What Defense Contractors Need to Know About the US Government’s CMMC Requirements



September 18, 2020

Just like any other organization, the cybersecurity of the US Department of Defense (DoD) is only as strong as its weakest link. Currently, many of the contractors and subcontractors providing products and services to the US DoD are not subject to its strict cybersecurity requirements. These smaller companies are often targets for cyber-attacks because they don’t have the same levels of cybersecurity that larger organizations have, and they can therefore serve as an entry point for attackers to move up the DoD supply chain.

Because of the alarming increase and continual threat of supply chain attacks from both nation-states and cybercriminals alike, and the high cost of government data loss from even its smallest contractor, the US Government has decided to implement a Cybersecurity Maturity Model Certification (CMMC) across its entire Defense Industrial Base (DIB) supply chain of contractors and subcontractors.

If you are one of the hundreds of thousands of organizations contracted directly to the United States DoD, or working as a subcontractor to prime contractors, you form part of its DIB supply chain. This means you’re required to achieve a CMMC certification level prior to bidding on contracts. And it means you’ll need a CMMC certification level to maintain the contracts you currently hold.

What is the Cybersecurity Maturity Model Certification (CMMC)?

The CMMC framework implements cybersecurity best practices by standardising existing data protections and practices across multiple US departments and agencies. These new unified cybersecurity standards ensure the security of government data on its DIB networks, replacing the previous Defense Federal Acquisition Regulation Supplement (DFARS) requirements.

There are two types of unclassified information DIB contractors and subcontractors handle – Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) – but the CMMC has been mainly implemented to protect CUI. 

Although CUI is not classified information, it still requires some level of protection from unauthorized access and release due to privacy, law enforcement, contractual protections and other reasons.

How Does CMMC Impact Your Organization?

Previously, DIB organizations could self-certify their security compliance. They were responsible for the implementation, monitoring and certification of the security of their information technology systems, as well as any sensitive DoD information stored on or transmitted by those systems.

As a part of CMMC’s introduction, DIB organizations contracting and subcontracting to the US DoD can no longer self-certify their compliance. Instead they are now required to attain CMMC certification by completing an assessment of all their CMMC-related practices, which is then independently assessed.

Preparation for the assessment requires identifying the current gaps in processes and policies, followed by remediation. Ideally, this work is performed by security practitioners with the level of expertise required to efficiently work towards developing a roadmap for an organization. These same organisations – CMMC Registered Practitioner Organizations (CMMC RPOs) – then help contractors and subcontractors prepare for assessment by a CMMC third-party assessment organization, or C3PAO, which leads to CMMC certification.

All of this means that before your DIB organization can work on US DoD contracts, you will need to ensure that all CMMC requirements are implemented for the level you are applying to contract at, and this compliance needs to be assessed and approved by a C3PAO.

One such approach comes from eFortresses, which offers a CMMC Scorecard that provides a roadmap prepared by qualified security practitioners. The roadmap is based on the following workstreams:

  • Validate – your current cybersecurity level to objectively assess, provide industry benchmarks and an effective roadmap for your journey towards CMMC Level 3
  • Remediate – your gaps in current cybersecurity controls that could potentially present a roadblock in your journey towards CMMC Level 3
  • Certify – your cybersecurity program using an Accredited Certified Third-Party Assessment Organization

What is the Difference between CMMC and DFARS?

The Defense Federal Acquisition Regulation Supplement (DFARS) was implemented by the US DoD in 2016 to protect sensitive government data from cybersecurity attacks. However, as the US Government comes under increasing threat of cyberattack, it has decided to launch the Cybersecurity Maturity Model Certification framework to enhance its cybersecurity defense along its supply chain. 

CMMC and DFARS have a lot of similarities and they both target how your DIB organization uses security controls to protect CUI, but the biggest difference between the two is CMMC’s maturity levels.

Let’s take a closer look at the CMMC Model Framework.

How is the Cybersecurity Maturity Model Certification Model Framework Structured?

The CMMC model framework organizes processes, capabilities and cybersecurity best practices within a set of 17 capability domains. 

It contains 171 cybersecurity best practices that progress across five cybersecurity maturity levels.

Instituting cybersecurity processes into the CMMC framework ensures all DIB cybersecurity activities are consistent, repeatable, and of high quality.

[Figure: Cybersecurity Maturity Model Certification Capability Domains and Levels]

CMMC Maturity Process Progression Across Five Levels of Certification

The CMMC standard is assessed across five levels of maturity, with Maturity Level 1 requiring the most basic cyber security and Maturity Level 5 requiring the most advanced.

[Figure: Cybersecurity Maturity Model Certification Levels]


Requirements are cumulative, so requirements at Maturity Level 1 are also required at Maturity Level 2, requirements at Maturity Level 1 and 2 are also required at Maturity Level 3, and so on.

To become certified at any of the CMMC levels, you must demonstrate both the technical practices and maturity processes defined in that level, as well as those in the preceding, lower levels. For example, if you demonstrate practice implementation at Level 3, but only have maturity processes implemented at Level 2, you can only receive a Level 2 certification.

What Level of CMMC Does Your Organization Need to Achieve?

The Maturity Level you need to achieve will depend on whether you need to protect only FCI or CUI as well.

  • Maturity Levels 1 and 2 are basic and intermediate cybersecurity that allow you to protect FCI but not CUI.
  • Maturity Level 3 is Good Cyber Hygiene and the lowest level at which you can receive CUI in any domain.
  • Maturity Level 4 is Proactive, focusing on activities your organization can take to detect, protect and respond to changing tactics used by advanced persistent threats (APTs).
  • Maturity Level 5 is Advanced/Progressive requiring process implementation and enhanced practices that provide more sophisticated capabilities to detect and respond to APTs.

What Actions Should Your DIB Organization Take Now?

If you’re a DoD contractor or subcontractor, having a full understanding of the CMMC’s technical requirements will prepare your DIB organization for certification, as well as cementing your long-term cybersecurity agility.

If you start now to evaluate your cybersecurity hygiene practices, procedures and gaps, then when the details are finalized you will be well-positioned to navigate the process and meet the mandatory CMMC contract requirements for your upcoming projects.

Cocoon Data works with DIB organizations worldwide to navigate government compliance regulations. So, we know how challenging it can be for defense contractors to keep up with regularly evolving compliance requirements. Our organization is fully certified to ISO 27001 and we undertake regular external audits to ensure we meet strict, documented standards.

Contact us to find out how using SafeShare can assist in obtaining your Cybersecurity Maturity Model Certification (CMMC).
