The Cybersecurity Maturity Model Certification (CMMC) measures the cybersecurity capabilities of contractors to the United States Department of Defense. The CMMC is designed to improve the security of federal contract information (FCI) and controlled unclassified information (CUI). Although the CMMC program combines aspects of other cybersecurity standards such as NIST, FAR, and DFARS, the DoD decided on a maturity model as the framework for standardization.
Why Use a Maturity Model?
Why did the DoD decide on a maturity model? Most compliance standards approach security as a full-compliance mandate, meaning that all criteria must be met by a given deadline. The DoD opted for the maturity model because the department knows the significant time and resources required to develop a comprehensive cybersecurity plan.
With a maturity model, businesses can move from the initial phase to full compliance over time. It allows organizations to build robust security without negative impacts on the bottom line. The DoD felt that was important, especially for small businesses lacking the resources to immediately implement a comprehensive security program.
What Is the CMMC Framework?
A cybersecurity framework outlines the best practices to reduce a company’s exposure to cybersecurity vulnerabilities. Version 2.0 of the CMMC framework is documented in the Cybersecurity Maturity Model Certification. The framework has four components and three certification levels. The four components are listed as:
- Domains. Seventeen areas of cybersecurity, such as maintenance and authentication.
- Capabilities. Forty-three functions are divided among the 17 domains. These functions include access control capabilities that have internal and remote access.
- Processes. Process levels that reflect the level of institutionalization of cybersecurity policies.
- Practices. Identifies the depth of cybersecurity processes to ensure all domains and capabilities are secure.
Each level of certification has different standards for the four components. Companies must eventually certify all levels. Ongoing certifications will be required once all certification levels are met.
Level one practices indicate a basic cybersecurity level. For example, a level one process safeguards information while a top-level must protect and mitigate advanced persistent threats (APTs). To achieve a top-level rating for practices, contractors must standardize and optimize cybersecurity policies using sophisticated technologies that counter APTs.
Why Is CMMC Important?
Some of the most significant cybersecurity attacks began by compromising a supply chain. The Solar Wind compromise allowed cybercriminals to infiltrate the company’s customers. A known vulnerability in Microsoft’s Exchange Server allowed hackers to penetrate multiple instances, including government agencies. To mitigate the ongoing risk, the DoD established the CMMC process.
In January 2020, the DoD announced it would begin issuing requests for proposals or information in September 2020 that included the CMMC requirement. Organizations wanting to do business with the DoD must meet the CMMC requirements listed in their contract. At a minimum, all contractors must be certified at level one. If companies are unable to prove compliance, they will become ineligible for DoD contracts. Full implementation is expected in 2026.
The DoD’s budget for the fiscal year 2022 is $715 billion. Of that budget, 23% goes to small businesses. In 2020, 45% of the DoD’s small business contractors went to disadvantaged and women-owned firms. No matter the size, companies wanting to contract with the DoD must ensure that they meet the CMMC requirements.
How to Become Certified
Companies must first determine their level of compliance. The compliance level determines what standards must be met to achieve certification. The DoD provides a self-assessment tool to help companies prepare for an audit. Organizations must contact an accredited CMMC Third-Party Assessment Organization (C3PAO) to schedule certification time. The C3PAO conducts an assessment and identifies any gaps in compliance. Businesses have 90 days to rectify the deficiencies to achieve certification. Cask is an authorized C3PAO company and is ready to support your organization.
Understanding the CMMC requirements can be overwhelming, even for companies with dedicated IT personnel. Given the scope of the CMMC, internal resources will need time to come up to speed — time that organizations may not have. Rather than wait for internal resources, consider talking to Cask Government Services. We were the third organization to receive C3PAO accreditation and have trained staff to help with pre-assessments as well as formal assessments. Now is the time to start preparing for CMMC compliance if your organization plans to begin or continue to work as a defense contractor. Contact us for any questions at firstname.lastname@example.org