Working as a contractor for the Department of Defense (DoD) can be a rewarding and lucrative path. However, in order to reap these rewards, you will first have to comply with the Cybersecurity Maturity Model Certification (CMMC) framework, which is overseen by the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD-A&S). Achieving CMMC compliance is no easy feat. It requires strict adherence to several layers of requirements, all of which are analyzed in an official CMMC assessment performed by an accredited CMMC Third Party Assessment Organization (C3PAO).
In this guide to CMMC compliance, we’ll be walking you through the highlights of CMMC and the many traps contractors can fall into during the assessment process.
What Does It Mean To Be CMMC Compliant?
Intellectual property and sensitive data theft are national security issues that cost the U.S. economy billions of dollars every year. Many of the attacks that result in lost profit happen throughout the Defense Industrial Base (DIB) supplier base. In an effort to counter this, the DoD has established many security measures and frameworks over the years, which act as a set of guidelines that apply not only to those wishing to work with the DoD, but also to the suppliers of those organizations working with the DoD. CMMC is the most recent of these frameworks – established in January 2020. The CMMC framework attempts to protect two kinds of data:
- Federal Contract Information (FCI): Information not intended for public consumption or release, that is generated by or for the Government under contract.
- Controlled Unclassified Information (CUI): Information that, in accordance with laws and regulations, must be safeguarded from unauthorized disclosure. A key example of this data is International Traffic in Arms Regulations (ITAR) data, which may be stored in the cloud only if it is cryptographically secured and no foreign entities can access it.
CMMC compliance aids in the proper protection of your CUI by meeting rigorous compliance requirements across 14 different domains, each containing a different scope of controls. We’ll dive into these domains and controls later on. Being CMMC compliant is one of the many tools you need to be deemed a preferred contractor, not only for the DoD but to become a supplier for any branch of the government. It also brings added benefits to your organization, like the ability to take advantage of Safe Harbor legislation in your state – meaning that certified entities are protected from breach penalties and required audits. It is highly recommended that companies seeking CMMC compliance perform a self-assessment before bringing in an authorized assessor. This internal evaluation allows you to gauge your company’s policies and practices and how they compare to the individual certification levels and domains described within the CMMC. We’ll dive into these details shortly. Self-assessment is a great tool for gauging the amount and type of work needed for full CMMC compliance.
Next steps: Understanding the CMMC Framework
While an incredibly valuable tool, the self-assessment by no means guarantees that you will pass your CMMC compliance check. Gaining a deeper understanding of the CMMC framework is the greatest tool your team can have. We’re going to lay the most important groundwork for you here.
The CMMC framework is made up of levels, domains, and capabilities: 17 domains with several targeted capabilities each (43 total), covering 171 total controls that are implemented gradually across five maturity levels.
Maturity Levels
Maturity levels are the five steps toward wide-scale adoption of CMMC compliance. Each level measures how thoroughly a given standard is integrated across a company. While not all levels need to be achieved, certain supply chain tasks must comply with the corresponding level of cyber hygiene – the DoD will often indicate the level at which you must be certified. The CMMC states that contractors can “achieve a specific level for its entire enterprise network or for particular segments where the information to be protected is handled and stored.”
- Level 1: Safeguard Federal Contract Information (FCI) with 17 Practices for “basic cyber hygiene” and a Process Maturity goal of performance
- Level 2: Serve as the transition step in cybersecurity maturity progression to protect CUI with 55 new Practices for “intermediate cyber hygiene” and Process Maturity requiring documentation
- Level 3: Protect Controlled Unclassified Information (CUI); full implementation of NIST SP 800-171, with 58 new Practices for “good cyber hygiene” and Process Maturity requiring management
- Level 4: Protecting against Advanced Persistent Threats (APTs), with 26 new Practices that are “proactive” and Process Maturity requiring regular review
- Level 5: Most complex FCI and APT protections, with 15 new “Advanced” or “Progressive” Practices and a Process Maturity goal of ongoing “optimizing”
Domains of the CMMC
CMMC consists of 17 domains, each a distinct group of security practices established and standardized to safeguard FCI and CUI. Each domain has layers of capabilities assigned to it, resulting in 43 total capabilities.
These domains originate from Federal Information Processing Standards (FIPS) 200 and NIST SP 800-171. The CMMC takes these original 14 domains and adds three: Asset Management, Recovery, and Situational Awareness. It is crucial to fully understand the depth of each of these capabilities, as these are the building blocks for full CMMC qualification. Here are the primary focuses for each:
- Access Control (AC): Proper limitations on who accesses data, and when and how it is accessed
- Asset Management (AM): Management and identification of assets
- Audit and Accountability (AU): Data within information systems must be regularly monitored and fully traceable
- Awareness and Training (AT): Cybersecurity training and policy awareness across all personnel
- Configuration Management (CM): Organizational information systems must maintain a documented standard against which their configuration can be judged
- Identification and Authentication (IA): Proper verification of users’ roles and their access to information
- Incident Response (IR): A system for reporting incidents so that they are funneled to the appropriate officials
- Maintenance (MA): Perform timely maintenance for all information systems
- Media Protection (MP): Proper protection and, when necessary, destruction of media in both print and digital formats
- Personnel Security (PS): The hiring and training of reliable personnel, as well as data protection policies and procedures for termination and resignation
- Physical Protection (PE): Limit physical access to information systems and equipment
- Recovery (RE): Continuous management of backups
- Risk Management (RM): Regular risk assessment of assets, personnel, transmission, and storage
- Security Assessment (CA): Routine evaluation of security effectiveness
- Situational Awareness (SA): Implement threat monitoring
- Systems and Communications Protection (SC): Monitor organization-wide communications and the security policies surrounding data
- System and Information Integrity (SI): Timely identification, reporting, and correction of information system shortcomings
Put Processes and Practices in Place
There are many layers to CMMC compliance. It’s important to recognize that the requirements can be broken down into processes and practices that go hand in hand with the CMMC maturity levels.
The CMMC processes to keep in mind are: performed, documented, managed, reviewed, and optimizing. The practices that correspond to these processes are basic cyber hygiene, intermediate cyber hygiene, good cyber hygiene, proactive, and advanced/progressive. As each layer of processes and practices is implemented, a new CMMC level is achieved.
- Level 1: Processes are performed, practices achieve Basic Cyber Hygiene
- Level 2: Processes are documented, practices achieve Intermediate Cyber Hygiene
- Level 3: Processes are managed, practices achieve Good Cyber Hygiene
- Level 4: Processes are reviewed, practices achieve Proactive status
- Level 5: Processes are being optimized, practices achieve Progressive status
Potential Pitfalls of CMMC Compliance Assessment
Passing the CMMC is no easy task. While preparing for your assessment, there are many mistakes that can be made. Whether because the standards differ from NIST 800-171 certification or because of a minor loophole in your cybersecurity policies, many factors can lead to a failed CMMC assessment. Here are the most common ones:
Open items on a Plan of Action and Milestones (PoAM)
A Plan of Action and Milestones (PoAM) is a document that identifies remediation plans for security gaps in an effort to standardize risk mitigation. Unlike regulations under NIST 800-171 and DFARS, CMMC does not allow open PoAM items as a strategy for doing business with the DoD.
The PoAM itself is not against CMMC guidelines. Open items within your PoAM, however, are not accepted during the CMMC compliance certification process. A major source of confusion stems from the allowance of open PoAM items during the NIST 800-171 certification process. Before having a C3PAO come in for assessment, be sure to close out all open items on your PoAM, as these are a major red flag for your assessor.
Overshooting your Target Level
A common mistake in trying to achieve CMMC compliance is not knowing which level of certification to aim for. As we discussed earlier, there are 5 levels – each more demanding to certify against than the last. If you’re responding to a specific request for proposal (RFP), be sure to keep an eye out for level specifications, as the DoD will usually provide that level of detail. Unless you are at the absolute bottom of the supply chain, a good rule of thumb when starting your CMMC assessment is to assume you will need level 3 certification. This puts your company in compliance with all NIST SP 800-171 guidelines and in good cyber hygiene standing.
Cloud Confusion
“Cloud” is the term for any storage location that is accessed remotely. While most IT professionals are familiar with this, it’s important to ensure that all members of your team are too. Especially in a time when remote work and reliance on personal devices are so widespread, providing knowledge-based training to your entire company before, during, and after CMMC is crucial.
During your CMMC compliance assessment, there must be a clear matrix of cloud policies and procedures in place. In particular, avoiding cloud confusion is vital for level 3 clearance. As a reminder, level 3 entails protection of Controlled Unclassified Information (CUI) and full implementation of NIST SP 800-171, with 58 new practices for “good cyber hygiene” and Process Maturity requiring management.
Incomplete or draft policies and procedures
Whether it’s your security plan or your general policies and procedures, it is important to avoid any incomplete documentation. After your self-assessment, be sure to have a team dedicated to cleaning up all policies and procedures. Many companies have overlapping policies that build on one another. It is imperative to triple check that all policies are consistent across your company and contain no placeholder language. Inconsistencies and placeholders are both major red flags to a CMMC assessor.
Not only is having complete and fully implemented data security policies in place necessary for CMMC compliance, but it’s also a critical element of good cybersecurity within a company. Of course, these policies should be updated frequently, but they should never be left incomplete.
Self-assessment is an invaluable and highly recommended tool. However, segmenting and protecting data in a way that achieves CMMC compliance is no easy feat. Anchor is a CMMC and NIST SP 800-171 compliance security solution that can make this intensive process that much easier. Learn more today about how Anchor can help with successful CMMC compliance.