By Joe Donohue | Senior Information Security Consultant at LRQA Nettitude
For many defense suppliers, CMMC is another compliance headache. So, being asked to adopt a new set of practices is a tall order, especially for those organizations that recently put in a tremendous effort to meet the requirements of the NIST 800-171 framework. Fortunately, rather than being a massive change in direction, CMMC is the next logical step in the United States Department of Defense's (DoD’s) drive to secure its supply chain. So, with the proper approach, your organization can gracefully meet this new challenge and benefit by becoming more secure and resilient in the process.
What is Cybersecurity Maturity Model Certification (CMMC)?
The Cybersecurity Maturity Model Certification (CMMC) was created to assess and strengthen the cybersecurity posture of Department of Defense (DoD) suppliers who handle Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
It is comprised of 17 security domains (e.g. Asset Management, Incident Response, Media Protection, etc.). Each domain is itself comprised of capabilities. For instance, the capabilities listed within the Incident Response domain include Planning, Detection & Reporting, Responding, etc. Each capability is further broken down into separate control practices. Those already familiar with NIST 800-171 will recognize a high degree of overlap between the CMMC body of control practices and NIST 800-171 security requirements. This overlap often prompts the question, “How is CMMC different from NIST 800-171?”
How is CMMC different from NIST?
The CMMC differs from NIST 800-171 in two basic ways. First, CMMC also incorporates control practices from NIST 800-53, Aerospace Industries Association (AIA) National Aerospace Standard (NAS) 9933 “Critical Security Controls for Effective Capability in Cyber Defense”, and Computer Emergency Response Team (CERT) Resilience Management Model (RMM) v1.2, amongst others. Second, CMMC goes beyond a self-assessment approach to assurance and requires certification by an accredited Third-Party Assessor.
The latter requirement is an indicator of the evolution of expectations the DoD has of its suppliers. It represents a solidification of ideas on what constitutes a strong security posture, which in effect are firmer barriers to entry into the US DoD supplier market. So, current organizations need to begin measuring themselves against CMMC to ready themselves for the eventual 3rd party assessments.
What are the CMMC maturity levels?
First, it’s important to understand the CMMC’s maturity levels model. The CMMC establishes five maturity levels where Level 1 is the least and 5 is the most mature. On top of levels 2 through 5, sit maturity processes that range from documenting policies and practices for each CMMC domain to standardizing and optimizing required domain practices across the organization. These levels are defined as follows:
As organizations familiarize themselves with the five CMMC maturity levels, the inevitable question becomes, “What is the appropriate level we should align our practices with?” The definitive answer to that question will be provided by the DoD in their Requests for Information (RFIs) and Requests for Proposals (RFPs). In the absence of active RFIs and RFPs, consider the nature of the data your organization intends to handle in its engagements with the DoD. If your organization only plans to handle FCI, Level 1 certification is sufficient, since that level is designed to meet 48 CFR 52.204-21 - Basic Safeguarding of Covered Contractor Information Systems. To handle CUI an organization will need to achieve Level 3 certification at a minimum. What differentiates Level 3 maturity from Levels 4 and 5 is that these higher maturity levels have proactive, robust defenses against Advanced Persistent Threats (APTs), while organizations at Level 3 are still in a reactive posture against APTs. As such, Level 3 organizations would not qualify for higher-risk engagements.
After identifying the targeted maturity level, you need to assess the complexity of your organization to gauge the level of effort required to be certified at that level. Aspects of your organization that you should consider include the size of your workforce, the number of locations, your organizational structure (e.g. single entity or parent/subsidiaries), the design of the infrastructure where the CUI is to be processed and the use of third parties. Some organizations are so complex that it may be easier to spin off a separate line of business dedicated to DoD work where more stringent information security practices are implemented, rather than try to elevate the practices of the entire organization.
Creating a plan of action for CMMC compliance
Given the comprehensiveness of the CMMC standard, establishing a CMMC compliance program can feel overwhelming. By taking a methodical approach that breaks down the exercise into milestones, this burden can be reduced.
The first milestone has to be identifying the maturity level your organization will target. Once you have this, review the required practices of each domain for that level and begin an assessment of your organization’s current practice against these requirements. Start with assessing the design of your current controls against CMMC specifications by reviewing your existing policies and procedures. If your organization has already aligned its practices to NIST 800-171, leverage the output of prior audits against that framework. Identify gaps in this documentation, update where needed and notify appropriate parties of relevant changes to policies and procedures. After implementing changes to fill gaps, conduct an internal audit to assess the efficacy of your controls in meeting CMMC requirements. Capture findings, update policies and procedures, and then re-assess.
Like any effective risk management program, this is a regime of continuous improvement. That being said, don’t allow yourself to be delayed by speculation that the COVID pandemic will set back any CMMC deadlines. Even if that turns out to be the case, by implementing CMMC recommendations you will be making your organization more secure. The CMMC domains (Access Management, Incident Response, Asset Management, etc.) are the signature elements of an information security program. By measuring your current practices against the capabilities comprising those domains, you’ll get a clear understanding of your organization’s current maturity level. The CMMC lays it all out for you. By getting out ahead of this initiative, you can position your organization at the front of the queue for CMMC accreditation, giving you a huge competitive advantage.
Ready to get started? Get in touch with the team here.
