By: Kellep Charles and Adrian Williams
So, if you haven’t heard or if you are not familiar with the cybersecurity maturity model certification (CMMC), don’t worry about it, we are here to explain it all to you.
The CMMC is a certification procedure developed by the Department of Defense (DoD) to certify contractors have the controls to protect sensitive data including Federal Contract Information and Controlled Unclassified Information (CUI). The CMMC Model is based on the best-practices of different cybersecurity standards including NIST SP 800-171, NIST SP 800-53, ISO 27001, ISO 27032, AIA NAS9933 and others into one cohesive standard for cybersecurity. The Domains have seventeen (17) sections listed below:
- Access Control
- Asset Management
- Audit and Accountability
- Awareness and Training
- Configuration Management
- Identification and Authentication
- Incident Response
- Media Protection
- Personnel Security
- Physical Security
- Risk Management
- Security Assessment
- Situational Awareness
- Systems and Communications Protection
- System and Information Integrity
The CMMC contains five levels ranging from basic hygiene controls to state-of-the-art controls, but unlike NIST 800-171, the CMMC will not contain a self-assessment component. Every organization that plans to conduct business with the Department of Defense will be required to undergo an audit by an authorized auditing entity before bidding on a contract or subcontracting to a prime.
The CMMC is intended to serve as a verification mechanism to ensure appropriate levels of cybersecurity practices and processes are in place to ensure basic cyber hygiene as well as protect controlled unclassified information (CUI) that resides in the Department’s industry partners’ networks. CUI is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.
Version 1.0 of the CMMC framework will be available in January 2020 to support training requirements. In June 2020, the industry should begin to see the CMMC requirements as part of Requests for Information. The initial implementation of the CMMC will only be within the DoD, but we predict this will be expanded to the Federal sector at some point as well.
So, how can we obtain the CMMC for our organization?
As stated, there is no self-certification. Your organization will coordinate directly with an accredited and independent third-party commercial certification organization to request and schedule a CMMC assessment. Your company will specify the level of the certification requested based on your company’s specific business requirements. Your company will be awarded certification at the appropriate CMMC level upon demonstrating the appropriate maturity in capabilities and organizational maturity to the satisfaction of the assessor and certifier. Once your certification has been obtained, the level will be made public, however, details regarding specific findings will not be publically available. The DoD will only see your certification level.
Why is it important?
Existing measures have failed the U.S., just take a look at the Chinese J-31 aircraft as a prime example, which is very similar to the American F-35 Joint Strike Fighter. The question is not whether U.S. adversaries have become better innovators, as compared to becoming better thieves. The NIST 800-171 relies on organizations to self-assess their posture and then report their compliance. Self-assessments cannot be truly trusted, thus a new approach is needed.
In addition, compliance does not mean you are secure and will never equal that. Compliance requires only achieving a level of implementation and making sure items are in place. For example, putting a lock on a door may satisfy a compliance requirement, but the type of lock and the type of door that affects how safe and secure the item being protected can actually be safeguarded. To address these shortcomings, as well as protect the information, CUI and national security the CMMC is a welcome and needed mechanism.