC certified.
5 Certification Levels
The CMMC encompasses 5 maturity levels that range from Basic Cybersecurity Hygiene to Advanced/Progressive, with each level building on the requirements of the level below it. The certification level required for a company will be based on the type of work it performs and the data it stores for the DoD. Once certified, the CMMC certificate should be valid for 3 years.
The 5 CMMC levels are:
- Level 1 – Basic Cyber Hygiene – Includes 17 controls covering very basic security such as using antivirus software, regular employee password changes, and employee cybersecurity training. This level is intended to protect Federal Contract Information (FCI).
- Level 2 – Intermediate Cyber Hygiene – Includes 72 controls covering basic and moderate security such as enabling audit trails, enforcing password complexity, routine maintenance for security patches, and documentation of practices to start protecting Controlled Unclassified Information (CUI), meeting some NIST 800-171 r2 requirements.
- Level 3 – Good Cyber Hygiene – Includes 130 controls covering basic through advanced security and proactive monitoring. A company must have an institutionalized management plan that includes all the security controls needed to protect CUI and fully meet NIST 800-171 r2 requirements.
- Level 4 – Proactive – Includes 156 controls covering basic through advanced security, proactive monitoring, and proactive security management. A company must be proactive in measuring, detecting and defeating threats. It requires that a company can respond to advanced persistent threats (APTs), including their changing tactics, processes and capabilities.
- Level 5 – Advanced/Progressive – Includes 171 controls covering basic through advanced security, proactive monitoring, and advanced security management. A company must be advanced, progressive and state of the art in cybersecurity at this level. This includes additional security controls that allow a company to detect and respond to changing APTs.
How will you know which level of CMMC is required? The DoD will specify the required CMMC level in each RFI and RFP.
In January 2020, the first full version of CMMC was released. At this stage, much of the rest of the timeline is still developing. But as of now, this is where the timeline stands:
- June 2020 – the DoD will start posting CMMC requirements in RFIs
- Sept. 29, 2020 – Interim Rule released for public comment
- Nov. 22, 2020 – Interim Rule comment period ends
- Nov. 30, 2020 – Interim Rule takes effect
- 2021 – Contractors will need to get certified by a C3PAO in order to bid on work
The interim rule states that full CMMC implementation will be completed in 2025, after which all DoD contracts will require a CMMC certification. While CMMC is being rolled out, contractors will need to run a self-assessment against the 110 controls in NIST 800-171 and upload their score to the Supplier Performance Risk System (SPRS) website. All contractors, regardless of their score, will need to maintain a System Security Plan (SSP) detailing their compliance information. Contractors who do not meet all 110 controls will also need to provide a date for achieving full compliance, as well as maintain a Plan of Action and Milestones (POA&M) detailing actions needed to fulfill compliance along with a timeline to achieve them. This is considered a Basic Assessment.
After November 30, new contracts and renewals will require submitting the SPRS score for bid consideration. After contract award, the DoD may require additional verification of compliance and assign a Medium or High Assessment. Both levels have an assigned assessor: at the Medium level, the assessor reviews the SSP and discusses items with the contractor’s primary security personnel; at the High level, the assessor also accesses and reviews the systems to ensure they match what the SSP documents.