What is the CMMC?

October 12, 2020
Posted in Resources
October 12, 2020 sean.booker

The Problem

In the past, government contractors only had to adhere to NIST security standards. While these standards established a critical framework for securing information, they weren’t enough to protect against constantly evolving cyber criminals. 

The Defense Industrial Base (DIB) is a vast network with over 300,000 subject-matter experts tied together with contracts and specific projects (not always integrated into a whole). The DoD needed something more to evolve with the times and protect this massive network of vulnerabilities and increasingly sensitive, mission-critical data. 

The CMMC is the DoD’s response to this need due to the ongoing compromise of sensitive defense information located on contractors’ information systems. Previous safeguards and standards are simply no longer sufficient for today’s cyber landscape. 

The CMMC Solution

What It Is

The Cybersecurity Maturity Model Certification (CMMC) is a DoD unified standard for implementing strong cybersecurity practices across the DIB. The CMMC builds upon and improves currently existing NIST cybersecurity standards to account for the ever-changing landscape of defense needs, contractors, vulnerabilities, and cyber threats.   

The new certification contains five levels that assess your organization’s level of cybersecurity preparedness and allow contract specialists to designate a project’s required cybersecurity level.

These levels reflect the maturity and reliability of a company’s cybersecurity infrastructure and how capable they are of safeguarding sensitive government information, now and in the future. Each level builds on the next, requiring compliance with the lower-level specifications.

Five Levels

  • Level 1: The company uses “basic cyber hygiene” practices like using antivirus software or ensuring employees change passwords regularly to protect Federal Contract Information, “not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government.” 
  • Level 2: The company maintains “intermediate cyber hygiene” practices to protect Controlled Unclassified Information (CUI) through implementation of some of the NIST 800-171 r2 security requirements. CUI is “any information that law, regulation, or government-wide policy requires to have safeguarding or disseminating controls,” but does not include certain classified information.
  • Level 3: The company has an established management plan with “good cyber hygiene” practices that protect CUI, including all the NIST 800-171 r2 security requirements as well as additional standards.
  • Level 4: The company has implemented auditing processes and enhanced practices to address the changing tactics of advanced persistent threats (APTs). 
  • Level 5: The company has optimized and enhanced processes in place that provide a more sophisticated ability to detect and respond to APTs.

Contractors will still be responsible for implementing cybersecurity requirements, but the CMMC requires third-party assessments of contractor compliance. After assessment, the contractor will achieve one of these levels and be eligible to apply for contracts requiring that level (or below) of cybersecurity preparedness. 

What it Means for You

The CMMC details were released on January 31st, 2020, allowing plenty of time to review the requirements and begin preparations now. Very soon, the DoD will accredit their third-party assessors, establish a certification process, and begin requiring the CMMC on all contracts. Now is the time to review all technical requirements and start repositioning your security safeguards to meet the CMMC requirements. 

DoD contractors that have already started to evaluate their practices, procedures and gaps when the details are finalized will be well-positioned to navigate the process and meet the mandatory CMMC contract requirements for upcoming projects.

Booker DiMaio is a cybersecurity and IT expert with decades of Defense Industrial Base experience. Our unique CompleteCloud business solution and data engineering capabilities help others achieve the required level of cybersecurity excellence for the CMMC. Schedule a free consultation by visiting our CompleteCloud site or by emailing us at sales@bookerdimaio.com.

P.S. Want to learn more about the CMMC requirements and how to check them off your list? Watch the full CMMC webinar here.