What is CMMC?
Wait, what, another cybersecurity standard to implement?!? Yes, amongst all the available choices from NIST, FIPS, ISO, COBIT, ISACA, PCI, and many others, a new standard has been developed. This one is slightly different from the others: it is targeted at organizations charged with protecting sensitive, albeit unclassified, information that is created, processed, transmitted, and accessed while providing goods and services to the US Department of Defense. This blog post will introduce the CMMC standard to you and hopefully answer some of your questions.
What is the CMMC exactly?
To answer that question, I will need to provide a bit of a history lesson. In 2015, the US Department of Defense published a DFARS (Defense Federal Acquisition Regulation Supplement) clause which required private companies providing goods and services to the Department of Defense (DoD) to adopt cybersecurity standards. The standard that organizations had to adhere to at the time was NIST Special Publication 800-171, titled “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations”; you can download the standard directly from NIST (https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final). NIST SP800-171 consists of 110 security requirements arranged in 14 control families, and it focuses primarily on protecting the confidentiality of sensitive unclassified information used within DoD’s supply chain.
After several high-profile data breaches, this new DFARS clause was a refreshed effort to protect the US defense supply chain from foreign and domestic cyber threats. NIST SP800-171 is a confidentiality standard, and although it recommends very prudent measures to prevent unauthorized access to sensitive information, it is not a one-size-fits-all standard. Due to slow adoption, and in some cases false claims regarding contractors’ compliance with 800-171, the DoD developed the Cybersecurity Maturity Model Certification (CMMC). The goal of the CMMC is to ensure appropriate levels of cybersecurity controls and processes are in place to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI), while not subjecting all private organizations to the same set of requirements. FCI is information provided by or generated for the Government under contract that is not intended for public release. CUI is information that requires safeguarding or dissemination controls pursuant to and consistent with laws, regulations, and government-wide policies; CUI can be viewed as intellectual property that, if leaked to the wrong audience, could jeopardize DoD’s mission of securing America. Ensuring these appropriate levels of controls are in place is handled by CMMC’s multiple maturity levels, which range from “Basic Cyber Hygiene” to “Advanced”. In addition to being compliant to a certain level, contractors will soon be required to be audited to prove their compliance. CMMC audits must be performed by an unbiased third party. This is a drastically different requirement from the previous self-attestation of compliance that the DFARS clause called for.
The CMMC model consists of maturity processes and cybersecurity best practices sourced from multiple cybersecurity standards, frameworks, and other references, as well as inputs from the broader community. The model encompasses the basic safeguarding requirements for FCI specified in Federal Acquisition Regulation (FAR) Clause 52.204-21 and the information security requirements for protecting CUI specified in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 per Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012. What this means is that organizations supplying goods and services to the DoD will be required to be compliant with the level of cybersecurity controls needed to adequately protect the data they handle in providing the contracted services. For example, if your organization provides lawn care services to a DoD facility, you will likely only need to implement Level 1 controls, which are considered basic. Whereas, if you provide research and development services or components that find their way into a defense system, you will likely need to be compliant with Level 3 (or higher) controls. If you only provide commercial off-the-shelf (COTS) products to the DoD, you will not need to be compliant with the CMMC.
What are the different levels?
- Level 1: Designed for organizations required to safeguard Federal Contract Information (FCI). This level is consistent with basic cyber hygiene and requires the implementation of 17 controls. All 17 controls are sourced from the NIST SP800-171 standard. This is the level with which most contractors will need to be compliant.
- Level 2: Designed to serve as a transition step in cybersecurity maturity progression to protect CUI; organizations likely will not pursue certification at this level. This level is consistent with intermediate cyber hygiene. To be compliant, it requires 55 additional controls beyond Level 1 to be implemented (72 in total). 48 of those 55 controls are sourced from the NIST SP800-171 standard; the remaining 7 are new. Level 2, albeit not a maturity level believed to be required for any DoD contracts, is meant to allow organizations to progress to Level 3 over time. It would be an ideal level to work towards for DoD suppliers that do not process CUI in providing their contracted services.
- Level 3: Designed for organizations that are creating, processing, receiving, or transmitting Controlled Unclassified Information (CUI). This level is consistent with good cyber hygiene. To be compliant, organizations must implement all 110 NIST SP800-171 controls and an additional 20 new requirements (130 in total).
- Levels 4-5: Protect CUI and reduce risk of Advanced Persistent Threats (APTs). These levels will be reserved for highly sensitive projects, products, or services. It is believed that only a small number of DoD contractors will need to be compliant to level 4 or 5 requirements.
The CMMC model consists of 17 domains. Most of these domains originate from the security-related areas in Federal Information Processing Standards (FIPS) Publication 200 (https://csrc.nist.gov/publications/detail/fips/200/final) and the related security requirement families from NIST SP 800-171. The CMMC model also includes the three additional domains of Asset Management (AM), Recovery (RE), and Situational Awareness (SA). The full list of 17 domains is:
- Access Control (AC)
- Asset Management (AM)
- Audit and Accountability (AU)
- Awareness and Training (AT)
- Configuration Management (CM)
- Identification and Authentication (IA)
- Incident Response (IR)
- Maintenance (MA)
- Media Protection (MP)
- Personnel Security (PS)
- Physical Protection (PE)
- Recovery (RE)
- Risk Management (RM)
- Security Assessment (CA)
- Situational Awareness (SA)
- System and Communications Protection (SC)
- System and Information Integrity (SI)
Who maintains the CMMC?
The CMMC model was originally created by Carnegie Mellon University and The Johns Hopkins University Applied Physics Laboratory LLC, based upon work funded and supported by the Department of Defense under Contract No. FA8702-15-D-0002 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center, and under Contract No. HQ0034-13-D-0003 and Contract No. N00024-13-D-6400 with The Johns Hopkins University Applied Physics Laboratory LLC, a University Affiliated Research Center. The day-to-day execution of the CMMC program is being handled by the CMMC Accreditation Body (CMMC-AB), a not-for-profit, non-government organization. Per the CMMC-AB web site, “The CMMC Accreditation Body is authorized by the US Department of Defense to be the sole authoritative source for the operationalization of CMMC Assessments and Training with the DOD contractor community, or other communities that may adopt the CMMC”. You can learn more about the CMMC-AB on their website - https://cmmcab.org/.
What should I do now about CMMC?
The DoD supply chain consists of approximately 300,000 contractors. It is believed that only about 20% will need to be compliant with Level 3 (or higher) controls. All DoD contractors will need to be compliant with CMMC Level 1 controls. Knowing what information you receive or create to provide your goods and services to the DoD, and how sensitive it is, is important in planning your CMMC journey. If you are unsure whether you handle or receive CUI, it is recommended to reach out to the DoD partners or prime contractors to which you provide services and confirm the level you need to be compliant with.
At a minimum, all organizations within the DoD supply chain should do the following:
- Review your DoD contracts: do they include DFARS Clause 252.204-7012? They almost certainly do; this means you already attest to being fully compliant with the NIST SP800-171 standard.
- Conduct a self-assessment (or get help from a partner organization) against the NIST SP800-171 standard. Since this is likely a requirement in your current contracts, you need to be aware of what gaps you might have in your current cybersecurity practices.
- Create a System Security Plan (SSP) and a Plan of Action and Milestones (POA&M). A system security plan is essentially the document that explains how you are meeting the 110 NIST controls, or how you plan to meet those controls where there are current gaps. A plan of action and milestones is a running ledger of all the gaps you identified in your self-assessment of the 110 NIST controls, with applicable owners, due dates, and progress notes. You can find templates for these documents on NIST’s website - https://csrc.nist.gov/publications/detail/sp/800-171/rev-1/archive/2018-02-20.
- As of November 2020, organizations must provide their NIST SP800-171 assessment score to the Supplier Performance Risk System (SPRS) to be eligible for new contracts. Once you have completed your self-assessment of the NIST SP800-171 standard, you need to log into https://www.sprs.csd.disa.mil/ and submit your score, along with the date by which you expect to reach a perfect score (i.e., be fully compliant with all 110 security controls). Your SPRS score will range from -203 to 110. It is a subtractive scoring system: you start at 110, and if you are compliant with all 110 controls of the 800-171 standard you keep the perfect score of 110. Controls are weighted differently, so each control you have not implemented costs you 5, 3, or 1 point depending on its weight. You can find a scoring template in DoD’s NIST SP800-171 Assessment Methodology document v1.2.
- To fulfill the DFARS 252.204-7012 incident notification requirement, organizations need to procure a medium assurance certificate. This contractual obligation states that if you experience a cyber incident impacting CUI, you must notify the DoD within 72 hours. In order to prove your identity to the notification system (DIBNet), you must have this certificate. It takes about a week to acquire one, so having it ahead of time is the only way to ensure you can meet the notification deadline. You can learn more about getting this certificate from https://public.cyber.mil/eca/.
How do I get help with CMMC?
At the time of writing this blog post, there are no organizations certified by the CMMC-AB to conduct official CMMC audits. The CMMC-AB is working hard to get assessing organizations, referred to as C3PAOs (certified third-party assessing organizations), and certified assessors (i.e., the trained professionals who conduct the assessments) trained and certified. Also, only a small number of contracts have been identified that will absolutely require an audit and certification to a particular CMMC level at this time. DoD is phasing the CMMC requirements into contracts starting in late 2020 through 2025. Until the workforce is built out to support your certification process, it is recommended to conduct a self-assessment to determine your CMMC readiness. The CMMC-AB maintains a marketplace on their website (https://cmmcab.org/marketplace/) where you can search for vendors conducting CMMC work in your area.
Can Purdue cyberTAP help with CMMC?
Absolutely, cyberTAP can assist you with conducting a CMMC readiness assessment. This can be conducted remotely or onsite depending on your location, COVID-19 requirements, and the type of network infrastructure you maintain. CMMC is composed primarily of administrative (e.g., policy, procedural) and technical (e.g., application, system, network) controls, but there are a few requirements to assess the physical security of information technology assets, facilities, and media storing CUI. If you are a manufacturing organization, please reach out to Eugene Jones (firstname.lastname@example.org). If you are a non-manufacturing organization, please reach out to George Bailey (email@example.com) for more information.
About the author
Assistant Director, Cyber Services