By now, most government contractors are aware of the upcoming Cybersecurity Maturity Model Certification (CMMC). We're providing this comprehensive guide to show you how to prepare, achieve and maintain CMMC - along with timely updates as new information arrives.
Table of Contents - Guide to CMMC 2.0
1. What is CMMC Compliance?
CMMC stands for Cybersecurity Maturity Model Certification and is the latest security framework mandated by the Department of Defense (DoD) for any contractor that sells into the DoD.
It specifies a range of security maturity levels that must be met and will be used by the DoD as a qualification criterion for RFPs and vendor selection.
IT security for government contractors has always been a hot topic, but this recent change from the DoD has made compliance to security regulations even more important.
Once rolled out, CMMC will mandate strict compliance by DoD providers, and contractors who do not meet CMMC standards may find themselves shut out of DoD business.
The initial version of the CMMC framework was rolled out in January 2020, while CMMC 2.0 rolled out in November 2021 and is published here on the DoD CMMC website.
A memorandum of understanding (MOU) between the DoD and the CMMC Accreditation Body was signed, and certification, licensing and training requirements for assessors and organizations were established. However, continued delays in the official program pilot phase and go-live keep changing the program and its requirements.
The DFARS rulemaking that would put CMMC requirements into contracts is also pending, so CMMC requirements in RFPs have been delayed to 2022 or beyond.
While some of the more than 300,000 DoD contractors will have the staff, resources, and expertise to meet their CMMC requirements in-house, many will not.
Fortunately for those in the latter camp, managed security service providers (MSSPs) such as Ntiva are developing specialized programs to help assess contractors’ current capabilities, create remediation plans where necessary, and conduct ongoing cybersecurity monitoring and reporting.
2. Who Needs To Be CMMC Certified?
The short answer is anyone in the defense contract supply chain. The DoD estimates the roll-out of CMMC standards will affect 300,000 companies.
According to the DoD, “CMMC is intended to serve as a verification mechanism to ensure appropriate levels of cybersecurity practices and processes are in place to ensure basic cyber hygiene as well as protect controlled unclassified information (CUI) that resides on the Department’s industry partners’ networks.”
The cybersecurity challenges faced by the DoD are enormous — for example, the Pentagon stops an estimated 36 million emails containing ransomware and phishing attacks every day.
Despite these best efforts, in late 2018 the Pentagon reported a data breach exposing the personal information of 30,000 DoD employees on a system operated by a third-party contractor.
2020 opened with the Department of Homeland Security warning of a possible increase in cyberattacks against government networks due to rising tensions in the Middle East.
It’s a never-ending battle and predicted only to get worse!
But let’s go back to 2015, when the DoD identified specific cyber requirements in the Defense Federal Acquisition Regulation Supplement (DFARS) clauses 252.204-7008 and 252.204-7012.
DFARS required DoD contractors to adopt cybersecurity processes and standards created by the National Institute of Standards and Technology (NIST). DoD contractors handling covered defense information needed to represent that they had implemented the requirements of NIST SP 800-171 by December 31, 2017.
This framework, NIST SP 800-171, was part of the broader government initiative to protect the DoD supply chain from cyber threats and other security risks.
Adoption of the framework has been slow, despite DoD efforts to incentivize supplier compliance. The DoD has expressed concern that many defense industry contractors maintain only basic security hygiene practices.
Faced with unacceptable risks to Controlled Unclassified Information (CUI) stored on contractor systems, the DoD has now introduced CMMC to ensure that appropriate levels of cybersecurity protections and processes are in place.
What sets CMMC apart from ‘business as usual’ under the current regime is a strict audit process: CMMC replaces the current ‘self-declaring’ model with third-party certification, and the resulting audit and certification process establishes compliance as a condition of doing business with the Defense Department.
With the launch of CMMC 2.0 in November 2021, DoD contractors received information from the DoD and CMMC Accreditation body that the rules on 3rd party audit requirements were being relaxed. It was estimated that somewhere between 40,000 and 80,000 contractor organizations would be able to self-attest versus being required to obtain a 3rd party certification.
In addition, contractors were told that the “all or nothing” or “pass/fail” audit process was changing to include the introduction of Plan of Actions and Milestones (POA&Ms), although no one knows how many POA&Ms an organization may be allowed to submit, if there will be a severity level assigned, or if multiple POA&Ms combine for higher severity findings.
In late January, and into early February 2022, the DoD made multiple announcements indicating that the governance and oversight of the CMMC program was being moved under the DoD’s Office of the Chief Information Officer. Shortly thereafter, articles were published stating that self-attestation at CMMC 2.0 Levels 2 and 3 would not be allowed, thus returning the requirement for formal 3rd party audits and certifications.
The logic behind the announcement was that virtually all information outside of Federal Contract Information (FCI) would be considered CUI, and virtually all contractors would need access to some CUI, so it made sense to require 3rd party audits for all contractors operating at these levels of the CMMC model.
Whether or not that reasoning holds, many speculate that removing the 3rd party audit requirement would effectively have returned the program to the state that existed prior to CMMC, where contractors self-attested under DFARS clause 252.204-7012. Returning to that state provides no additional protection to the DoD; it becomes an honor system of sorts.
Additional concerns have been voiced by CMMC RPOs and C3PAOs over the resources and funds spent to position themselves to assist the DoD with audit requirements, and future concerns of whether there would be a place for them moving forward.
For now, we should assume that any organization intending to meet CMMC 2.0 Levels 2 or 3 will be required to pass a 3rd party audit. In addition, we recommend attempting to pass with no POA&Ms in case the DoD shifts positions back to their original requirements.
There are cases in which relying on a POA&M may prevent a contractor from passing an audit before contract award. If that contractor then runs into time, resource, and/or funding constraints at the last minute because a POA&M is determined to be unallowed, it may not be awarded the contract.
Finally, with no one knowing how many 3rd party auditors will be available, how long an audit will take, and how long it could take to be re-assessed for failed practices, the risk in relying on a POA&M to pass the audit may be too high for most organizations.
3. An Overview of the CMMC Model
The most recent CMMC model framework is Version 2.0 published in November 2021.
The framework defines cybersecurity practices at the highest level by domains, and each domain is then segmented into practices, also commonly referred to as controls, which are essentially mapped to groups of capabilities. Capabilities identify contractor achievements that ensure cybersecurity objectives are met within each domain.
DoD contractors will demonstrate compliance with required capabilities by showing adherence to practices and processes that have been mapped across the three maturity levels of CMMC.
Practices will measure the technical activities necessary to achieve compliance with a given capability requirement, while processes will measure the maturity of a company’s processes.
Source: CMMC Version 1.02
4. What Are The 3 Levels of CMMC?
The CMMC model has three defined levels, each with a corresponding set of practices and processes. Practices range from basic cyber hygiene (Level 1) to advanced/progressive capabilities (Level 3).
In parallel, processes step up from Level 1 (being performed) to Level 3 (being optimized across the organization).
Contractors must meet both associated practices and processes to achieve each specific CMMC level.
Below is a visual representation of the CMMC Version 1 model that contained 5 levels (on the left), compared to the updated CMMC Version 2 model that contains 3 levels (on the right).
5. Understanding CMMC Domains
The CMMC model consists of 14 domains. Many of these CMMC domains originated from the Federal Information Processing Standards (FIPS) 200 security-related areas and the NIST SP 800-171 control families.
Below is a summary of the domains, but if you would like more information on each domain take a look at our CMMC Compliance Checklist - 14 Domains for more details.
CMMC Version 1 also included Asset Management, Recovery, and Situational Awareness domains (17 in total); Version 2.0 removed them, leaving the 14 domains that map directly to the NIST SP 800-171 control families.
The 14 domains and their abbreviations are as follows:
- Access Control (AC)
- Awareness and Training (AT)
- Audit and Accountability (AU)
- Configuration Management (CM)
- Identification and Authentication (IA)
- Incident Response (IR)
- Maintenance (MA)
- Media Protection (MP)
- Personnel Security (PS)
- Physical Protection (PE)
- Risk Assessment (RA)
- Security Assessment (CA)
- System and Communications Protection (SC)
- System and Information Integrity (SI)
6. Who Needs CMMC Level 2 or Level 3?
CMMC Level 2 is the second of the three certification levels for defense contractors, as outlined above.
Specifically, Level 2 requirements apply to defense contractors who create, receive, store or transmit Controlled Unclassified Information (CUI).
Level 2 focuses on the protection of CUI and encompasses all 110 security requirements specified in NIST SP 800-171.
Any contractor whose contract carries DFARS clause 252.204-7012 (that is, any contractor handling CUI) will need to meet at least Level 2; contractors that handle only Federal Contract Information (FCI) fall under Level 1. Note that DFARS clause 252.204-7012 also specifies requirements beyond the NIST SP 800-171 controls, such as reporting cyber incidents to the DoD within 72 hours of discovery.
CMMC Level 3 is the third and highest of the three levels.
Specifically, Level 3 requirements apply to the subset of CUI-handling defense contractors that support the DoD's highest-priority programs.
Level 3 builds on Level 2: it encompasses all of the security requirements specified in NIST SP 800-171 plus a subset of the enhanced requirements in NIST SP 800-172, intended to mitigate advanced persistent threats. Under CMMC 2.0, Level 3 assessments are expected to be conducted by the government rather than by a C3PAO. DFARS clause 252.204-7012 and its incident reporting obligations apply at this level as well.
7. How Do I Get CMMC Certified?
DoD contractors who have the necessary IT staff and resources may opt to prepare for their chosen CMMC cybersecurity certifications in-house.
NIST created a guide, the NIST MEP Cybersecurity Self-Assessment Handbook (NIST Handbook 162), as an aid for suppliers self-directing their certification initiative. The handbook walks through the NIST SP 800-171 requirements (it was written against Rev. 1, but the requirements carried into Rev. 2 largely unchanged), which align with CMMC Level 2.
Unfortunately, there is currently no equivalent self-assessment handbook for NIST SP 800-172. The NIST SP 800-172 specification itself (published in final form in February 2021) can be found here.
Before proceeding with an in-house CMMC program, contractors should consider the stakes, especially considering the need to pass their third-party CMMC audit on the first try.
If the initial examination is unsuccessful, contractors stand to lose significant time and costs while they correct any security shortcomings. They may also encounter hold-ups due to a potential backlog of audits, especially in the early days of CMMC.
As CMMC certification becomes a requirement for contract awards, such delays could prove costly for companies who count on DoD business for a considerable portion of their revenue.
8. The Benefits of Outsourcing CMMC
Many contractors may not have the skills or resources to address the requirements of NIST SP 800-171 Rev. 2 or SP 800-172.
For those organizations, an effective means to meet the CMMC cybersecurity requirements is to outsource their compliance initiative to a qualified Managed Security Services Provider (MSSP) such as Ntiva.
Experienced MSSPs have the necessary processes and templates to undertake a gap analysis and create the overall security plan. They also have the available resources and expertise to complete remedial activities if required. They should also have the tools necessary to monitor security performance, resolve issues, and provide detailed reporting.
As a result, contractors may find that outsourcing (rather than building) these capabilities saves significant money and time.
You should also make sure your provider is a Cybersecurity Maturity Model Certification Registered Provider Organization (CMMC RPO).
Organizations that are given the CMMC RPO designation are ones that are “cyber-knowledgeable” and have a good understanding of CMMC requirements and protocols.
In the next four sections we describe four critical activities that a qualified MSSP or CMMC RPO can perform to help prepare DoD contractors for the CMMC rollout:
- Readiness Assessment and Gap Analysis
- Remediation Plan
- Monitoring and Reporting
- System Security Plan (SSP)
9. What Is The Purpose of a CMMC Gap Analysis and Readiness Assessment?
The gap analysis and readiness assessment are foundational steps for contractors to gain a detailed understanding of how close they are to meeting the requirements of their targeted CMMC level.
The Readiness Assessment will help uncover systems and processes that may not meet the standards outlined in NIST SP 800-171 by asking questions such as:
- How is data stored and access to information controlled?
- Are incident response plans in place, current, and effective?
- Are IT staff and other personnel adequately trained?
- How are security protocols implemented and maintained?
The resulting Gap Analysis will pinpoint risk areas for contractors and facilitate the creation and execution of the Remediation Plan, either by the MSSP or utilizing in-house resources.
Without an exhaustive Gap Analysis in hand, DoD contractors may find it impossible to identify risks, prioritize activities, and determine costs for any remedial steps required for CMMC certification.
10. Creating the Remediation Plan
The Remediation Plan is a prioritized, actionable plan of record to address any security gaps uncovered in the Readiness Assessment and bring the contractor into CMMC compliance.
This Plan of Action & Milestones (POA&M) will document:
- The weaknesses found, with a description, mapped to each NIST SP 800-171r2 requirement (a.k.a. practice or control)
- A remediation plan for each non-compliant requirement
- A risk rating with a corresponding recommended completion/remediation date
- The impact on the contractor's NIST SP 800-171 DoD Assessment score, as reported in the DoD’s Supplier Performance Risk System (SPRS)
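The last bullet is worth making concrete, since the SPRS score is what a contracting officer actually sees. As an added example (not from the original guide and not a DoD or NIST tool), the script below computes the NIST SP 800-171 DoD Assessment score from a POA&M: the assessment methodology starts at 110 and subtracts a weight of 5, 3 or 1 for every requirement that is not fully implemented, with partial credit for 3.5.3 (multifactor authentication) and 3.13.11 (FIPS-validated cryptography), and no score at all if there is no System Security Plan. The `Finding` class, the function names and the sample POA&M are assumptions for illustration, and the weight table is a constructed subset; load the full Annex A table from the published methodology before using the calculation for real.

```python
"""Score a POA&M the way the NIST SP 800-171 DoD Assessment Methodology does.

Added example for this guide, not DoD or NIST code. Rules implemented:
  * start at 110 and subtract each unmet requirement's weight (5, 3 or 1);
  * 3.5.3 and 3.13.11 may be scored as "partial", which deducts 3 instead of 5;
  * a missing System Security Plan means no score can be produced at all.
The WEIGHTS table is a constructed, illustrative subset of Annex A.
"""
from dataclasses import dataclass, field

MAX_SCORE = 110

# Constructed subset of Annex A (requirement id -> points deducted when unmet).
# Check every value against the published methodology before relying on it.
WEIGHTS = {
    "3.1.1": 5,    # limit system access to authorized users
    "3.1.3": 1,    # control the flow of CUI
    "3.2.1": 1,    # security awareness for users
    "3.3.1": 5,    # create and retain audit logs
    "3.4.1": 5,    # baseline configurations and inventories
    "3.5.3": 5,    # multifactor authentication
    "3.8.3": 5,    # sanitize media before disposal or reuse
    "3.11.2": 5,   # vulnerability scanning
    "3.13.11": 5,  # FIPS-validated cryptography for CUI
    "3.14.2": 5,   # malicious code protection
}

# Requirements for which the methodology grants partial credit (deduct 3, not 5).
PARTIAL_CREDIT = {
    "3.5.3": "MFA in place for remote and privileged access but not for general users",
    "3.13.11": "encryption in use but not FIPS-validated",
}
PARTIAL_WEIGHT = 3


@dataclass
class Finding:
    """One POA&M line item (hypothetical structure for this example)."""
    requirement: str          # NIST SP 800-171 requirement id, e.g. "3.5.3"
    status: str               # "not_implemented" or "partial"
    description: str = ""


@dataclass
class ScoreResult:
    score: int                                    # 110 minus all deductions (can be negative)
    deductions: dict = field(default_factory=dict)  # requirement id -> points deducted


def score_poam(findings, has_ssp=True):
    """Return the assessment score for a list of Finding objects."""
    if not has_ssp:
        # Without an SSP the methodology says no assessment can be completed.
        raise ValueError("No System Security Plan: an assessment score cannot be produced")
    deductions = {}
    for f in findings:
        if f.requirement not in WEIGHTS:
            raise KeyError(f"unknown or unweighted requirement {f.requirement}")
        if f.requirement in deductions:
            raise ValueError(f"duplicate POA&M entry for {f.requirement}")
        if f.status == "not_implemented":
            weight = WEIGHTS[f.requirement]
        elif f.status == "partial":
            if f.requirement not in PARTIAL_CREDIT:
                raise ValueError(f"{f.requirement} has no partial-credit rule; score it as not_implemented")
            weight = PARTIAL_WEIGHT
        else:
            raise ValueError(f"unknown status {f.status!r} for {f.requirement}")
        deductions[f.requirement] = weight
    return ScoreResult(score=MAX_SCORE - sum(deductions.values()), deductions=deductions)


def remediation_order(findings):
    """Requirement ids sorted by points recovered, largest first (stable for ties)."""
    result = score_poam(findings)
    return sorted(result.deductions, key=lambda rid: result.deductions[rid], reverse=True)


def example_findings():
    """Constructed sample POA&M used for the demonstration below."""
    return [
        Finding("3.3.1", "not_implemented", "no central log collection"),
        Finding("3.5.3", "partial", "MFA on VPN and admin accounts only"),
        Finding("3.13.11", "not_implemented", "file server uses non-FIPS cipher suites"),
        Finding("3.1.3", "not_implemented", "no DLP or flow controls on CUI shares"),
        Finding("3.2.1", "not_implemented", "annual awareness training lapsed"),
    ]


if __name__ == "__main__":
    result = score_poam(example_findings())
    print(f"SPRS score: {result.score} (deductions: {result.deductions})")
    print("Fix first:", remediation_order(example_findings()))
```

Run stand-alone, the sample POA&M scores 95 out of 110 (5 + 3 + 5 + 1 + 1 points deducted), and the remediation order puts the two 5-point findings ahead of the partial-credit MFA finding. The same weighting explains why the guide recommends aiming for zero POA&Ms: a single unmet 5-point requirement such as audit logging costs as much as five 1-point ones.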
11. On-Going Cybersecurity Monitoring and Reporting
Once the DoD Contractor has completed the remediation and is CMMC compliant, they will need to monitor, detect, and report on cybersecurity incidents within their own systems.
These activities require specialized tools and expertise and can place an administrative burden on many contractors, another key reason why many contractors will opt to outsource this task to an MSSP who specializes in cyber security.
12. Building and Updating the System Security Plan
The System Security Plan (SSP) is a living document that must be updated when a company makes substantial changes to its security profile or processes.
Typical information captured in the plan includes company policies, employee security responsibilities, network diagrams, and administration tasks.
For NIST 800-171 and CUI requirements, the SSP must document information about each system in a contractor’s environment that stores or transmits CUI. The SSP also details the flow of information between systems, as well as authentication and authorization processes.
The DoD mandates a review of contractors’ SSPs as part of the contract award process. Without a current, valid SSP in place, contractors may not be awarded DoD business.
While creating and updating the SSP is critical to maintaining certification requirements, it can be a resource-intensive process, so contractors need to ensure they have the resources in place to do this.
13. What is a CMMC Audit?
While the DoD has not finalized all details of the audit process, here is what has been confirmed to date:
- Most if not all DoD Contractors will need to become CMMC Certified by passing a CMMC audit (subject to change). The Accreditation body recommends that you start at least 6 months in advance.
- This will validate they have met the appropriate level of cybersecurity for their business with DoD.
- Certification will become a requirement for any organization that wishes to hold Department of Defense contracts or act as subcontractors on DoD-related projects.
- The DoD will employ certified third-party assessor organizations (C3PAOs) to conduct audits of DoD contractor information systems and verify that contractors have met the appropriate level of cybersecurity controls.
- Based on the audit results, contractors will be awarded the applicable certification (Level 1 to 3) if they meet the requirements of 100% of the controls for that level and all lower levels, subject to whatever POA&M allowance the DoD ultimately finalizes (see the discussion above).
- While 3rd party organizations will normally perform assessments, some of the higher-level evaluations may be performed by DoD assessors within the Services, the Defense Contract Management Agency (DCMA), or the Defense Counterintelligence and Security Agency (DCSA).
“Your organization will coordinate directly with an accredited and independent third party commercial certification organization to request and schedule your CMMC assessment. Your company will specify the level of the certification requested based on your company’s specific business requirements. Your company will be awarded certification at the appropriate CMMC level upon demonstrating the appropriate maturity in capabilities and organizational maturity to the satisfaction of the assessor and certifier.”
Office of the Under Secretary of Defense for Acquisition & Sustainment — Cybersecurity Maturity Model Certification
14. Important Dates and Milestones for DoD Contractors
DoD contractors have been anxiously awaiting the start of official CMMC assessments, which are currently expected to be phased in over five years, beginning with select pilot contracts. Delays in deciding the program structure (5 levels vs. 3 levels), an inability to solidify program rules and complete the rulemaking process, and open questions such as whether POA&Ms will be permitted and whether contractors can self-attest at Level 2 continue to plague the official roll-out of the program.
“During a Feb. 10 town hall, Deputy DoD CIO David McKeown said further analysis has shown all 80,000 will require third-party assessments.” This reverses the previous updates from November 2021 where the DoD implied that a large number, potentially half of the contractors (~40,000 of 80,000) seeking Level 2 compliance would be permitted to self-attest. This comes after the announcement that the CMMC Program was being moved under the Office of the Chief Information Officer (CIO).
November 2021: CMMC Version 2.0 released. The major changes included:
- The CMMC model changed from 5 levels to 3 levels, effectively eliminating the CMMC Version 1.0 Levels 2 and 4
- The possible introduction of POA&Ms, eliminating the strict 100% pass/fail model
- The potential for ~40,000 of the ~80,000 contractors expecting to need Level 2 certification the ability to forego a C3PAO audit and instead self-attest
The DoD announced that it would NOT release the final rule that would have cemented the implementation of CMMC in September 2021, as planned. This was pushed out until "late 2021."
DoD contractors will need to be certified by an accredited Assessor to qualify to bid on new projects. Since CMMC will not be applied retroactively on existing contracts, the current DFARS 7012 requirements will be in place through 2026.
On September 28, 2020, DoD released interim cyber related DFARS rule changes that will go into effect on Nov 30, 2020. You can read more about it in our latest post on NIST SP 800-171.
Initial round of audits will launch for a limited number of DoD Programs with the required CMMC Levels specified. Contractors will need to be certified to the appropriate CMMC level to receive the RFP for those programs. It's believed that only the companies submitting on these RFI/RFPs will be eligible for CMMC assessment in the initial stages.
Training for the first round of assessors is being developed. Certification exams, job descriptions, levels of assessors are all in development. Check out the CMMC Accreditation body for updates.
January 2020: Official CMMC Version 1.0 levels and requirements released.
15. CMMC Compliance Checklist: Next Steps for Contractors
Whether or not DoD contractors choose to prepare for CMMC in-house or outsource to an MSSP, there are key activities they should undertake to stay ahead of the transition.
You will also want to check out our CMMC Compliance Checklist located here that breaks down the CMMC framework by domain, showing you the exact requirement per domain.
- Assess the current organization for NIST 800-171 compliance. NIST 800-171r2 requires that contractors “periodically assess the security controls in organizational systems to determine if the controls are effective in their application.”
- Create or update the System Security Plan (SSP). NIST 800-171r2 also mandates contractors to document and update SSPs, including information such as company policies, network diagrams, and relationships with other systems.
- Build the Plan of Action & Milestones (POA&M). The POA&M will document the remediation project plan and help establish timelines and resource requirements.
- Implement the Remediation Plan. Completing the POA&M will ensure compliance with NIST 800-171r2 and existing contracts while preparing for the full CMMC rollout.
- Maintain Compliance. Maintaining compliance with DoD security standards can be a complex undertaking and is often overlooked. It requires a documented plan and frequent (sometimes daily) activities.
16. How Ntiva Can Help With CMMC
Submission of a proposal to the DoD – as a prime or sub – requires that you have an SSP and POA&M that documents your cyber practices against NIST SP 800-171 and shows a clear plan for addressing any gaps.
Haven’t done it yet? In addition to being in violation of your DoD Terms & Conditions, you are not ready for CMMC.
One of the first steps you should take is to perform a CMMC Readiness Assessment and Gap Analysis. Our Security Team will assess your process, policies, and systems, develop an SSP and POA&M, and give you a documented plan of what you need to remediate to pass your CMMC audit.