Starting on September 1, 2020, Department of Defense (DoD) contractors will be required to comply with the Cybersecurity Maturity Model Certification (CMMC), a new cybersecurity framework designed to strengthen the security posture of the defense supply chain.
This standard draws upon NIST SP 800-171 Rev 2, ISO 27001 and other security frameworks to create one unified standard for implementing cybersecurity across the entire defense industrial base (DIB). It’s estimated that over 300,000 suppliers, contractors and subcontractors will need to comply with the CMMC or risk being unable to bid on DoD contracts.
CMMC version 1.0 was released on January 31, 2020 after collective input from University Affiliated Research Centers (UARCs), Federally Funded Research and Development Centers (FFRDCs), and industry professionals.
What are the different levels?
The CMMC outlines five maturity levels, Level 1 being the least demanding and Level 5 the most, and the levels are cumulative: each level includes all of the practices and processes of the levels below it. Once enacted in September, potential bidders will need to meet the maturity level the DoD assigns to a solicitation in order to bid on it. That level is determined by the type and sensitivity of the information the contractor will handle in the DoD supply chain, in particular Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
- Level 1 (Basic Cyber Hygiene) consists of 17 practices drawn from common cybersecurity best practices (the basic safeguarding requirements of FAR 52.204-21) and is achievable for relatively small organizations. This level is similar to the Basic CIS Controls.
- Level 2 (Intermediate Cyber Hygiene) adds practices drawn from universally accepted cybersecurity best practices, including a subset of NIST SP 800-171, and requires all practices to be documented. Achieving this level is intended to make a company resilient against unskilled threat actors.
- Level 3 (Good Cyber Hygiene) covers all 110 requirements of NIST SP 800-171 plus additional practices, and requires a managed process: an institutionalized plan for implementing, maintaining and resourcing the practices. This level is intended to make a company moderately resilient against malicious actors.
- Level 4 (Proactive) mandates that companies review and measure the effectiveness of their security practices, and adds enhanced detection and response capabilities to address the changing tactics, techniques and procedures of advanced persistent threats (APTs).
- Level 5 (Advanced/Progressive) builds on all of the requirements of Levels 1-4 with highly advanced cybersecurity practices and requires that process implementation be standardized and optimized across the organization.
Having a higher maturity level allows your company to bid on more DoD contracts, so certifying at only Level 1 or 2 could significantly limit your business opportunities. Level 3 is the baseline for any contract involving CUI; work toward the highest level you can realistically achieve and sustain, with Level 5 as the long-term goal.
What are the compliance requirements?
Organizations will be required to address 17 security domains, with each maturity level specifying which practices in those domains apply. Here’s a breakdown of the domains and the capabilities bidders must address in order to continue working with the DoD:
- Access Control – establish system access requirements, control internal and remote system access, and limit data access to only authorized users and processes.
- Asset Management – identify and document assets as well as manage asset inventory.
- Audit and Accountability – define audit requirements, perform auditing, identify and protect audit information, and regularly review and manage audit logs.
- Awareness and Training – conduct training and security awareness activities.
- Configuration Management – establish secure configuration baselines as well as perform change and configuration management.
- Identification and Authentication – grant access to only authenticated entities.
- Incident Response – plan incident response, detect and report events, develop and implement a response to a declared incident, perform post-incident reviews, and test the incident response plan.
- Maintenance – manage maintenance.
- Media Protection – identify and document media, protect and control media, sanitize media, and protect media during transport.
- Personnel Security – screen personnel and protect CUI during personnel actions.
- Physical Protection – limit physical access.
- Recovery – manage backups and manage information security continuity.
- Risk Management – identify and evaluate risk, manage risk, and manage supply chain risk.
- Security Assessment – develop and manage a system security plan, define and manage security controls, and perform code reviews.
- Situational Awareness – implement threat monitoring.
- System and Communications Protection – define security requirements for all systems and communications and control communications at system boundaries.
- System and Information Integrity – identify and manage information system flaws, identify malicious content, perform network and system monitoring, and implement advanced email protection capabilities.
How do I get started?
Given the approaching deadline, companies need to start laying the groundwork now to comply with the CMMC practices and processes, rather than waiting for the first solicitation that requires certification.
We at NNT recommend starting with asset discovery to gain full visibility into your systems. Then, with an up-to-date inventory of all hardware and software connected to your network(s), adopt a solution that can assess those systems against the essential CIS Controls, including critical protections like file integrity monitoring, configuration management, vulnerability management, and log management. While the details of the CMMC assessments are expected to be released soon, organizations should be ready to work with accredited third-party assessors to prove compliance with the mandatory practices and processes before competing for DoD contracts.
Start by finding and remediating known vulnerabilities in your IT environment, for example by downloading the free Greenbone OpenVAS Vulnerability Scanner.
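As an added illustration of the file integrity monitoring practice recommended above (example code written for this page, not NNT’s product code or any DoD or CMMC-provided tool), the following Python script takes a SHA-256 baseline of a directory tree, stores the baseline outside the monitored tree, and reports files that were added, removed or modified since the baseline was taken. The directory layout, file contents and the baseline file name are constructed assumptions.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Added example, not NNT product code: a minimal file-integrity baseline and
# comparison. The monitored tree, its contents and the baseline file name are
# constructed for this demonstration.


def sha256_file(path: Path, chunk_size: int = 65536) -> str:
    """Stream a file through SHA-256 so large binaries never load fully into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (as a relative POSIX path) to its hash, size and mode.

    Symlinks are skipped so a link pointing outside the tree cannot be used to
    smuggle content into, or mask changes within, the monitored set.
    """
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            stat = path.stat()
            baseline[path.relative_to(root).as_posix()] = {
                "sha256": sha256_file(path),
                "size": stat.st_size,
                # include setuid/setgid/sticky bits so a permission change is also flagged
                "mode": oct(stat.st_mode & 0o7777),
            }
    return baseline


def save_baseline(baseline: dict, baseline_file: Path) -> None:
    baseline_file.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(baseline_file: Path) -> dict:
    return json.loads(baseline_file.read_text())


def compare(old: dict, new: dict) -> dict:
    """Return sorted lists of paths that appeared, disappeared or changed between two baselines."""
    old_keys, new_keys = set(old), set(new)
    return {
        "added": sorted(new_keys - old_keys),
        "removed": sorted(old_keys - new_keys),
        "modified": sorted(k for k in old_keys & new_keys if old[k] != new[k]),
    }


def demo() -> dict:
    """Constructed scenario: baseline a small tree, tamper with it, then compare."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "tree"
        # The baseline lives outside the monitored tree, otherwise it would report itself.
        baseline_file = Path(tmp) / "baseline.json"

        (root / "etc").mkdir(parents=True)
        (root / "bin").mkdir()
        (root / "etc" / "ssh_config").write_text("PermitRootLogin no\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "bin" / "tool").write_bytes(b"\x7fELF placeholder binary")

        save_baseline(build_baseline(root), baseline_file)

        # Simulate drift and tampering after the baseline was taken.
        (root / "etc" / "ssh_config").write_text("PermitRootLogin yes\n")  # modified
        (root / "etc" / "hosts").unlink()                                   # removed
        (root / "bin" / "backdoor").write_bytes(b"\x7fELF unexpected binary")  # added

        return compare(load_baseline(baseline_file), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the baseline is written to a host the monitored systems cannot modify, the scan runs on a schedule or on file-system events, and every reported change is forwarded to log management so it can be tied back to an authorized change record; a change with no matching record is the signal the Configuration Management and System and Information Integrity domains are asking you to catch.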