Cybersecurity Maturity Model Certification (CMMC) implementation is on the fast track, and whether your company can continue to work with the Department of Defense (DoD) will be determined by whether it can achieve the appropriate CMMC maturity level for the contract you seek.
All DoD contractors, regardless of size, will need to comply with CMMC requirements. The good news is that Daston’s encrypted email and drive offerings support compliance with virtually all CMMC mandates related to the communication and storage of Controlled Unclassified Information (CUI).
The DoD’s enhanced “CMMC 2.0” program maintains the goals of:
- safeguarding private information
- simplifying the standard
- providing clarity on cybersecurity policy, regulatory, and contracting requirements
- focusing the most advanced third-party assessment requirements and cybersecurity standards on companies supporting the highest priority programs
- increasing oversight of ethical and professional standards in the assessment ecosystem.
The CMMC program includes cyber protection standards for organizations in the defense industrial base (DIB). Going forward, CMMC compliance will be required in DoD contracts, and defense companies must ensure both they and their subcontractors meet the right level of CMMC certification required at the time the contract is awarded.
CMMC measures an organization’s ability to protect Federal Contract Information (FCI) and CUI. FCI is information not intended for public release and is generated for or provided by the government under a contract to deliver or develop a product or service to the government. CUI is information that requires safeguarding or dissemination controls consistent with federal law, government-wide policies, and regulations. CMMC combines cybersecurity standards already in place, and it maps best practices to five maturity levels, ranging from Level 1 (basic cyber hygiene practices) to Level 5 (highly advanced practices and processes).
CMMC Model Framework
The CMMC model framework categorizes cybersecurity best practices into 17 domains, such as “Access Control” and “Systems and Communications Protection.” Forty-three capabilities, such as “control remote system access” and “control communications at system boundaries,” are distributed across the 17 domains. Not all companies need to demonstrate all 43 capabilities; which ones apply depends on the maturity level sought.
Companies will demonstrate compliance with the required capabilities by showing that they adhere to a range of practices and processes. Practices are the technical activities required within a given capability requirement (173 practices are mapped across the five CMMC maturity levels). Processes serve to measure the maturity of organizations’ institutionalization of cybersecurity procedures (nine processes are mapped across the five CMMC maturity levels).
Finally, adherence to CMMC practices and processes is cumulative. Once a practice or process is introduced at a level, it remains required for every level above it as well.
What Does My Company Need to Do?
One of the most significant changes from previous practice is the shift from self-assessment to external cybersecurity compliance assessments, which will be conducted by Third Party Assessment Organizations (C3PAOs). Further, whereas in the past noncompliance with DoD security regulations was acceptable as long as a company prepared a Plan of Action and Milestones outlining how it would address deficiencies, that will no longer be the case under CMMC.
If you haven’t already, familiarize yourself with CMMC and stay abreast of developments. CMMC 1.02 and its helpful, detailed appendices were released in late March 2020 and are available on the DoD’s CMMC website. Further, the CMMC-Accreditation Body (now called Cyber-AB) is bearing much of the responsibility for implementation of the new framework, and their website is a definitive source on implementation of the initiative.
Next, determine the appropriate CMMC level for your organization. It appears most likely that companies that handle only FCI will need to achieve Level 1 or 2. Any company that handles CUI will need to achieve at least Level 3. The higher Levels 4 and 5 focus on reducing the risk from advanced persistent threats (APTs) and are intended to protect CUI associated with DoD critical programs and technologies.
Once you determine the CMMC level you want to achieve, examine the current state of your cybersecurity, and identify gaps between your organization’s capabilities and the requirements for the level you seek. This gap analysis could be based on previous self-assessments, such as the NIST SP 800-171 Self-Assessment. However, a more forward-looking approach would be to consult Appendix A of the CMMC 1.0 report. That appendix includes a summary of the process requirements for each of the five CMMC levels, as well as a matrix that lists each domain’s required capabilities and the corresponding practices for each level.
As your business considers how to address its cybersecurity deficiencies, keep in mind that with the adoption of CMMC, cybersecurity will be an allowable cost. This shift recognizes the critical nature of cybersecurity and serves as an incentive for vendors to quickly comply with CMMC. Begin building budgets for what it will take to upgrade your cybersecurity to the level you need, and figure out how those costs will affect your rates.
If your organization needs assistance with compliance, Daston can help. Our solutions integrate seamlessly with the email and file sharing tools you and your employees already use. Contact us today for a consultation, and let’s get you on the road to CMMC compliance!