Cybersecurity Maturity Model Certification

DoD (Department of Defense) planned to move to a new framework to gauge and enhance the cybersecurity stance of the DIB (Defense Industrial Base). The CMMC has been created with the intention to serve as a verification mechanism. It helps ensure appropriate levels of cybersecurity practices and processes are in order. This is done to set the seal on proper cyber hygiene, and simultaneously protect the Controlled Unclassified Information (CUI) that resides with the department’s partners’ networks.

What is the CMMC?

The Cybersecurity Maturity Model Certification or CMMC is a program initiated by the United States Department of Defense (DoD). It is a unified standard for implementing cybersecurity across the Defense Industrial Base (DIB) that includes over 300,000 companies in its supply chain.

The basic intention is to secure the Defense Industrial Base to protect the defense information, and supplier information system. It also helped in impeding the United States adversaries from manipulating, destroying, or stealing defense information. It prevents compromising the US DoD through its supply chain.

Previously, the Defense Federal Acquisition Regulation allowed the DIB to self-certify compliance with the National Institute of Standards and Technology (NIST) 800-171 for the protection of Controlled Unclassified Information (CUI). Contractors were responsible for implementing, monitoring, and certifying the security of sensitive information stored and transmitted by those systems.

CMMC, on the other hand, is a multi-tiered maturity model, with multiple levels that require third-party certifications. Under the new model brought together by the CMMC for DoD contractors, they will be subjected to external security audits. They will still remain responsible for implementing cybersecurity requirements. However, their system will be inspected by a third-party source. These third-party assessments will ensure compliance with certain compulsory practices, procedures, and capabilities.

The Office of the Under Secretary of Defense for Acquisition and Sustainment currently directs the CMMC. The Department of Defense (DoD) finally released the much-anticipated Cybersecurity Maturity Model Certification version 1 on January 31st, 2020. The framework was drafted with significant inputs from University Affiliated Research Centers, Federally Funded Research and Development Centers, and by the industry.

Why is CMMC Compliance Significant?

There have been many cybersecurity agreement processes that the DoD contractors have been subjected to, among which, CMMC is the latest addition.

With the publication of Defense Acquisition Federal Regulation Supplements, more commonly known as DFARS, the compliance with NIST SP 800-171 cybersecurity framework is mandatory for the contractors. Since then, the contractors have constantly struggled to understand and implement the requirements of DFARS. While some firms are blessed with all the resources to make themselves compliant, others contracted their cybersecurity responsibilities to MSPs.

DoD tried providing incentives to smoothen the adoption of DFARS. This is done by making compliance with the framework a “competitive merit” in the tender process. However, companies are lagging behind with the implementation of the earlier framework. There have also been cases where companies have claimed to be “compliant” either through intentional fraud or ignorance. Anyway, later on, they were found to be non-compliant.

CMMC seeks to resolve this issue that the system has been facing for a long time now. It intends to ensure that an appropriate level of cybersecurity controls and processes are in place. It prioritizes the protection of Controlled Unclassified Information (CUI). It also provides a plan for the firms that are looking to enhance their security and provides contractors with an assessment to analyze their cybersecurity controls.

CMMC Compliance- A Requirement?

The CMMC compliance requirement will appear at two stages- one, during the request for information (RFI) process in June 2020, and another on the request for proposal (RFP) process in September 2020. The first full draft of the CMMC framework was published in January 2020. After several drafts came into existence over the past few years, CMMC came as a final document. However, it will take at least a couple of years to enforce the whole framework.

The DoD recommends its contractors to learn the technical requirements for CMMC before the compliance processes begin. Currently, there have been no details provided about how the CMMC assessment will be conducted, or about the precise requirements of the framework. Nevertheless, the Office of the Under Secretary of Defense for Acquisition and Sustainment maintains a CMMC FAQ constantly updates the latest information for the contractors.

At the moment, there are several important dates that DoD contractors should have in mind:

  • January 2020: The first full version of CMMC was released.
  • June 2020: The request for information (RFI) process will include the CMMC requirements for the contractors.
  • September 2020: The request for a proposal (RFP) process will include the CMMC requirements for the contractors.
  • October 2020 and further: The DoD contractors will have to get certified by an accredited Assessor/C3PAO to bid on new work.

In the meantime, it is still not clear since when all contractors will require full compliance with CMMC. However, it is still an expectation that within a few years the framework will be fully functional. This calls for the contractors to start preparing now.

Who is Required to Comply with CMMC?

All the contractors in the DoD chain, whether prime or subcontractor, will have to attain some kind of a CMMC certification in order to continue working on DoD contracts. This will include all the suppliers and firms at all levels of the supply chain, right from manufacturers of defense equipment to small companies that hold basic technical data.

The DoD also hinted that there may be different levels of compliances or maturity required for different types of organizations. Prime-level certification, as stated, may not be a necessity throughout the entire supply chain.

This may mean that the smaller companies and subcontractors will not have to achieve the highest level of compliance in order to work upon a distinct part of DoD projects. In contrast, having different levels of compliance certifications for different companies can raise complex integration issues.

With the progress in the full implementation of CMMC, the CMMC Accreditation Body (AB) will be coordinating with DoD to formulate procedures to certify independent Third-Party Assessment Organizations (CP3AOs), and assessors who are going to evaluate companies’ CMMC levels.

How to Get CMMC Certification?

CMMC Accreditation Body (AB) is a non-profit independent organization that will conduct the CMMC certification process. The body will give credit to all the Third-Party Assessment Organization as well as individual assessors. The full information has not been outlined in the compliance process yet. The CMMC AB will further upload the updates.

To make things easier, the CMMC AB is planning to establish a common CMMC marketplace where a list of all the accredited CP3AOs will be uploaded. The DIB companies can then easily select one of the approved CP3AO to schedule a CMMC assessment for the required levels.

The 5-Level CMMC Framework

The whole CMMC framework is a maturity model, where the assess the contractors based on five levels of cybersecurity preparation. The goal of each of these requirements is to ensure that sensitive defense information is safe from theft, hackers, and corporate infiltration.

All five levels follow a structure that has its base on their previous levels. Hence, it is important that level one is mandatory before moving onto level two. Although it is not mandatory for all organizations to achieve level five. They only need to achieve a certain minimum level to work on a particular project. The minimum level and how the process will work for the companies are yet to behave clear definitions.

Here are all the details about each of the five levels in the framework.

Level one: Basic Cyber Hygiene

The first level for every organization is to put “basic cyber hygiene” practices in order. The first level includes using advanced antivirus software and training staff to ensure that passwords and other authentication details are secure. The goal of this level is to protect Federal Corporation Information (FCI) which consists of confidential information. The government provides or generates such information under a contract to develop or deliver a product or service to it.

Generally, all organizations that have already been awarded by the DoD contracts will most likely have compliance with this level. It accounts for a very low bar for the contemporary firms, irrespective of which sector they work in. It also appears to be a procurator for emerging firms, who are just starting to look into their cybersecurity tools and their processes.

Level Two: Intermediate Cyber Hygiene

While level one had a very basic requirement, level two is where the actual assessment begins. This level introduces a new type of data, called Controlled Unclassified Information (CUI). The DoD defines CUI as any information that law, regulation, or government wide-policy requires to have safeguarding or disseminating controls, but does not include certain classified information.

The level two requirements include that the organizations record certain “intermediate cyber hygiene” practices for CUI protection. It is largely constructed upon a re-statement of the US Department of Commerce National Institute of Standards, and Technology’s special publication 800-171 Revision 2 security requirements. Thus, any firm that can show that they have achieved compliance with the framework earlier will be able to meet the requirements.

The level two of the CMMC compliance process or compliance with NIST 800-171 r2 requires the firm to have the following things in order:

  1. Access Control- Who has access and are they ought to?
  2. Awareness and Training- Were the staff trained about CUI?
  3. Audit and Accountability- Are you aware of who is accessing the CUI?
  4. Configuration Management- Are the RMF guidelines being followed for maintaining secure configuration and managing change?
  5. Identification and Authentication- Are the auditing access to CUI being managed?
  6. Incident Response- What will happen if there is a data breach?
  7. Maintenance- How are the processes maintained?
  8. Media Protection- How do you handle backup drives, external drives, and retired equipment?
  9. Physical Protection- Who can access the place where your CUI is stored?
  10. Personnel Security- How well is your staff trained to identify internal threats?
  11. Risk Assessment- Is the risk assessment done? Have you scheduled pen-testing exercises?
  12. Security Assessment- How do you establish that the security procedures are in place?
  13. System and Communications Protection- How secure are your communication channels?
  14. System and Information Integrity- How well are your processes defined to address new vulnerabilities and system down situations?

Level Three: Good Cyber Hygiene

Level three of the CMMC requirements are based on an extension of the NIST 800-171 standards. It takes the level two requirements further. Hence, to be fully compliant with this level, organizations need to have 47 security controls in place.

For the firms who are already working with CUI, achieving this level would not be so challenging. Nonetheless, it is important to recognize that to get your organization accredited, you’ll need to document the security procedures that are already in place. There is no self-certification in CMMC, the compliance procedure requires a third-party assessment.

The organizations will need to communicate with the accredited and independent third-party commercial certification organization to solicit and plan CMMC assessment. You can specify the level of your certification request depending on your organization’s specific business requirements.

Level Four: Proactive

An organization’s capacity to be proactive in measuring, detecting, and overcoming threats is what level four requirement is all about. In these audit processes, a company looks into all the historical details and data on the threat that they might have encountered, and how the organization reacted to it previously.

According to the CMMC guidelines, level four is the minimum level that the prime contractors need to achieve by working closely with CUI. It also copies some of the requirements set by the DFARs and has been put into the framework. They are drawn in such a manner that it is easier to work upon them.

Clearly, level four requirements are set to allow organizations to deal with the threats presented by government-funded hackers. Coping up with changing tactics, processes, capabilities, advanced persistent threats (APTs), and responding to them is also a requirement at this level.

An ATP is an opponent that posses an international level of expertise and important resources and instruments that makes way for them to create many opportunities to achieve their motive. They can do this by using multiple attack vectors and looks like a direct reference to the type of espionage used by China and Iran.

Level five: Advanced/Progressive

The final level of CMMC compliance encompasses all the state-of-art, sophisticated organizations in the cybersecurity industry. The CMMC includes thirty other security controls, for level four, which must be for the organization to achieve a level five certification.

Level five also depends largely on the organizations’ ability to adapt to the changing threat environment throughout the auditing and managerial processes, rather than added technical requirements.

However, it may or may not be a requirement for all DoD contractors. As of now, it must be very difficult for small and large firms to meet the requirement for the higher levels, as they simply lack the human resource to scan the threat.

The progressive level also contains a certain recommendation that may point to the future of defense cybersecurity. With the changing world, technology, and mind there would always be new threats, and people ready to counter them.

Five Tasks that the DoD Contractors can do now to Prepare for CMMC Compliance Audit

After all the information we have, it is more than enough for the organizations to start responding now. Even though the detailed report is still emerging, it is enough for them to prepare in advance.

These steps can be crucial for all the organizations where DoD contractors earn a significant percentage of revenue. Also, because CMMC requirements may also become a criterion for contract awards. Achieving the desired CMMC level is important or you run the risk of being unable to deal with the DoD, and extend your service for a long period of time. This makes it crucial for you to pass the certification process in the very first attempt.

Learning Technical Requirements

Understanding the technical requirements of the CMMC is the very first step. More than anything, technical glitches can cause a big problem in the cybersecurity system. Also, CMMC is divided into seventeen sections that are extremely crucial to the compliance-

  1. Access Control
  2. Asset Management
  3. Audit and Accountability
  4. Awareness and Training
  5. Configuration Management
  6. Identification and Authentication
  7. Incident Response
  8. Maintenance
  9. Media Protection
  10. Personnel Security
  11. Physical Security
  12. Recovery
  13. Risk Management
  14. Security Assessment
  15. Situational Awareness
  16. Systems and Communications Protection
  17. System and Information Integrity

All these domains have been replicated from the previous frameworks, Federal Information processing standards (FIPS) 200 security-related points, and the NIST SP 800-171 control groups.

Deciding upon In-house vs Outsourcing

For some organizations, it may be easier to get CMMC compliance in-house, while others will need to outsource this process. Many organizations prefer to outsource their IT support through Amazon or Microsoft. In this case, the important thing to note is that the subcontractor is also CMMC compliant.

Once you have learned all the information regarding CMMC, you’ll need to make a decision. If you’re planning to work towards compliance in-house, you’ll need to ensure that you are compliant with the CMMC framework. NIST has also created a guide to help you with that- Self Assessment handbook. It is created by keeping the suppliers who are looking to direct their own certification initiative in mind.

The handbook also contains a detailed certification requirement of the NIST SP 800-171 r1 that aligns with the CMMC level 3.

Conducting Readiness Assessment and Gap Analysis

Conducting a detailed and all-encompassing readiness assessment and gap analysis should be done immediately. This analysis forms the basis to achieve the desired CMMC maturity.

The  NIST SP 800-171 framework should be the core foundation of this analysis that has outlined a number of areas that must be covered:

  • How is the data stored and how do you monitor access to the information?
  • Are the incident response plans currently in place and effective?
  • Is adequate training being given to the IT staff and other professionals?
  • How do you maintain and implement security protocols?

These gap analysis will help you identify and develop a remedy plan for your organization. This will hence ensure that you have a roadmap for the compliance process. The remediation plan must include:

  • Actions that are needed to address security issues, and other necessary steps to resolve them.
  • Allocating resources that are required to mitigate problems and close security gaps.
  • A projected timeline that is set by the organization for completion dates and milestones.
  • Insights as to how the security glitches and vulnerabilities are uncovered.
  • Gradation of risk levels, establishing priorities, and remediation costs.

Implementing Cybersecurity Monitoring

Reporting on cybersecurity incidents is a requirement for your organization for higher levels of CMMC compliance. These are also essential and needed to work on complex, high-value projects. Hence, it is crucial for your company to have a sophisticated system that can identify threats and isolate them. It should also collect information on the threat creators, and other types of attack that you’re facing.

Therefore, investing in a high-quality threat detecting system that can provide relevant information will become a necessity for many organizations to complete this step.

Developing SSP (System Security Plan)

All the earlier frameworks and the roadmap on which the CMMC plan requires all the organizations to have an SSP in place. System Security Plans should also are constantly evaluated and upgraded whenever the company makes a substantial change in its security profile and its processes. This plan should include a wide range of data, such as company policies, employee security responsibilities, network diagrams, and administration tasks.


For the CUI requirements and NIST 800-171, information about each system in a contractor’s landscape that stores or transmits CUI must have a document in the SSP. It will also detail the information between systems, as well as authentication and authorization processes. The CMMC process also includes a review of the contractors’ SSPs as part of the award process. If an organization lacks a valid, running SSP in place, the DoD may not award the contract to them.

Boost Your CMMC Practices

After all the aforementioned processes, there are a few other steps that can make your CMMC compliance processes much easier, and help you achieve your desired levels. Documentation is one of the most important things in this process, hence recording all the cybersecurity controls you already have in place can go a long way in helping you in this process.

Documenting Practices

A major development in proving your organization’s cybersecurity maturity is by providing comprehensive, detailed information on the cybersecurity tools, processes, and systems you have in place. Having this kind of preparation beforehand will result in a more efficient assessment and a positive impact.

Hence, the contractors should begin taking steps to document their processes and practices that already align with the CMMC requirement. The same is the case with subcontractors; they’ll need to closely work with their client to develop compliance programs and review programs that are already in place.

Communicate with Agencies

Whenever the requirements of the CMMC compliance starts appearing on RFIs and RFPs, the organizations need to thoroughly review the statements and then send it to the subcontractors. The need to ensure that they can meet these requirements. The DoD expects feedback from the RFI and RFP organizations during the early stages of the CMMC process, hoping that the response would be positive.

CMMC requirements can be a burden initially for the organizations and the DoD fully recognizes that. However, the advantage of this maturity model and requirements of CMMC is that it also permits the firms to work towards maturity in consultation with the DoD. This makes future deals for the contractors much easier.

Briskness and Perseverance

Achieving CMMC compliance is going to keep all the cybersecurity agencies busy in the country for the next few months. However, one should acknowledge that compliance with current standards is not the only thing.

The CMMC framework is not yet fully developed and is currently a work-in-progress. There may be a few significant changes in it in the next few years. On the other hand, organizations can take this as an opportunity to build their strength and agility. By complying with the requirement, they may as well become better protected against cybersecurity threats.

Fostering a culture of cybersecurity, durability, and flexibility within their organization will definitely go a long way in bagging the DoD contracts. The organizations will be in a much better position in the marketplace.