The U.S. Department of Defense (DoD) recommends prime contractors and subcontractors in the Defense Industrial Base (DIB) prepare for Cybersecurity Maturity Model Certification (CMMC) requirements in contracts now even though no organizations are yet accredited to conduct official certification assessments.
In a recent survey of CMMC prime contractors and subcontractors, two-thirds of the participants indicated that moving quickly to demonstrate CMMC compliance will create a competitive advantage, and nearly 50% indicated they expect to see business growth opportunities linked to achieving CMMC readiness and certification.
CMMC Background and Current Status
In January 2020, the U.S. government released the first version of its CMMC program, followed quickly with version 1.02 in March of that year.
CMMC is a set of standards organizations must meet to renew existing contracts or bid on new contracts to do business with the DoD. By 2025, all DoD suppliers are expected to be CMMC certified.
CMMC certification is essentially an extension of DoD’s existing Controlled Unclassified Information (CUI) program, which governs how contractors and other service providers handle sensitive government information that is protected but not classified.
For new contracts or renewals, contractors must become CMMC certified at one of five certification levels. Which level a contractor needs to be at depends on the type of contract at bid.
To become CMMC certified, organizations must complete a formal assessment from a certified CMMC assessor. The CMMC Accreditation Body (CMMC-AB), which was established in 2020, oversees Certified Assessors (CAs) and Certified Third-Party Assessment Organizations (C3PAOs) who can conduct certification assessments.
Early in 2020, the assumption was that accredited assessors and organizations would likely be trained and available before end of year, but as of early 2021, there are still no accredited companies to offer contractors these assessments.
The newest estimates say it will likely be early summer 2021 before the first companies complete their accreditation processes and are available to conduct formal CMMC certification assessments.
The delay in availability of certified assessors has also slowed DoD’s push to include CMMC certifications in new contracts.
In 2021, CMMC requirements will be included in a handful of pilot contracts; estimates have ranged from seven potential contracts up to 15. These pilot contracts may be related to projects for the U.S. Navy, Air Force, and the Missile Defense Agency.
Contractors who bid on any of the pilot contracts are likely to be moved to the front of the list for CMMC certification assessments once the CMMC-AB has the first group of certified assessors ready. Each of these pilot contracts is broad in scope, covering many prime contractors and many more subcontractors affected by flow-down requirements.
As the assessor accreditation process continues and DoD begins to roll out CMMC requirements in contracts, you shouldn’t slow or stall your CMMC certification process. In the interim, it’s a good idea to prepare for your formal assessment by completing a self-assessment.
Before we take a closer look at self-assessments, let’s do a quick recap on CMMC certification levels and requirements.
Understanding CMMC Certification Levels
There are five CMMC certification levels, ranging from basic cyber hygiene to mature, advanced and progressive security practices. The levels are cumulative, beginning at level 1 and increasing in maturity through level 5.
To achieve these levels, your organization must successfully implement, and demonstrate proficiency in, the practices of 17 core CMMC domains:
1. Access Control
2. Asset Management
3. Audit and Accountability
4. Awareness and Training
5. Configuration Management
6. Identification and Authentication
7. Incident Response
9. Media Protection
10. Personnel Security
11. Physical Security
13. Risk Management
14. Security Assessment
15. Situational Awareness
16. Systems and Communications Protection
17. System and Information Integrity
Each domain, or control family, includes a set of processes and capabilities that span all five certification levels, with a total of 43 CMMC capabilities and 171 practices. Here’s what they look like across the certification levels:
CMMC Certification Level 1: Perform
- Covers basic cyber hygiene and introduces 17 practices
CMMC Certification Level 2: Document
- Covers intermediate cyber hygiene and introduces 55 practices
CMMC Certification Level 3: Manage
- Covers good cyber hygiene and introduces 58 practices
CMMC Certification Level 4: Review
- Covers proactive cyber hygiene and introduces 26 practices
CMMC Certification Level 5: Optimize
- Covers advanced/progressive cyber hygiene and introduces 15 practices
CMMC domains include standards related to the Federal Information Processing Standards (FIPS) 200, NIST 800-171 security requirements, asset management, recovery, and situational awareness. For a closer look at each level and domain, check out our CMMC fundamentals page, which includes everything you need to know about CMMC requirements.
The NIST 800-171 Connection
Most contractors who work with DoD are already familiar with self-assessments, because since 2018 DoD has expected contractors and subcontractors to comply with NIST 800-171.
NIST 800-171 is a set of standards the National Institute of Standards and Technology developed for non-federal agencies to help them protect CUI. These standards are required for all non-federal agencies that process, store, or transmit CUI.
The challenge, however, with the NIST 800-171 requirement is that there hasn’t been a common accountability framework to determine how contractors and subcontractors successfully implement NIST 800-171 protocols. Instead, these organizations had a range of self-attestation methods that varied from one organization to another.
A higher degree of compliance with NIST 800-171 may be a leading indicator of a more streamlined process of assessing and preparing for CMMC, but while NIST 800-171 and CMMC have significant overlap in their focus on controls, the approach is different.
NIST 800-171 provides a static snapshot in time. CMMC assesses the maturity and effectiveness of controls as demonstrated over time and on an ongoing basis. As such, a high degree of self-assessed compliance with NIST 800-171 is not a guarantee of a high degree of maturity as assessed using the CMMC framework. To learn how a DoD contractor started with NIST 800-171 as its foundation for CMMC preparation, read this case study.
“With the NIST 800-171 and CMMC frameworks harmonized, our cybersecurity team was pleased to see that we were already at 57% of full compliance with CMMC based on our NIST 800-171 status.” - Ed Myers, Cape Henry Associates Compliance Director
Preparing for the Assessment
To streamline accountability, DoD announced CMMC certification requirements, which build on the 110 security requirements from NIST 800-171 as well as other standards. The goal is to establish a verification method for compliance that can then be used to compete for requests for information (RFIs) and requests for proposals (RFPs).
Preparation for your CMMC assessment varies based on a range of factors, including which certification level you want to achieve. Many contractors will only need certification at level 1, but you can find out which specific level you’ll need to achieve by reviewing RFPs and RFIs.
Expect an increasing number of RFPs and RFIs to include required certification levels in the next few years, with the expectation that it will be included in all of them by 2025.
To begin, you may find it helpful to review all of the CMMC levels and what’s expected for each, as well as your past DoD contracts for perspective. Even though many contracts will likely be at certification level 1, you can generally assume the more complex the project—and the more CUI and other sensitive data you’ll engage with—the higher the certification level expectation may be.
Once you’ve determined your certification level, you should evaluate your existing security practices against each level’s requirements. Identify where you have gaps meeting those specified controls, and then make a plan to fix those issues and decrease your security gaps.
Once you’ve remediated your issues and feel as though you’re on target to meet the specifications of your required certification level, conduct a self-assessment to determine your level of compliance for CMMC.
Previously, self-attestation processes for NIST 800-171, for example, varied from one organization to another, but this changed in 2020 when DoD adopted a new assessment methodology for NIST 800-171 requirements.
As the CMMC roll-out moved along slowly, in September 2020 DoD announced an interim Defense Federal Acquisition Regulation Supplement (DFARS) rule to support existing DFARS requirements to protect CUI. It went into effect on Dec. 1, 2020, and includes this new assessment methodology.
What was once a pass-or-fail scenario is now a methodology that includes scoring based on the 110 security requirements outlined in NIST 800-171. A contractor who meets all 110 security requirements can earn the highest score of 110. For every unmet requirement, points are subtracted from that 110 total.
All contractors who don’t score 110 will need to create a Plan of Action and Milestones (POA&M) that outlines what their organization will do to address all of the unmet requirements.
For this self-assessment approach, there are three assessment levels (basic, medium, and high) that determine the level of confidence in the assessment results. The lowest level, basic, is achieved from a self-assessment only. The medium level also includes an assessment from DoD, and the high level includes a government on-site or virtual assessment and carries the highest level of confidence.
Remember, when you identify gaps in your self-assessment, you’ll want to continue to work on your remediation roadmap (with documentation) about all the areas where you fall short so you can close those gaps before your formal CMMC assessment.
The CMMC ecosystem also includes registered consultants and organizations that can assist you with CMMC certification preparation. You may find it beneficial to engage a Registered Practitioner (RP), who can help you with a readiness assessment and other needs related to your CMMC certification journey, or a Registered Provider Organization (RPO), which can provide consultancy for a readiness assessment or certification prep. All RPOs must have at least one RP on staff to assist you. Need assistance with CMMC preparation? Check out the CMMC Marketplace.
If your organization still uses spreadsheets, word processing documents, or GRC tools to track and manage your NIST 800-171 and CMMC compliance, you may be creating blind spots in your organization’s performance because it’s incredibly hard to see how controls align across frameworks and measure your performance.
To simplify this process, you may want to consider adopting a cybersecurity framework management tool that gives you insight into all of your controls, across all your frameworks, in one easy-to-understand view.
Apptega, for example, can help you crosswalk (or map) your NIST 800-171 controls to your CMMC controls so you can get instant insight into where you already are on this journey and where you need to focus more effort to remediate gaps and move closer to CMMC compliance.
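The following script is an added example, not code from the original post and not Apptega’s product; it shows in working code the two ideas described above: the NIST 800-171 assessment scoring from the “Preparing for the Assessment” section (start at 110, deduct points for each unmet requirement, and put every remaining gap into a POA&M) and the crosswalk of NIST 800-171 status onto CMMC practices. Everything in it that is not on this page is an assumption: the per-requirement point values (the DoD methodology weights requirements at 1, 3 or 5 points, but the table here is constructed sample data for ten requirements, not the published table), the crosswalk rows (constructed to resemble CMMC Level 1 practice IDs; verify them against the published mapping before relying on them), and the assessment results themselves, which describe a hypothetical contractor.

```python
"""Added example: self-assessment scorer plus NIST 800-171 -> CMMC crosswalk.

Not the original post's code and not a vendor product. The tables below are
constructed sample data (see the comments on each); a real run needs all 110
requirements in WEIGHTS and the published crosswalk.
"""
from dataclasses import dataclass

MAX_SCORE = 110  # score earned when all 110 NIST 800-171 requirements are met

# Constructed sample weights. The DoD methodology assigns each requirement
# 1, 3 or 5 points; these ten values are illustrative, not the real table.
WEIGHTS = {
    "3.1.1": 5, "3.1.2": 5, "3.1.20": 1, "3.5.1": 5, "3.5.2": 5,
    "3.8.3": 3, "3.13.1": 5, "3.14.1": 5, "3.14.4": 5, "3.14.5": 5,
}

# Constructed sample crosswalk: CMMC practice -> NIST 800-171 requirement(s)
# it relies on. Check against the published mapping before use.
CROSSWALK = {
    "AC.1.001": ["3.1.1"], "AC.1.002": ["3.1.2"], "AC.1.003": ["3.1.20"],
    "IA.1.076": ["3.5.1"], "IA.1.077": ["3.5.2"], "MP.1.118": ["3.8.3"],
    "SC.1.175": ["3.13.1"], "SI.1.210": ["3.14.1"], "SI.1.212": ["3.14.4"],
    "SI.1.213": ["3.14.5"],
}

# Constructed self-assessment for a hypothetical contractor:
# True = implemented, False = not implemented. Absent = never assessed.
ASSESSMENT_RESULTS = {
    "3.1.1": True, "3.1.2": True, "3.1.20": False, "3.5.1": True,
    "3.5.2": False, "3.8.3": True, "3.13.1": True, "3.14.1": True,
    "3.14.4": False, "3.14.5": True,
}


@dataclass(frozen=True)
class PoamItem:
    requirement: str        # NIST 800-171 requirement that is not yet met
    weight: int             # points recovered when it is implemented
    cmmc_practices: tuple   # CMMC practices blocked by this gap


def score(results, weights=WEIGHTS):
    """Apply the rule from the post: start at 110 and subtract the weight of
    every requirement that is not implemented. A requirement with no recorded
    status is treated as unmet (a planned or documented-only control earns
    nothing). Returns (score, unmet_requirements)."""
    unmet = [req for req in weights if not results.get(req, False)]
    return MAX_SCORE - sum(weights[r] for r in unmet), unmet


def poam(results, weights=WEIGHTS, crosswalk=CROSSWALK):
    """Build the Plan of Action and Milestones: one item per unmet requirement,
    highest-weight items first, since closing those recovers the most points."""
    _, unmet = score(results, weights)
    items = []
    for req in unmet:
        blocked = tuple(sorted(p for p, reqs in crosswalk.items() if req in reqs))
        items.append(PoamItem(req, weights[req], blocked))
    return sorted(items, key=lambda i: (-i.weight, i.requirement))


def cmmc_coverage(results, crosswalk=CROSSWALK):
    """Crosswalk NIST status onto CMMC: a practice counts as already met only
    when every requirement it maps to is implemented.
    Returns (met_practices, total_practices, percent_met)."""
    met = sorted(p for p, reqs in crosswalk.items()
                 if all(results.get(r, False) for r in reqs))
    return met, len(crosswalk), round(100 * len(met) / len(crosswalk))


if __name__ == "__main__":
    total, _ = score(ASSESSMENT_RESULTS)
    met, n, pct = cmmc_coverage(ASSESSMENT_RESULTS)
    print(f"NIST 800-171 assessment score: {total} / {MAX_SCORE}")
    print(f"CMMC practices already met via crosswalk: {len(met)}/{n} ({pct}%)")
    for item in poam(ASSESSMENT_RESULTS):
        print(f"POA&M: {item.requirement} (+{item.weight} pts) "
              f"blocks {', '.join(item.cmmc_practices)}")
```

Two design points carry over from the page: a requirement that was never assessed is scored as unmet rather than silently skipped, so an incomplete self-assessment cannot inflate the score, and the POA&M is ordered by weight so remediation effort goes first to the gaps that cost the most points and block the most CMMC practices.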
Need help preparing for your CMMC certification? Check out this on-demand webinar to learn more about CMMC processes and how you can prepare your team to simplify and complete your upcoming CMMC audit for certification.