What do you Need to Know About CMMC?
There are different CMMC “levels”, with requirements that vary based on the sensitivity of the information an organization handles. This article covers the key points you need to know about CMMC certification: what it is, why it matters, and what it requires.
In today’s increasingly high-tech and interconnected world, cybersecurity risk poses an enormous national security threat. The Cybersecurity Maturity Model Certification (CMMC) program was developed by the United States Department of Defense (DoD) to vet the cybersecurity practices of business, academic and governmental entities. Companies that work with the DoD, and form part of the defense industrial base (DIB), are now required to obtain a CMMC and follow stringent regulations. There are different CMMC “levels” with regulations that vary based on the sensitivity of the information they work with. Obtaining a CMMC can be a lengthy process. However, once a CMMC framework is established and CMMC best practices are in place, companies can do business with the DoD. This article discusses the key points you need to know about CMMC certification: what it is, why it matters, and what it requires.
The CMMC was established in 2019 by the DoD. The purpose of the new certification was to transition the verification of cybersecurity practices of DIB organizations from “self-assessing” to a system of third-party verification through an external audit - similar to ISO standard procedures - or by direct government verification. CMMC assessments can only be conducted by a C3PAO, which is a service provider accredited by the CMMC Accreditation Body (CMMC-AB).
CMMC is used to evaluate contractors based on the requirements established in various existing standards (such as NIST SP 800-171 Rev 2) and to characterize how mature, or robust, a company’s cybersecurity practices are. By requiring this certification, the DoD can determine whether a company has the capability not only to safeguard its digital operations but also to optimize its cybersecurity system to make it more efficient. Additionally, CMMC-AB evaluates the speed and completeness of an organization's response to cybersecurity threats. There are five clearance levels that indicate the maturity of an organization's cybersecurity protocols - with Level 1 being the lowest and Level 5 the highest. Levels 4 and 5 apply only to companies that manage data that may be targeted by foreign nation-states. As CMMC levels increase, a company’s cybersecurity practices are expected to become more comprehensive, efficient, and effective.
While the origin of CMMC dates back to 1986 when the Capability Maturity Model (CMM) was established, the standards in the CMMC program have become intertwined with other cybersecurity protocols. CMMC became more robust over time to accommodate new cybersecurity threats from foreign adversaries.
About 300,000 private companies, universities, and contractors comprise the DIB. This vast, globally interconnected web of entities is critical to national security and forms a significant portion of the US economy through research, development, engineering, manufacturing, and services. Each organization within the DIB has sensitive government data and information necessary for the manufacture and delivery of critical goods and services. A cyberattack against the DIB supply chain could have catastrophic effects on national security due to losses of intellectual property and classified information. In 2020, it was estimated that the cost of cybercrime globally was around $1 trillion - more than 1% of the GDP of the world. As a result, the DoD has taken several steps to ensure data security and minimize the occurrence of data breaches. One such step is requiring all DoD contractors to obtain a CMMC certification that is audited and verified by a third party.
Any organization that contracts with the DoD and has access to sensitive or classified information must comply. While some organizations only have access to non-classified information and require only a Level 1 clearance, organizations with more sensitive information may need a Level 2 clearance or higher.
Most CMMC certifications are not eligible for self-certification. Thus, most organizations retain a third-party auditor to guide them through the certification process. The target certification level determines the requirements that an organization must fulfill. The certification tiers build on the requirements of the preceding level. For Level 1 clearance, self-assessment is acceptable. For Level 2 and Level 3, third-party certification is required. The current version of the CMMC is the CMMC Model 2.0. Each level from 1-3 is described below:
Level 1 requirements deal with basic cyber hygiene and the safeguarding of federal contract information (FCI). FCI is information that is not intended for the public but is provided to certain government suppliers of products and services. These requirements are established in DoD's 48 CFR 52.204-21. The requirements for this level are generally related to:
- Limiting information access (including knowledge, transactions, and data) to authorized users only - both in-person and online
- Destroying FCI on documents and files
- Monitoring, logging, and auditing of access to sensitive information, among other things
The protection of information requires cybersecurity practices such as encryption, firewalls, and controlled access. Organizations can be certified at Level 1 clearance through self-assessment.
Level 2 certification is required for organizations with access to Controlled Unclassified Information (CUI). The requirements for Level 2 certification are based on those established in NIST SP 800-171, which itself contains requirements established by the DoD through the Federal Acquisition Regulation (FAR) and the Defense Federal Acquisition Regulation Supplement (DFARS).
The requirements for Level 2 are more specific than those for Level 1. In Level 2, many of the safeguards established in Level 1 (encryption, firewall, controlled access) must be verified by a third party rather than by self-assessment. Compliance is to be documented by a company-developed System Security Plan (SSP) and a self-assessment score submitted to the Supplier Performance Risk System (SPRS).
Level 3 builds on Level 2 and is based on NIST SP 800-172 - which itself builds on NIST SP 800-171. Essentially, Level 3 and SP 800-172 are enhanced versions of CMMC Level 2 and SP 800-171, respectively. Level 3 also establishes requirements related to safeguarding CUI. Level 3 requirements are generally related to:
- Emphasized protection against advanced persistent threats (APTs)
- Stricter requirements on access to CUI
- Comprehensive requirements for training staff on elements of cybersecurity
- Strengthening of identification and authentication controls
- The establishment of a centralized Security Operations Center (SOC) that monitors and defends cyber networks
Perhaps the biggest benefit to obtaining a CMMC certification is that it allows organizations to have peace of mind knowing that sensitive and classified information is safeguarded. Effective cybersecurity practices are a minimum hurdle that must be met to work with government defense agencies. Aside from that, other benefits of CMMC certification include:
- CMMC certification allows organizations to establish comprehensive cybersecurity practices, from basic cyber hygiene to advanced practices such as secure coding and encrypted keylogging.
- CMMC allows businesses and organizations to prepare for and prevent cyberattacks.
- CMMC allows organizations to contribute to the resilience of the cybersecurity structure of the DoD and DIB.
- CMMC certification allows organizations to have the resources necessary to recover from cyberattacks without serious financial repercussions.
Effective cybersecurity is paramount to ensuring that sensitive information remains safe. Any organization looking to work with the federal government and DoD must obtain the CMMC for the required level. For more information on CMMC and how to become certified, contact a Xometry sales representative today.