In an effort to secure the Defense Industrial Base (DIB), the Department of Defense (DoD) is implementing the Cybersecurity Maturity Model Certification (CMMC). The DoD announced this next stage in DIB security in mid-2019 and has since publicly released several drafts, including 0.4, 0.6, 0.7, and CMMC 1.0.
The DIB is a valuable target for cybercriminals. CMMC is a certification standard designed to improve cybersecurity practices across the DIB and reduce the risk of cyberattacks. Learn more about CMMC certification and how this program works.
What Is CMMC Certification?
The Cybersecurity Maturity Model Certification is a new certification used to verify that DoD contractors and subcontractors have sufficient controls in place to safeguard sensitive data, including Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). This consolidated cybersecurity standard is now mandatory for anyone who does business with the DoD and requires a third-party assessment from a certified auditor.
DIB contractors are responsible for storing and using sensitive government data to help create and deliver goods and services. CMMC helps ensure that this information remains secure and out of the reach of cybercriminals. Although the U.S. government has provided contractors with cybersecurity guidance for many years, contractors were not obligated to prove the strength of their cybersecurity programs. The new set of certifications under CMMC requires contractors to achieve certification before being awarded future government contracts.
With CMMC, the DoD aims to:
- Help contractors defend against cyber risks
- Assure compliance by requiring third-party validation
- Verify that contractors have solid controls in place to protect DIB data
- Establish levels of compliance that align with varying amounts of risk
- Promote improved security at a manageable cost
CMMC Certification Levels
The CMMC model framework is made up of 17 domains. Within each domain are capabilities that span five levels. Across these five levels are 171 practices, and each level includes the processes and practices of the levels below it. Cybersecurity processes are subject to CMMC audits at Levels 2 through 5. Here is a look at the five levels in more detail.
CMMC Level 1
Cybersecurity Maturity Level 1 is considered the “basic cyber hygiene” level. This level includes 17 practices that relate to the basic safeguarding requirements in 48 CFR 52.204-21. It also addresses six domains: system and information integrity, system and communication protection, physical protection, media protection, identification and authentication, and access control. No maturity processes are assessed at Level 1.
CMMC Level 2
CMMC Level 2 is known as the “intermediate cyber hygiene” level and is intended to act as a mid-level stage for contractors looking to progress to Level 3 certification. Level 2 includes all practices found under Level 1 and has an additional 48 practices derived from NIST SP 800-171. Businesses at this level have developed a cybersecurity posture that can guard against unskilled cyber threats.
CMMC Level 3
Any contractor that stores, creates, or receives CUI must meet CMMC Level 3 certification. Level 3 builds upon the practices found in Levels 1 and 2 and focuses on establishing good cyber hygiene to protect controlled unclassified information. Known as the “Good Cyber Hygiene” level, CMMC Level 3 includes 110 security requirements and an additional 20 practices.
CMMC Level 4
CMMC Level 4 is considered the “proactive” phase and requires enhanced cybersecurity practices able to withstand advanced persistent threats (APTs), that is, long-term malicious campaigns aimed at obtaining sensitive information. Businesses that wish to meet CMMC Level 4 compliance must review and document their activities for effectiveness and report any issues to upper management. Level 4 adds an extra 26 cyber hygiene practices for a total of 156 hygiene practices.
CMMC Level 5
The final CMMC level is the “advanced or progressive” level, which focuses on the protection of CUI from APTs through the implementation of sophisticated cybersecurity capabilities. Level 5 organizations are expected to standardize process implementation throughout their enterprise. CMMC Level 5 includes 15 additional practices, totaling 171 cyber hygiene practices.
Tips For Becoming CMMC Certified
Organizations that wish to become CMMC certified must be audited by a certified third-party assessment organization (C3PAO). However, they must first prepare, which requires extensive planning and the rollout of the cybersecurity practices required at the target CMMC level. These tips can help:
- Start early – Do not wait until the last minute to prepare for CMMC certification. It is important to gradually implement cybersecurity practices so that potential weaknesses can be discovered and resolved.
- Conduct a gap assessment – A gap or readiness assessment can determine the differences between the current cybersecurity plan and where the organization needs to be to reach the desired level of certification.
- Develop a remediation plan – Achieving the desired level of compliance requires applying a remediation plan that shows an actionable timeline to complete goals.
- Practice ongoing cybersecurity – Organizations are expected to practice ongoing cybersecurity, which involves continuously monitoring, detecting, and reporting cybersecurity incidents.
Speak With The NYC IT Experts
Interested in learning more about how CMMC certification works? Connect with our experienced, managed IT service providers at SeaGlass Technology. Reach out to us online or by calling us at 212.886.0790.