Cybersecurity Maturity Model Certification (CMMC) is a new framework for protecting Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) for all contractors or subcontractors of the United States Department of Defense (DoD). An estimated 300,000 companies that do business within the Defense Industrial Base (DIB) supply chain will need to comply with the new regulation.
With the first version of CMMC requirements released in January 2020, CMMC certification became a requirement for DoD Requests for Information (RFIs) as of June 2020. This means that, in order for a company to be eligible to bid on, win or participate on a DoD contract, they must have a valid CMMC certification or they will be barred from the contract.
CMMC was developed after DoD contractors suffered a string of data breaches, despite the rolling out of NIST 800-171 compliance on 1 January 2018. However, under NIST 800-171, DoD contractors had the option of self-certifying and, as long as any security gaps were identified and listed in the Plan of Actions and Milestones, contractors were allowed to continue providing products and services without achieving compliance with all the NIST 800-171 security controls.
With CMMC, both self-certification and Plans of Actions and Milestones have been eliminated. Companies will need to address their security weaknesses before they can achieve compliance and certification. The CMMC Advisory Board was formed to certify auditors who will then be responsible for third-party CMMC compliance assessment of DoD contractors.
CMMC Maturity Levels
CMMC has five certification levels which will assess a company’s maturity and cybersecurity preparedness to ensure that sensitive defense information is protected on contractors’ information systems. Each level is built upon the last, meaning that a company must be compliant with Level 1 before they can comply with Level 2. The level needed for a particular project will be listed in RFIs and will largely depend on the CUI involved in the contract. However, all contracts will require at least a Level 1 certification from now on.
The five levels are as follows:
Level 1: Basic Cyber Hygiene
The first level is made up of 17 basic cybersecurity controls such as the use of antivirus software and regular password changes. Level 1 focuses on the protection of Federal Contract Information (FCI), defined as information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government. Most companies are likely to already be compliant with this level, but will still need a certification that attests to it.
Level 2: Intermediate Cyber Hygiene
This level has 72 controls and introduces a new type of data, Controlled Unclassified Information (CUI) that is defined as any information that law, regulation, or government-wide policy requires to have safeguarding or disseminating controls. Under Level 2, companies are required to establish and document practices and policies to guide the implementation of their CMMC efforts. They must also have certain intermediate cyber hygiene practices in place to protect CUI. These are largely based on NIST 800-171 controls and companies compliant with it should have no problems receiving the CMMC certification.
Level 3: Good Cyber Hygiene
This level includes 130 controls and requires organizations to establish, maintain, and resource a plan demonstrating the management of activities for practice implementation. The plan may include information on missions, goals, project plans, resourcing, required training, and involvement of relevant stakeholders. To mitigate threats, all NIST 800-171 controls are included in Level 3 along with additional practices from other standards and references. Starting from this level, NIST 800-171 compliance is no longer enough for CMMC certification.
Level 4: Proactive
Made up of 156 controls, this level requires organizations to review their established plans, policies, and procedures on a recurring basis and take a proactive approach in measuring, detecting and defeating threats. Organizations must also be able to respond to the changing tactics, processes, and capabilities of advanced persistent threats (APTs). Level 4 is likely to be the minimum level required for prime contractors working with CUI and companies must be able to show that these practices are well-established within their organizations to attain certification.
Level 5: Advanced/Proactive
The highest CMMC level consists of 171 controls and adds a layer of requirements that refers to organizations’ capacity to respond to the changing threat landscape through auditing and managerial processes. The additional controls specifically focus on the protection of CUI from APTs, increasing the depth and sophistication of cybersecurity capabilities.
CMMC Compliance and NIST 800-171
While CMMC includes requirements from several existing cybersecurity standards and frameworks like NIST 800-171, NIST 800-53, NIST CSF, ISO 27002, CIS Controls, etc., it’s worth noting that they do not completely overlap. If a company is CMMC compliant for example, they are not NIST 800-171 compliant because although CMMC Level 3 compliance and up covers all the NIST 800-171 CUI controls, it does not address the 63 Non-Federal Organization (NFO) controls also included in NIST 800-171.
From Level 3 onwards, NIST 800-171 compliance is also not enough for CMMC compliance. At this level an additional 20 controls exist that exceed the requirements of NIST 800-171, with the highest level, 5, having 61 controls more. That being said, NIST 800-171 which covers all CMMC controls up to level 2 and 110 of the maximum 171 controls at Level 5, is a very good start for CMMC compliance.
With CMMC, DoD has shown its commitment to strong cybersecurity practices based on the latest standards and an ever-evolving threat landscape. Companies wishing to bid on their contracts will have no choice but to comply with the strict new requirements. However, CMMC compliance is likely to support organizations not only in protecting their sensitive data but also in their compliance efforts with the new wave of data protection legislation sweeping the globe.
Download our free ebook on
A comprehensive guide for all businesses on how to ensure GDPR compliance and how Endpoint Protector DLP can help in the process.