In the News

March 31, 2021   •   4 minute read

What Is Cybersecurity Maturity Model Certification (CMMC)?

The U.S. Department of Defense (DoD) developed the Cybersecurity Maturity Model Certification (CMMC) as a unifying standard for cybersecurity implementation within the Defense Industrial Base (DIB). Protecting Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) is of critical importance, and rests at the core of this initiative. For verification, the framework includes a certification element to assess the implementation of processes and practices necessary for the required maturity level.

The phased rollout of CMMC is presently underway, with some requests for proposal (RFPs) issued, including the qualification. For now, some contracts require adherence to National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, but this will shift over time until CMMC is standard in 2025. Businesses should start preparing for certification now, by enhancing their security posture through continuous monitoring.

Building on NIST 800-171

Passed in 2003, NIST 800-171 sets security standards to protect Controlled Unclassified Information (CUI) in Non-Federal Information Systems and Organizations. This information is potentially sensitive but not as strictly regulated as classified documents. Before the implementation of NIST 800-171, agencies set their own standards, which posed security concerns for sharing information with those under different guidelines.

The DoD, General Services Administration (GSA), National Aeronautics and Space Administration (NASA), and other government agencies require contractors to comply with NIST 800-171 in 14 key areas: access control; audit and accountability; awareness and training; configuration management; identification and authentication; incident response; maintenance; media protection; personnel security; physical and environmental protection; risk assessment; security assessment; system and communications protection; and system and information integrity.

NIST 800-171 compliance requires self-certification using a designated handbook. CMMC builds on this by incorporating similar requirements but implementing a professional assessment through Third-Party Assessment Organizations (C3PAOs). For CMMC, potential contractors must also demonstrate they can handle evolving cyber threats. 

Certification Levels

CMMC has five tiers. Each level builds on the requirements of that before it and represents an increasingly mature posture. A contract may call for any of these tiers, depending on the function the contractor will perform.

Level 1

This most primary level covers basic safeguarding essential to cyber hygiene. To meet this qualification, organizations must perform the same processes outlined in 48 CFR 52.204-21, including limiting information system access, updating malicious code protection mechanisms, and more. 

Level 2

Considered intermediate cyber hygiene, this level includes additional protections that begin to safeguard CUI. Organizations must also document policies and practices to ensure they are repeatable. 

Level 3

Businesses that will either generate or require access to CUI should aim for this level, at a bare minimum. Level 3 denotes good cyber hygiene with controls that meet the standards set forth by NIST SP 800-171, as well as additional threat mitigation practices. Organizations must also have a plan that demonstrates the management of practice implementation. Defense Federal Acquisition Regulation System (DFARS) clause 252.204-7012 applies to some organizations, adding more requirements, such as incident reporting. 

Level 4

This level reflects a proactive cybersecurity program capable of adapting protections to address evolving tactics, techniques, and procedures (TTPs) of advanced persistent threats (APTs). Organizations should review activities for effectiveness, document their findings, and report issues to high-level management.

Level 5

As the highest level, this distinction is marked by advanced and progressive practices with demonstrated optimization capabilities. Process implementation should be standardized and optimized across the organization. 

Don’t Just Focus on Certification  

If you only strive for compliance, you may leave security gaps and not achieve a strong security program. However, if you aim to develop a strong cybersecurity posture, compliance should be relatively easy. 

Working with a managed detection and response (MDR) or extended detection and response (XDR) partner that continuously monitors your network, cloud, and endpoints not only helps safeguard your system against potential attacks, but also puts you in a better position to meet CMMC standards.

Protect Yourself Now

The shift to CMMC has already begun, and soon anyone hoping to land contracts or maintain current contracts with the DoD will need this qualification. Rather than waiting until the last minute to make the changes necessary to earn certification, businesses should start as quickly as possible to protect their systems and simplify the certification process.  

Implementing the appropriate security measures to achieve compliance may take time, so it’s better to act now to prevent your business from missing out on potential contract opportunities down the road. Plus, safeguarding your systems immediately may enable you to reap the benefits of strong defenses before these new compliance requirements take full effect. After all, it’s not just about checking a box; it’s about being secure.

Enlist Cybersafe Solutions

Cybersafe Solutions offers a robust suite of security solutions to enhance your posture. We can supply the appropriate security measures necessary to position your business to meet the requirements for Level 3 compliance and above. Threat 360 is an XDR service providing full visibility into and telemetry of your network, cloud, and endpoints to detect and mitigate potential threats more quickly, thereby improving your chances of achieving CMMC compliance. Not only does Cybersafe provide 24/7/365 monitoring with expert analysts, but it is also more affordable than hiring an in-house staff member to fill your cybersecurity needs.