The Department of Defense (DoD) released version 1.0 of the much-anticipated Cybersecurity Maturity Model Certification (CMMC) on January 31, 2020. The framework applies to Defense Industrial Base (DIB) contractors and was designed to protect sensitive government information.
It is common for contractors to use and store sensitive government data to develop and deliver their goods and services. For many years, the U.S. government provided contractors with cybersecurity guidance to help protect confidential data; however, this practice was not failproof.
Today, the CMMC gives government agencies more confidence that their sensitive information is protected by requiring DIB contractors to implement adequate measures to protect the information they handle on their own networks. With the standard nearing finalization, DoD contracts are likely to require CMMC certification by 2025.
Here is a closer look at the CMMC process and how to prepare for a CMMC audit.
Choose The Appropriate CMMC Maturity Level
In November 2021, the DoD released CMMC version 2.0, a more streamlined version of the maturity model. CMMC 2.0 differs from the first version in several ways, including a reduction of levels from five to three. Version 2.0 also dropped 20 security requirements to align with the 110 security controls of NIST SP 800-171. Plans of Action and Milestones (POAMs) were not allowed under version 1.0, but limited use is permitted in 2.0.
The new CMMC 2.0 levels are broken down by the type of information that a DIB company can handle. These levels include:
- Level 1 (Foundational) – The first CMMC level applies only to companies whose obligation is limited to protecting federal contract information (FCI). Level 1 is based on the 17 controls outlined in FAR 52.204-21.
- Level 2 (Advanced) – The second level of the CMMC model is for companies that work with controlled unclassified information (CUI). These advanced requirements align with NIST SP 800-171 and include the 14 requirement families and 110 security controls developed by NIST.
- Level 3 (Expert) – The third and final CMMC level focuses on reducing the risk of advanced persistent threats (APTs). It is geared towards companies that work with CUI on the DoD’s highest priority programs.
Complete The NIST 800-171 Self-Assessment
The DoD requires contractors who handle or store CUI to develop a System Security Plan (SSP) and complete a NIST 800-171 self-assessment. There are several steps involved in this process, including:
1. Obtain a CAGE Code
Throughout the NIST 800-171 assessment process, a commercial and government entity (CAGE) code will be needed. A CAGE code is a five-character alphanumeric identifier for a particular government or commercial entity. A CAGE code can be obtained from the Defense Logistics Agency (DLA).
2. Receive an ECA Certificate
An external certification authority (ECA) certificate is required if a contractor does not have a common access card (CAC). An ECA certificate is a digital credential used to confirm an individual’s identity and affiliation with a company.
3. Conduct an Assessment
Security controls are grouped into 14 categories, known as CUI Security Requirement Families. Focus on one family at a time to ensure that the review is performed thoroughly. Work through each assessment objective to confirm that no security gaps or risks remain unaddressed.
4. Establish an SPRS Access Workstation
The next step involves accessing the Supplier Performance Risk System (SPRS) via the Procurement Integrated Enterprise Environment (PIEE). The workstation used to access PIEE must adhere to strict software and hardware requirements.
5. Report the Score Through SPRS
After determining the self-assessment score, report it to the DoD by entering it into SPRS, following the NIST SP 800-171 Quick Entry Guide.
Work With A CMMC Consultant
With the rollout of CMMC, new security requirements will soon apply to most DIB contractors. To ensure a smooth process, companies that work under government contracts should start preparing now. One of the best ways to ensure that a CMMC self-assessment is completed accurately is to work alongside a reputable CMMC consultant.
A CMMC consultant can provide a variety of services and solutions to help DIB contractors prepare for an upcoming CMMC audit. An experienced cybersecurity consultant can help contractors determine the best solutions for their company with the least amount of impact on business processes.
A CMMC consultant can also provide NIST SP 800-171 compliance solutions that enable contractors to quickly and cost-effectively implement and document the full set of NIST SP 800-171 controls. CMMC consultants can even conduct gap assessments to help contractors understand where security gaps remain.
Contact the Experts at SeaGlass Technology
Becoming CMMC compliant can help businesses form better partnerships, improve customer relations and avoid hefty fines. The team of IT managed service providers at SeaGlass Technology has the experience needed to help contractors meet complex compliance requirements. To learn more about how to prepare for a CMMC audit or to schedule a consultation with a CMMC consultant, contact SeaGlass Technology.