CMMC Overview
The Cybersecurity Maturity Model Certification (CMMC) is a framework designed to enhance cybersecurity practices across the Defense Industrial Base (DIB). It applies to any organization within the supply chain (receiving specific DFARS flow-down) that works on contracts with the Department of Defense (DoD), ensuring these companies can safeguard Controlled Unclassified Information (CUI) and Federal Contract Information (FCI).
In November 2021, in response to industry feedback, CMMC 2.0 was introduced to simplify the original model, making compliance more achievable while maintaining strong security standards. This updated framework reduces the original five certification levels down to three:
Level 1: Basic cyber hygiene practices, primarily protecting FCI. Organizations must implement 17 practices aligned with Federal Acquisition Regulation (FAR) 52.204-21.
Level 2: Aligned with NIST SP 800-171 Rev 2, this level applies to companies that handle CUI. It includes 110 security controls required by NIST 800-171, emphasizing areas such as access control, incident response, and system security.
Level 3: Designed for companies with the highest cybersecurity requirements, Level 3 incorporates advanced practices beyond NIST SP 800-171 and will be aligned with a subset of controls from NIST SP 800-172, focusing on defending against advanced persistent threats (APTs).
NIST 800-171 Rev 2: The Foundation of CMMC 2.0:
At the heart of CMMC Level 2 is NIST Special Publication 800-171 Revision 2, which outlines security requirements for protecting CUI in non-federal systems. Organizations must meet the 14 families of security requirements, which include:
Access Control (AC) Ensures that only authorized users have access to the information systems and CUI. Example: Role-based access control (RBAC).
Awareness and Training (AT) Ensures that users are trained and aware of security risks and organizational policies. Example: Regular cybersecurity training sessions.
Audit and Accountability (AU) Provides mechanisms to audit the system's activities and ensure users are accountable for their actions. Example: Logging of all user activities for tracking and investigation.
Configuration Management (CM) Involves managing security configurations of systems to reduce vulnerabilities. Example: Ensuring systems have up-to-date security patches.
Identification and Authentication (IA) Verifies user identities and provides mechanisms for authentication. Example: Multi-factor authentication (MFA).
Incident Response (IR) Prepares for, detects, and responds to security incidents. Example: Incident reporting and remediation processes.
Maintenance (MA) Provides procedures for system maintenance that protect the security of CUI during routine and emergency repairs. Example: Remote maintenance procedures with authentication controls.
Media Protection (MP) Ensures that physical and digital media containing CUI are protected from unauthorized access or loss. Example: Encryption of removable storage devices.
Personnel Security (PS) Ensures that personnel are properly vetted and that access to CUI is limited based on individual trustworthiness. Example: Background checks for employees handling CUI.
Physical Protection (PE) Restricts physical access to information systems, equipment, and operating environments. Example: Secure data centers with controlled entry points.
Risk Assessment (RA) Involves the identification and analysis of potential risks to information systems and CUI. Example: Regular vulnerability scans and risk assessments.
Security Assessment (CA) Regularly assesses and tests security controls to ensure they are effective. Example: Third-party security audits.
System and Communications Protection (SC) Ensures that communications between systems are secure and protected from unauthorized access. Example: Encryption of data in transit and at rest.
System and Information Integrity (SI) Protects systems and data by identifying and mitigating flaws and vulnerabilities. Example: Continuous monitoring and timely application of security patches.
Meeting NIST 800-171 Rev 2 is crucial for achieving CMMC Level 2 certification and is mandatory for contractors handling CUI.
Self-Assessment and Certification:
Under CMMC 2.0, organizations handling only FCI at Level 1 can conduct annual self-assessments. For Level 2, companies handling critical CUI must undergo third-party assessments or self-attest depending on the criticality of the contract. Level 3 requires comprehensive third-party assessments by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
Why CMMC is Important
The DoD created CMMC to ensure that companies in the DIB have adequate protections in place to secure sensitive information and defend against cyber threats. Compliance with CMMC 2.0 helps protect national security, secure supply chains, and build trust between the DoD and its contractors.
For organizations in the defense supply chain, preparing for CMMC 2.0 requires:
- Implementing controls based on NIST 800-171 Rev 2 (for Level 2),
- Engaging in continuous monitoring and security improvements,
- And obtaining certification through third-party or self-assessments, depending on the level of compliance required.