CMMC - Guide for Federal Contractors

By Sean Washington


Companies that maintain contracts with the Federal Government use both confidential and non-confidential data to complete jobs. In 2020, new regulations were introduced to ensure that this data is protected, and these contractors must prove that they have the appropriate checks and balances in place to comply.

CMMC (Cybersecurity Maturity Model Certification) was developed to help ensure that specific unclassified data, existing outside of government systems, will have standards in place to protect it. CMMC specifically applies to Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) in non-government systems such as contractors' networks. This certification program will replace the process of self-attestation to NIST SP 800-171 that contractors use today.

The plan to roll out CMMC is a multi-year process that will start in 2021 and complete in 2026. The first phase, completed late 2021, will impact 1,500 prime and sub-contractors. The rest of the contractors will be rolled out over the next 5 years, completing in 2026. If businesses within these defined timelines are not compliant, they cannot be granted contracts.

How to Comply

Like all compliance standards, there is a defined framework that must be followed by the contractor. There are 5 levels of class designation that companies must fit into. Each one reflects specific maturity levels and reliability from a cybersecurity and network infrastructure perspective.

Level 1: Performed (17 Practices)

This is where a company must live up to basic standards like using an antivirus product or enforcing a password policy. These practices help protect Federal Contract Information (FCI), which is never intended for public viewing.

Level 2: Documented (+55 Practices)

In this model, the company must document specific intermediate cyber hygiene in order to protect Controlled Unclassified Information (CUI). This follows the outlines already in practice from the NIST 800-171 Revision 2 requirements. The overall concept here is that all government data must have defined controls in place.

Level 3: Managed (+58 Practices)

This is when a company must have an overall IT governance plan, defined by management, to implement a strong Cyber Security posture. This plan’s intent is to protect CUI and it has to include all the NIST 800-171 R2 requirements and standards.

Level 4: Reviewed (+26 Practices)

A contractor must implement specific processes for measuring and reviewing the actual effectiveness of the policies. There must be tools that can detect and respond to an outside persistent threat. This means there has to be something in place that can generate logs, identify threats, and remediate in real time.

Level 5: Optimizing (+15 Practices)

Contractors must have standardized and optimized processes implemented across the entire company. This combines the defined structure of the operation with the documented controls and the tools for monitoring and remediation.

Who must Comply with CMMC?

Any defense company that does business with the DOD will need to become compliant at one of the 5 Levels. This is not specific to prime contractors; it also applies to any subs that are working underneath them. If they are being given data, they will be subject to regulation.

The specific contract that you have with the Government will specify what level of compliance you must adhere to. Note that some parts of a contract might have different requirements than other parts; the contractor is always expected to go with the higher designation.


The Level 3 version of CMMC is built on the NIST 800-171 mandate that defines a list of 110 specific controls that have to be defined. The new CMMC checklist has been expanded with 20 additional requirements for Level 3. Level 4 adds another 16 and Level 5 adds another 15. The biggest change, however, is the shift from a legacy self-assessment to a model that must be conducted by a third party (C3PAO). In the past, non-compliance with DoD cyber mandates was acceptable as long as companies prepared specific plans of action. With CMMC, that will no longer be the case.


Businesses that must comply with CMMC will have to get an audit to achieve certification. The objective of the audit is to formally assess the organization’s cyber security maturity. It is a prerequisite process to demonstrate compliance with the CMMC. The costs associated with the certification process are reimbursable, and the certification will be valid for 3 years. It is recommended that participants have everything highly organized before engaging with an auditor to ensure that the audit is fulfilled. Companies without formal documentation may want to perform a readiness assessment before beginning the audit.
