The Cybersecurity Maturity Model Certification (CMMC) is a program being developed to help ensure that specific types of unclassified data that exist outside of government systems remain adequately protected against cyber-attacks.
The CMMC applies to Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) in non-government systems.
This certification program is intended to replace the process of self-attestation to NIST SP 800-171 that many defense contractors and subcontractors performed over recent years.
This program will significantly impact how a large portion of future defense contracts are awarded. The program requires audits to be conducted by external parties such as Critical Path Security. Failure to comply can lead to serious penalties. Therefore, many organizations in the Defense Industrial Base (DIB) are actively working to understand what the CMMC means for them.
To alleviate some of the ongoing concerns, we are providing a short list of items.
The program is being rolled out slowly
15 large contracts (and all associated subcontracts) will require CMMC certification in 2021. More contracts will require CMMC certification each year until 2026, when all new contracts will require contractors and subcontractors to hold the appropriate CMMC certification.
Certification Schedule
In the past, self-assessments were annual. The CMMC certification requires recertification every three years.
Expect multiple partners to be involved in achieving compliance
The CMMC program is built to ensure that no conflicts of interest occur between contractors, subcontractors, CMMC consultants, and CMMC auditors. Due to this structure, consultants that advise contractors on how to comply with the CMMC cannot perform that contractor’s or subcontractor's assessment, and the CMMC Certification Assessor is prohibited from providing any advice on how to achieve compliance.
POA&Ms are no longer permitted
Unlike other regulatory compliance frameworks, the CMMC is a pass-or-fail audit, and uncertified organizations cannot be awarded contracts with CMMC requirements at any level.
A major change for organizations is that Plans of Action and/or Mitigation (POA&Ms) will no longer allow non-compliant organizations to participate in contracts with CMMC requirements. Organizations can still bid on contracts with POA&Ms in place, but they cannot begin work until full certification is received.
CMMC is not "One-Size Fits All"
CMMC has five (5) different certification levels. Level 1 has the least stringent requirements, while Level 5 has the most stringent. The level required for an organization will be determined by the contract on which it bids.
Level 1 certification is required to create and store Federal Contract Information, and requires adherence to 17 controls. Similarly, Level 3 is required to create and/or store Controlled Unclassified Information, and requires adherence to 130 controls. Level 3 also requires documentation confirming that these controls are consistently executed, staffed, and maintained.
If an organization is still unsure, new contracts with CMMC requirements will specify which data must be treated as Federal Contract Information and which as Controlled Unclassified Information; existing data in your environment, however, should already be secured to the appropriate level.
Separate CMMC Data and Processes
Similar to PCI and other data-driven certifications, one of the most effective paths toward achieving and maintaining compliance is to isolate the sensitive data and processes. While this may require organizational process adjustments, it is often the most cost-effective means to reduce scope and the associated risk.
You don't have to protect what you don't have
Creating policies to prevent unnecessary sensitive data from being stored reduces the efforts required to achieve and maintain regulatory compliance. It also makes it easier to control what data leaves the organization as there is less sensitive data to track.
Closing Thoughts
This is going to be a long and very involved process. Dig into the CMMC workbooks and appendices that are available and begin working through each control that the organization anticipates will be required.
If you need any additional assistance or have concerns, please reach out to Critical Path Security. We can help!