In recent years, the rate of cybercrime has increased significantly. In the process, billions of records have been breached, exposing people to threats such as identity theft and corporations to the liability that ensues. In response, industries and companies are investing heavily in cybersecurity.
As a result, the cybersecurity market has grown exponentially in the past few years. According to data from a Cybersecurity Magazine report, the sector grew 35-fold between 2004 and 2017, from $3.5 billion to $120 billion.
One of the key steps to curb the threat cybercrime poses is developing industry guidelines that companies must adhere to. In this regard, the Department of Defense (DoD) announced the Cybersecurity Maturity Model Certification (CMMC) in 2019. The CMMC is a cybersecurity compliance framework that all DoD vendors are required to comply with. By doing so, contractors can continue accessing DoD systems and bidding for contracts.
If you are a DoD contractor in Hampton Roads, Virginia, there is no running away from CMMC. Though navigating through the requirements of CMMC may seem like a challenge, it does not have to be a burden. Read on to gain a clear understanding of what it entails, how to comply, and how to gain certification.
What Is Cybersecurity Maturity Model Certification Compliance?
The Cybersecurity Maturity Model Certification is a set of cybersecurity guidelines that all DoD contractors must observe. The primary focus areas for this framework include:
- Security awareness training for staff
- Cyber hygiene
- Threat detection and response
It outlines five levels of certification, with each building on the previous one. For instance, a vendor cannot gain level 5 certification without being certified for levels 1 to 4.
All vendors must at least achieve level 1 certification. However, it is best to work toward achieving level 5 certification to ensure you are eligible to apply for all DoD contracts.
Why Is the DoD Implementing CMMC?
As with all other organizations, government agencies are also susceptible to cyberattacks. In 2019, the Defense Information Systems Agency, the arm of the DoD that handles IT and secure communications for the president, experienced a data breach.
In fairness, that breach is not the spark that triggered CMMC. Efforts by the DoD to ensure cybersecurity within its supply chain kicked off with the NIST SP 800-171 standard, which was rolled out in 2018. Under NIST, there are five levels of security controls that businesses can attain. Though the framework is robust, the mechanisms for enforcing NIST compliance were weak.
One of NIST's main challenges was that vendors conducted their own audits and self-attested that the requirements were being met. When gaps were found, the remediation steps were also developed internally, with no external check that they actually produced any improvement.
It is because of these enforcement challenges with NIST SP 800-171 that CMMC was developed. In essence, CMMC exists to enforce the NIST guidelines. Unlike NIST SP 800-171 self-attestation, CMMC is mandatory, and the audits and certification are conducted by a Certified 3rd Party Assessment Organization (C3PAO).
NIST implementation was lax at best. Considering the risks that come with breaches, and that there are over 300,000 DoD contractors, additional measures were necessary.
To ensure that there would not be a repeat of the same, the DoD released CMMC with clear timelines for various stages of implementation. Details on CMMC requirements and levels were released in January 2020, along with the training materials for the CMMC Accreditation Board.
Between February and May 2020, the first round of training for auditors and assessors took place. Audits for vendors who want to bid for open contracts began in June 2020. With mandatory compliance and such clear timelines, contractors are now scrambling to comply.
What Are the CMMC Levels?
There are five levels under the CMMC framework. They advance from basic cyber hygiene (Level 1) to advanced IDS/IPS procedures (Level 5).
CMMC levels are as follows:
- Level 1: Basic cyber hygiene
- Level 2: Intermediate cyber hygiene
- Level 3: Good cyber hygiene
- Level 4: Proactive
- Level 5: Advanced/Progressive
Certification for the various levels is progressive. Once you are certified for a specific level, you can bid on a contract on that level or the levels below it.
How to Gain Certification for CMMC Levels
Each CMMC level requires a specific set of controls to be implemented, drawn from several federal guidelines. Such guidelines include NIST 800-171 Revision, NIST SP 800-172, and NIST SP 800-53, among others.
Each level has a specific number of controls that should be implemented. They are as follows:
- Level 1 – 17 practices
- Level 2 – 72 practices
- Level 3 – 130 practices
- Level 4 – 156 practices
- Level 5 – 171 practices
Since the levels build on one another, the number of new practices you must add at each level is smaller than that level's total, because the practices of the lower levels are already in place. The number of practices added at each level is as follows:
- Level 1 – 17
- Level 2 – 55
- Level 3 – 58
- Level 4 – 26
- Level 5 – 15
Out of the 171 practices, 110 can be found in DFARS Clause 252.204-7012 and 48 CFR 52.204-21. The other 61 practices were drawn from multiple sources and from contributions by DoD stakeholders and the Defense Industrial Base (DIB).
What Are the CMMC Requirements and How Can You Prepare for the Audit?
There are various requirements that you should comply with for different CMMC levels. To gain certification, each of the requirements for the respective level must be met. Otherwise, you will have to schedule another audit.
There are four steps that you should follow in preparation for CMMC:
- Determine your target CMMC level
- Conduct a self-assessment
- Ensure your system is up to code
- Gather all the documents necessary for the audit
1. Determine Your Target Level
Depending on the type of DoD contracts you want to bid for, there is a minimum certification level you are required to attain. Though the minimum for all vendors is Level 1, you may be locked out of your target contracts if they require a higher level of certification.
As such, the first step toward attaining CMMC is determining the level you are required to meet. From there, conduct a comprehensive system and protocol assessment to identify areas that require improvement.
2. Perform a CMMC Audit Self-Assessment
At present, there are no clear indications from the DoD as to how the CMMC audit process will take place. Nonetheless, it is likely to borrow from the NIST SP 800-171A assessment guidelines, which are an ideal template to follow as you prepare.
3. Get Your System Ready for CMMC Audit
After the assessment, address all deficiencies and ensure that your system is ready for audit. Since this process requires a lot of resources and technical expertise, it’s often challenging for small businesses. If that’s the case for you, a Managed Security Service Provider (MSSP) is a suitable alternative.
An MSSP can help you interpret the requirements, implement the necessary controls, and monitor the state of your cybersecurity program on an ongoing basis.
4. Gather All the Necessary Documents for the Audit
For each CMMC level of certification, there are documents that the auditor will have to assess that are outlined in NIST SP 800-171A. Even if your system is fully secure, you cannot get certified until all the documents are reviewed.
Considering that auditors will bill you based on the amount of time it takes to complete the audit, make sure that all the documents are ready and available for the audit.
What’s the Cost of CMMC?
One of the major hurdles toward achieving CMMC compliance is the cost involved. As organizations work toward complying, they will need to adjust their cybersecurity practices. More importantly, they will need to work with third-party service providers who are conversant with cybersecurity matters and meet the necessary requirements.
In appreciation of the burden placed on businesses as they scramble to comply with CMMC, the DoD has offered to reimburse contractors for the upgrades. Once you have attained certification, you can bill the cost of CMMC preparation and assessment to the federal government.
CMMC Compliance Is a Process, Not an Event
The road toward full CMMC compliance is a long one. It involves many processes, such as documenting protocols, testing the system, and implementing solutions. From start to finish, expect the process to take at least half a year.
Aim for a Minimum Level 3 Certification
Though the minimum certification requirement is Level 1, you are better off aiming for Level 3 certification. This is especially relevant for organizations that handle Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). Level 3 certification is also necessary if you handle export-controlled data, as it is considered CUI.
Get the Right Partner for CMMC Compliance
Even if you have in-house IT staff, handling CMMC requirements on top of their normal duties is too heavy a burden for them and an unnecessary risk for the company. This is why it is essential to hire a CMMC compliance expert to assess the state of your system and recommend remedial measures.
Xodyak is an IT consulting and systems integration company based in Hampton Roads, Virginia. Schedule a free consultation today to find out how we can help you prepare for your CMMC requirements and attain compliance.