Part 1 of a 2-part blog series on CMMC
As a DoD Contractor, here’s why it is critical to be CMMC Certified
The Cybersecurity Maturity Model Certification (CMMC) is the Department of Defense’s (DoD) newest verification mechanism. The CMMC is designed to ensure that cybersecurity controls and processes adequately protect Controlled Unclassified Information (CUI) that resides on Defense Industrial Base (DIB) systems and networks. Companies that work with the US Department of Defense will soon be required to obtain a CMMC Certification in order to bid on contracts. This includes all suppliers at all tiers of the supply chain, including small businesses, commercial item contractors and foreign suppliers. The CMMC Certification requirements will be verified through Third Party Assessments.
The DoD is in the process of adding minimum certification requirements to Requests for Information (RFIs) and to select Requests for Proposals (RFPs). According to the DoD, a given contract could involve differing certification requirements for Prime Contractors and Subcontractors, which introduces implementation challenges throughout the supply chain.
By 2025, all Department of Defense suppliers will require CMMC Certification. It is recommended that companies begin preparing for CMMC Certification now. DoD Contractors should begin evaluating the CMMC’s technical requirements and prepare not only for certification, but also for long-term cybersecurity agility.
The CMMC Framework in Detail
The CMMC establishes five certification levels that reflect the maturity and reliability of a company’s cybersecurity infrastructure. These levels are intended to safeguard sensitive government information on Contractors’ Information Systems.
Each level requires compliance with the lower-level requirements and includes additional processes to implement specific cybersecurity-based practices.
Below is an overview of the relevant processes and practices of each DoD CMMC certification level:
Level 1: Basic Cyber Hygiene:
A company must perform “basic cyber hygiene” practices, such as using antivirus software or ensuring employees change passwords regularly, to protect Federal Contract Information (FCI). FCI is “information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government.” FCI does not include public information or certain transactional information.
Level 2: Intermediate Cyber Hygiene:
A company must document certain “intermediate cyber hygiene” practices to begin protecting any Controlled Unclassified Information (CUI). CUI is “government created or owned information that requires safeguarding or dissemination controls consistent with applicable laws, regulations and government-wide policies.” CUI is not classified information. A subset of the National Institute of Standards and Technology’s (NIST’s) security requirements is applied at this level. Processes are documented.
Level 3: Good Cyber Hygiene:
A company must have an institutionalized management plan to implement “good cyber hygiene” practices to safeguard CUI, including all the NIST 800-171 security requirements as well as additional CMMC components. Processes are managed.
Level 4: Proactive:
A company must have implemented processes for reviewing and measuring the effectiveness of its practices, and must have established additional enhanced practices to detect and respond to the changing tactics, techniques and procedures of advanced persistent threats (APTs). An APT is a sophisticated, sustained cyber-attack in which an intruder establishes an undetected presence in a network in order to steal sensitive data over a prolonged period of time. This level focuses on the protection of CUI from APTs and includes a subset of enhanced requirements in addition to other cybersecurity best practices. Processes are reviewed.
Level 5: Advanced/Progressive:
A company must have highly advanced cybersecurity practices and cybersecurity standards. Similar to Level 4, Level 5 focuses on the protection of CUI from APTs. The additional practices increase the depth and sophistication of cybersecurity capabilities.
What Actions Should DoD Contractors Take Now?
In order to bid on a DoD contract, a company must hold the Maturity Level that contract requires. A CMMC certification allows your organization to bid on DoD contracts that require a maturity level up to and including the level you have been certified at.
DoD Contractors should begin taking immediate steps to:
- Clearly document practices and procedures that comply with CMMC requirements.
- Plan for and implement further procedures and practices to obtain the highest certification level possible.
- For Prime Contractors: begin (or continue) working with Subcontractors throughout the supply chain to help them develop compliance programs where necessary, or to review programs already in place.
- Prepare for changes. CMMC certification will soon be a minimum requirement to be eligible for DoD contract awards. Contractors should not view their cyber-compliance as “complete” once certification is achieved. The DoD has emphasized that the CMMC is a starting point for transforming Contractors’ internal cybersecurity culture, and that the industry must focus on preparing for evolving threats, not simply achieving CMMC certification.
How Long is CMMC Certification Valid?
CMMC Certification is valid for 3 years.
By 2025, all DoD Contractors and Subcontractors will be required to obtain CMMC Certification in order to bid on DoD contracts. The DoD released CMMC Version 1.0 on January 31, 2020, so the certification process is already being implemented. The DoD has indicated that minimum certification requirements will be included in RFIs and RFPs beginning in September 2020.
Vestige Digital Investigations is currently working with companies to help them obtain CMMC Certification – be sure to check out our 3-Phase Process to Compliance.