Security

What Is the Cybersecurity Maturity Model Certification (CMMC) and How Can It Be Achieved?

What federal IT pros need to know about the CMMC and how it impacts cybersecurity.

Twitter

Phil Goldstein is a former web editor of the CDW family of tech magazines and a veteran technology journalist. He lives in Washington, D.C., with his wife and their animals: a dog named Brenna, and two cats, Grady and Princess.

For the past year and a half, the Defense Department has been working to set up a process to ensure that all defense industrial base (DIB) contractors meet cybersecurity requirements for handling controlled unclassified information.

That process, known as the Cybersecurity Maturity Model Certification, has undergone many evolutions since it was formally introduced in early 2020 and is, in fact, still evolving. However, at its core, CMMC is designed to ensure that defense contractors are all meeting at least a basic level of cybersecurity hygiene for protecting sensitive defense information.

CMMC is designed to subject all DOD contractors to third-party cybersecurity assessments. The CMMC Accreditation Body, a nonprofit separate from the DOD, is the body the Pentagon has set up to train and certify Certified Third-Party Assessor Organizations (C3PAOs), which will then assess contractors’ cybersecurity.

The overall CMMC program is currently under an internal Pentagon review, which the DOD has characterized as routine. However, the program remains incredibly consequential for the DOD and the wider government contracting community. So, it’s worth exploring what CMMC is, the different levels of the CMMC and how contractors can achieve and maintain certification.

What Is the Cybersecurity Maturity Model Certification?

CMMC’s ultimate aim is to ensure that defense contractors do not get hacked, resulting in the loss of sensitive defense information that could fall into the hands of U.S. adversaries. The White House Council of Economic Advisers estimated in 2018 that malicious cyber activity cost the U.S. economy between $57 billion and $109 billion in 2016.

“The aggregate loss of Controlled Unclassified Information (CUI) from the DIB sector increases risk to national economic security and in turn, national security,” the DOD says on its website. “In order to reduce this risk, the Department has continued to work with the DIB sector to enhance its protection of CUI in its unclassified networks.”

To counter this threat, the DOD developed the CMMC, which is designed to be a “unifying standard for the implementation of cybersecurity across” the DIB.

William “Tony” Bai, director and federal practice lead at A-LIGN, a cybersecurity and compliance firm, notes that prior to CMMC, contractors were following the National Institute of Standards and Technology’s 800-171 guide for protecting CUI. That document was essentially a self-attestation that an organization is meeting the standards for cybersecurity controls. Often, Bai notes, that self-assessment fell by the wayside, not through malice but because it became less of a priority.

CMMC reverses that and makes certification of cybersecurity controls a top priority. “We need to protect our intellectual property and everything else,” Bai says. “So, the intent is good, and I’ve always gone for a ‘trust but verify’ approach, which is what CMMC does.”

What Is the CMMC Framework?

The CMMC framework includes a “comprehensive and scalable certification element to verify the implementation of processes and practices associated with the achievement of a cybersecurity maturity level,” according to the DOD.

According to the Pentagon, the framework is designed to ensure that defense contractors “can adequately protect sensitive unclassified information, accounting for information flow down to subcontractors in a multi-tier supply chain.”

Michael Cardaci, CEO of FedHive, a Federal Risk and Authorization Management Program-certified cloud service offering that provides security compliance solutions, says the key to the CMMC is in the name, in that it follows a maturity model.

“The idea behind it is the embodiment of security, as opposed to just kind of checking off a list of things that you make sure you do, like change your password and that sort of thing,” he says. “I view it as more of an immersive kind of thing.”

According to a DOD document on the CMMC, the framework “aligns a set of processes and practices with the type and sensitivity of information to be protected and the associated range of threats.” The model includes maturity processes and cybersecurity best practices from multiple cybersecurity standards and frameworks.

Ultimately, the DOD states, CMMC “adds a certification element to verify the implementation of processes and practices associated with the achievement of a cybersecurity maturity level.”

What Are the 5 CMMC levels?

Unlike NIST 800-171, the CMMC model has five levels. “The model is cumulative whereby each level consists of practices and processes as well as those specified in the lower levels,” the DOD states.

Each level consists of a set of processes and practices, with the practices ranging from “basic cyber hygiene” at level 1 to advanced or progressive cybersecurity at level 5. The processes range from “performed” at level 1, through to “optimizing” at level 5.

Essentially, each level up indicates a higher degree of protection for sensitive information. In order for an organization to achieve a specific CMMC level, it must demonstrate achievement of all of the preceding lower levels. Additionally, organizations must show assessors that they demonstrate the institutionalization of both processes and practices, and in cases where an organization demonstrates differing levels for one or the other, the organization will be certified at the lower of the two levels.

CMMC levels can be categorized this way:

CMMC level 1: Safeguard federal contract information
CMMC level 2: Serve as a transition step in cybersecurity maturity progression to protection controlled unclassified information
CMMC level 3: Protect CUI
CMMC levels 4-5: Protect CUI and reduce the risk of advanced persistent threats

Bai notes that only a tiny percentage of the DIB is going to require a level 4 or 5 certification and will likely only apply to companies dealing with data that foreign nation-states are targeting.

The idea behind it is the embodiment of security, as opposed to just kind of checking off a list of things that you make sure you do.”

Michael Cardaci CEO, FedHive

Level 1 consists only of practices that correspond to basic safeguarding requirements of federal contracting information. Level 2 requires that organizations establish and document the practices and policies to guide their CMMC implementation efforts, according to the DOD.

Level 3 includes the 110 security requirements specified in NIST 800-171, as well as protections outlined in other standards, such as NIST 800-53, the Aerospace Industries Association National Aerospace Standard 9933: Critical Security Controls for Effective Capability in Cyber Defense, and the Computer Emergency Response Team Resilience Management Model. Level 3 requires organizations to establish, maintain and provide resources to support a plan to demonstrate the management of meeting these standards. The plan may include information on missions, goals, projects, plans, resourcing, training and the involvement of relevant stakeholders, according to the DOD.

With level 3, Cardaci says, organizations need to “have all of the security and technical infrastructure to not only host that CUI data, but also the government wants to make sure that you can still provide service too.”

Organizations want to be able to demonstrate to the DOD that they have the “security and infrastructure and operational status” to fulfill a DOD contract through its entire term.

“You’ve got more policies and procedures and you have to show that you’re executing on them,” he says. “So, you have artifacts associated with that.”

CMMC Compliance: How to Obtain Certification and Stay Compliant

Authorized and accredited C3PAOs are responsible for conducting the CMMC assessments of contractors’ unclassified networks and then issuing appropriate CMMC certificates based on the results of the assessments, according to the DOD.

However, the process of receiving accreditation through CMMC is likely to be a lengthy one, at least until the CMMC-AB certifies more C3PAO organizations. Currently, according to Cardaci, there are only two certified C3PAOs to, in theory, assess the cybersecurity credentials of more than 300,000 organizations in the defense industrial base. “So that makes it very, very difficult,” Cardaci says.

Cardaci recommends that contractors familiarize themselves with the requirements for the CMMC, starting at level 1 and working upward. He emphasizes that organizations should not think of the CMMC as a one-time check, since in order to maintain compliance, organizations will need to be thinking about cybersecurity “as part of your operational function going forward.”

In general, the DOD says a CMMC certification will be valid for three years.

“Compliance isn’t security,” Bai says, “but compliance is a way to document what you’ve done to secure things.”

Without documentation of institutional cybersecurity knowledge, if key personnel leave an organization, security can start to deteriorate and complacency can set in. Documentation can provide the justification for certain security practices in place, Bai says.

EXPLORE: How can agencies best handle IT supply chain cybersecurity threats?

Jeremy Christensen/Getty Images