If your business plans to work with the DoD, you will need to meet the appropriate level of cybersecurity preparedness.
With each year bringing an increase in the number and sophistication of cyberattacks, the DoD has made an ongoing priority to improve security around its network of suppliers and contractors, especially with regard to Federal Contact Information (FCI) and Controlled Unclassified Information (CUI).
In the past, cybersecurity protocols designed to safeguard this information have included DFARS clause 252.204-7012, 48 CFR 52.204-21, and NIST SP 800-171. The Cybersecurity Maturity Model Certification (CMMC) is designed to unify these protocols into a comprehensive framework that businesses can use to demonstrate their own cybersecurity compliance.
What makes the CMMC different from NIST SP 800–171?
NIST SP 800–171 and other cybersecurity standards to date have been self-assessments. The CMMC is move away from a self-assessment and toward an external assessment. Businesses planning to work with the DoD will need to have attained a requisite level of CMMC maturity, otherwise they will be deemed ineligible to hold a contract. Because of this, businesses should be proactive in meeting these requirements, especially if DoD work comprises a significant portion of their business model.
CMMC practices are divided into seventeen domains, each with their own set of related capabilities. For instance, the domain of “Audit and Accountability” includes such capabilities as “Define audit requirements” and “Perform auditing.” The first CMMC level only touches on six of the seventeen domains, and the two with the most comprehensive list of practices are “System and Communication” and “Access Control,” with twenty-seven and twenty-six practices respectively. (By contrast, the domain of Personnel Security only has two practices.)
The following are the five levels of CMMC maturity to help give you an idea of what is required to attain certification, and how it will affect your business model.
Level 1: Basic cybersecurity hygiene practiced.
At the most basic CMMC level, businesses only need to practice the kind of cybersecurity hygiene that most of us take for granted—such as using strong passwords and connecting to the Internet through a secure network. Many businesses should already be at this level, and the main concern is to protect FCI. Businesses which do not handle CUI do not need to go beyond this level.
Businesses at Level 1 do not need to document their practices, although they are required to perform them.
Level 2: Intermediate cybersecurity hygiene practiced and documented.
To achieve Level 2, businesses will need to demonstrate that they are not only performing basic cybersecurity hygiene, but are creating processes that incorporate these practices in a systemic, repeatable way.
Level 2 includes 72 practices in total, 48 of which are from NIST SP 800–171. Some of these practices pertain to the protecting of CUI. That said, Level 2 is mostly an intermediate level, designed to help businesses transition to Level 3. There won’t be many government contracts that need more security than Level 1 but not as much as Level 3.
Level 3: Full NIST SP 800-171 compliance plus 20 additional practices and organizational management.
Many businesses intending to work with the DoD would do well to aim for Level 3 CMMC certification. This stage encompasses all practices from NIST SP 800–171, as well as an additional ten practices that go above and beyond those requirements.
At Level 3, businesses need to specifically include senior management in the implementation of cybersecurity practices. Stakeholder buy-in is a key aspect of CMMC, as support from leadership is critical for ensuring security protocols are practiced and maintained throughout the organization.
Level 4: Reviewing cybersecurity hygiene and taking proactive measures.
At level 4, businesses begin taking a proactive approach toward identifying and heading off Advanced Persistent Threats (APTs). This requires a regular review of security practices to be sure that they are still sufficient to protect against shifting security threats. Businesses will need to establish security metrics and then measure their performance against those metrics.
Like Level 2, Level 4 is a transition toward Level 5. It will require increasing support from stakeholders to ensure that the appropriate audits are being performed and security targets met.
Level 5: Optimizing processes and implementing advanced practices.
To achieve Level 5, businesses must implement one-hundred and seventy-one practices across all seventeen CMMC domains for the strictest and most advanced cybersecurity protocols. Maintaining Level 5 certification is an ongoing effort, with businesses required to optimize practices across all domains, and to standardize their processes across their organization.
At Level 5, businesses will also need to fully document their procedures, and demonstrate that they are taking proactive measures to keep their systems secure.
Be prepared to work with a CMMC registered practitioner to meet cybersecurity standards.
For most businesses, working with a CMMC expert will be necessary to meet the appropriate maturity level. More information about the CMMC model and assessment guides can be found on the DoD’s Acquisition and Sustainment website. If you have further questions about what your businesses requirements will be, speak to your contracting officer or reach out to Brightline Technologies. Our team includes two CMMC Registered Practitioners (RPs) who can assess your needs and help you meet your goals.