Cybersecurity Maturity Model Certification (CMMC)

What is CMMC?

Cybersecurity Maturity Model Certification (CMMC) is a Department of Defense (DOD) certification process that measures a Defense Industrial Base (DIB) sector company’s ability to protect sensitive data. Designed as a requirement for all companies that have access to the DOD in any form, the effort shows how the department plans to address cybersecurity risk throughout the defense supply chain to protect defense systems and sensitive data. CMMC development has been led by Ellen Lord (Undersecretary of Defense for Acquisition and Sustainment (A&S)) and Katie Arrington (Chief Information Security Officer for Acquisition). The release of the final edition of CMMC Version 1.0 was announced January 31, 2020. Documentation can be found at https://www.acq.osd.mil/cmmc/draft.html

CMMC is designed as a methodology and framework that will constantly evolve as technology changes. Developers intend the certification to be a tool for organizations to improve their cybersecurity practices, but the DOD doesn’t want it to become just another compliance checklist. The defense industry is a regular target of state and rogue threat actors attempting to obtain sensitive security data. CMMC is meant to help reduce risk resulting from these cyber threats.

One of the goals of CMMC is to create a unified DOD cybersecurity standard. The certification will build on and replace current National Institute of Standards and Technology (NIST) standards for cybersecurity, such as NIST SP 800-171 requirements for controlled unclassified information (CUI). Practices outlined in CMMC are based on existing standards and requirements: NIST SP 800-171, NIST SP 800-53 and AIA NAS9933, as well as input from the private sector and academia.

The CMMC model has 17 domains, including Access Control, Asset Management, and Awareness and Training. Many of the domains are based on the NIST SP 800-171 control families, and each contains capabilities that need to be met.

There will be five levels of certification within CMMC, each with defined practices and processes. At Level 1, basic cyber hygiene practices should be in place, but process maturity is not yet required. At Level 2, however, the process maturity requirement is introduced and processes should be formally documented in policies and procedures. Meanwhile, at Level 5, practices should be advanced and processes optimized across the company.

CMMC processes and practices are cumulative and carry into each subsequent level. For example, to achieve Level 3, an organization must meet the practices and processes for CMMC Level 1, 2 and 3.

Who Does CMMC affect?

Starting in 2020, all companies that conduct business with the DOD and suppliers across the DIB will need to acquire some level of CMMC certification. This means that every prime contractor and subcontractor of the DOD will have to be audited and certified under the CMMC framework. The department expects CMMC to take five years to fully roll out and not really get going until 2021. This will affect more than 300,000 organizations, including entities in the U.S and their international partners. The level of certification (1-5) that each company needs to attain will depend on the amount of sensitive data or CUI it processes. Unless a higher level is specified, all contractors and subcontractors must meet a minimum of CMMC Level 1. The government and DOD will determine the appropriate tier requirement for contracts they administer. The required CMMC level will be documented within the appropriate Request for Proposal (RFP).

How to Get Certified?

Unlike previous standards and guidance (e.g., NIST SP 800-171), CMMC does not allow self-assessment. CMMC will be replacing the self-attestation model and is moving toward third-party certification.

Independent assessments of CMMC will be completed by Certified Third-Party Assessment Organizations (C3PAOs). The CMMC accreditation body, a recently created not-for-profit independent group of stakeholders, is charged with training and certifying the third-party assessors. C3PAOs will evaluate organizations to determine if appropriate capabilities and organizational maturity, as well as proper controls and processes, are in place to reduce the risk of specific cyber threats.

Once a program has been developed and assessors are trained, DIB organizations will coordinate with the accreditation board to schedule a CMMC review with a C3PAO. When requesting an assessment, an organization will need to specify its intended level of certification, which will be based on its specific business requirements. Once a company has demonstrated to the C3PAO that they have the appropriate controls and maturity in capabilities and processes, the company will be awarded CMMC certification at the appropriate level.

To learn more about the potential costs and how your organization can prepare for CMMC, download our Cybersecurity Maturity Model Certification (CMMC) Guide.

How Can Schneider Downs Help?

Schneider Downs intends to become a C3PAO. In the meantime, until such requirements are made public, we can help your organization prepare for CMMC by performing an assessment against the NIST 800-171 framework. For more information, visit www.schneiderdowns.com/cmmc.