As your organization works to ready itself for CMMC, chances are you are performing a lot of research. Here’s some information to get you started.
The DOD states, directly on their website, “To protect American ingenuity and national security information, the DOD developed the Cybersecurity Maturity Model Certification (CMMC) 2.0 program to reinforce the importance of DIB cybersecurity for safeguarding the information that supports and enables our warfighters.”
Communicating the need and urgency of initiatives like CMMC, Christopher Wray, FBI Director, had this to say while speaking at a security conference in Munich, “The cyber threat posed by the Chinese government is massive.” The time for improving your company’s cybersecurity posture is now.
Why implementing CMMC requirements makes sense
Since 2015, primes and subcontractors in the defense industrial base (DIB) have been required to implement the 110 controls of NIST 800-171 to meet the mandate of the original DFARS 7012 clause, which is in well over a million contracts today. Practically speaking, CMMC is the enforcement of what’s been required for almost a decade.
CMMC Level 2 is essentially the same 110 controls that have long been required to protect Controlled Unclassified Information (CUI) without verification. CMMC Level 2 is simply the independent, third-party validation of compliance with the requirements that have long been attested to by defense contractors.
CMMC 2.0 has three key features. It is a tiered model with each level serving as the building block for the next one; adds a third-party assessment requirement; and is implemented through contracts meaning moving forward defense contractors need to demonstrate compliance to win new work. To our knowledge, this is the first cybersecurity requirement in the world that is a pre-revenue requirement. That means that before you can recognize revenue from a DOD contract, you will be required to have this independent third-party verification of your compliance with CMMC.
Findings from the Defense Contracts Management Agency (DCMA)
There are three DFARS clauses that all companies with DOD contracts today must comply with: DFARS clause 7012, which is effectively CMMC Level 2; DFARS 7019; and DFARS 7020.
DCMA routinely performs audits of contractor compliance with the DFARS 7012 clause and has found, on average, contractors’ self-assessments of compliance are far more generous than the government audits. On average a DCMA audit scores contractors one hundred points or more lower than contractors are scoring themselves. The most egregious case was a self-assessing contractor that rated themselves as a perfect 110. When the DCMA did their audit, they rated that same contractor a negative -203. This significant gap highlights the risk of self-assessing compliance, as understanding and meeting the requirements are challenging.
The Three Levels of CMMC 2.0
Level 1: Foundational – Protection of Federal Contract Information (FCI)
This entry-level certification is required for all companies that handle FCI and focuses on safeguarding that information. It includes 17 cybersecurity practices drawn from the FAR 52.204-21 (Federal Acquisition Regulation) and NIST SP 800-171. Basic access controls, identity authentication, physical controls, and anti-malware are key components of Level 1 protections.
FCI is anything that’s not publicly releasable in your engagement or work with the federal government. It could be as simple as anything that you wouldn’t post on your public website, such as an email between you as a contractor and a federal point of contact. There are no labeling or marking requirements, but you are expected to protect this information with these 17 requirements.
Level 2: Advanced – Protection of FCI and CUI
Level 2 certification significantly extends beyond the foundational protections of Level 1, encompassing 110 security requirements across 14 control families as specified in NIST SP 800-171. While Level 1 covers basic controls for Federal Contract Information (FCI), Level 2 introduces a comprehensive framework for protecting Controlled Unclassified Information (CUI).
Key elements of Level 2 include:
- System Security Plan (SSP): Developing and maintaining a detailed plan that outlines how security controls are implemented, monitored, and updated to ensure their effectiveness.
- Advanced Access Control: Implementing refined access controls to ensure only authorized users can access CUI, including controls for both physical and logical access.
- Incident Response and Continuous Monitoring: Establishing procedures for identifying, reporting, and responding to security incidents, along with real-time monitoring of systems to detect potential threats.
- Configuration Management: Enforcing secure configurations and change management processes to reduce system vulnerabilities and maintain consistency across all environments.
- Audit and Accountability: Tracking access and system activity to detect unauthorized actions and ensure accountability across the organization.
- Media Protection and Secure Communication: Establishing controls for handling and sanitizing physical media containing CUI, and securing communications to prevent unauthorized access during data transmission.
These elements, among others, make Level 2 a robust, data-centric approach to cybersecurity, with practices that collectively ensure the secure handling, processing, and storage of CUI. The certification process requires a Cyber-AB certified assessor (C3PAO) to verify compliance, aligning closely with the requirements of DFARS 7012 to protect sensitive defense information.
Level 3: Expert – Protection of FCI and CUI
This is the highest level of CMMC certification, intended for companies that handle CUI in scenarios that the DOD may consider particularly sensitive. Level 3 builds upon the 110 security requirements from Level 2 with additional requirements likely to be derived from NIST SP 800-172, which provides further guidance on safeguarding CUI with enhanced security controls. These additional requirements are designed to strengthen an organization’s ability to detect, respond to, and recover from complex cybersecurity challenges. However, the specific criteria for determining which companies will need Level 3 certification, along with the final requirements, scoping, and assessment guides, have not yet been established.
In the next installment of this series, we will explore the challenges and estimated costs involved in implementing CMMC Level 1 controls within your organization. In the meantime, contact us with any questions you have about how to get your company started on the road to compliance. We are the CMMC experts—and we are here to help.