The Department of Defense (DoD) is prepared to roll out CMMC 2.0, a revamped version of the Cybersecurity Maturity Model Certification. As of May 2023, a phased implementation of the new version is in place, with the final deadline anticipated in October 2025. What does this mean for organizations wanting to do business with the DoD? Let's take a look.
What is CMMC?
CMMC is designed to ensure all DoD contractors have sufficient security controls to protect sensitive information. Initially announced in mid-2019, version 1.0 of the standard was published in January 2020. CMMC's end goal is to significantly reduce the risk of adversaries penetrating the systems of defense contractors.
As the saying goes, CMMC 'stands on the shoulders of giants' by incorporating requirements from multiple pre-existing frameworks, including those published by NIST, ISO, and AIA. CMMC 2.0, announced in November 2021, follows NIST 800-171 more closely than its predecessor. CMMC 2.0 marks a significant milestone in the ongoing effort to enhance cybersecurity across the defense industrial base: by refining the certification process and easing the compliance burden, the DoD aims to foster a collaborative relationship with industry.
Who Needs to Comply with CMMC?
Anyone wanting to do business with the DoD must be certified under CMMC.
Subcontractors aren’t exempt — every organization throughout the supply chain needs some level of certification. The level of certification needed varies by organization type and the type of information held or transmitted. Although the final deadline to comply with CMMC 2.0 isn't until October 2025, some DoD contractors are beginning to require subcontractors to demonstrate compliance now.
The rule is simple: No certification, no contract.
Further, aspiring contractors are expected to get certified before applying for a contract. However, organizations will be able to reclaim part of the cost if successful in winning a contract.
There is one (and only one) exception to the need for certification. Companies that only sell commercial-off-the-shelf (COTS) products are exempt and will not need to achieve any level of CMMC certification.
What’s Included in CMMC?
CMMC is one of the most comprehensive compliance standards ever produced for cybersecurity. Based on industry best practice — and borrowing heavily from existing frameworks — the standard requires DoD contractors to establish and maintain controls across 43 cybersecurity capabilities:
ACCESS CONTROL (AC)
- Establish system access requirements
- Control internal system access
- Control remote system access
- Limit data access to authorized users and processes
ASSET MANAGEMENT (AM)
- Identify and document assets
- Manage asset inventory
AUDIT AND ACCOUNTABILITY (AU)
- Define audit requirements
- Perform auditing
- Identify and protect audit information
- Review and manage audit logs
AWARENESS TRAINING (AT)
- Conduct security awareness activities
- Conduct training
CONFIGURATION MANAGEMENT (CM)
- Establish configuration baselines
- Perform configuration and change management
IDENTIFICATION AND AUTHENTICATION (IA)
- Grant access to authenticated entities
INCIDENT RESPONSE (IR)
- Plan incident response
- Detect and report events
- Develop and implement a response to a declared incident
- Perform post-incident reviews
- Test incident response
MAINTENANCE (MA)
- Manage maintenance
MEDIA PROTECTION (MP)
- Identify and mark media
- Protect and control media
- Sanitize media
- Protect media during transport
PERSONNEL SECURITY (PS)
- Screen personnel
- Protect CUI during personnel actions
PHYSICAL PROTECTION (PE)
- Limit physical access
RECOVERY (RE)
- Manage back-ups
- Manage information security continuity
RISK MANAGEMENT (RM)
- Identify and evaluate risk
- Manage risk
- Manage supply chain risk
SECURITY ASSESSMENT (CA)
- Develop and manage a system security plan
- Define and manage controls
- Perform code reviews
SITUATIONAL AWARENESS (SA)
- Implement threat monitoring
SYSTEMS AND COMMUNICATIONS PROTECTION (SC)
- Define security requirements for systems and communications
- Control communications at system boundaries
SYSTEM AND INFORMATION INTEGRITY (SI)
- Identify and manage information system flaws
- Identify malicious content
- Perform network and system monitoring
- Implement advanced email protections
Similar to existing frameworks like the CIS Benchmarks, CMMC previously included five levels of certification. One of the primary changes in CMMC 2.0 is the elimination of levels two and four, effectively reducing the number of security tiers from five to three. In this case, Level 1 is the same as the previous Level 1, Level 2 becomes the previous Level 3, and Level 3 becomes the previous Level 5.
- Level 1: Performed - Requires the basic controls needed for essential cyber hygiene. This level of certification is needed by contractors that hold or process mildly sensitive content such as Federal Contract Information (FCI).
- Level 2: Managed - Represents a moderate standard of cyber hygiene for an established organization and requires all 110 NIST controls plus an additional 20 controls from various sources. This level will be a requirement for the majority of DoD contractors that hold or process CUI.
- Level 3: Optimizing - To be certified at Level 3, contractors must have a fully mature cybersecurity function across all 43 capabilities.

Note that the requirements for many capabilities increase as you progress through the certification levels. At the lower levels, many capabilities (e.g., threat monitoring) aren't required at all.
Prepare for CMMC with CimTrak
For many current and aspiring DoD contractors, CMMC represents a significant need to improve cybersecurity maturity.
With version 2.0 of the standard underway and all DoD contracts requiring certification, many organizations face the challenge of revamping their cybersecurity program in the upcoming year.
CimTrak is an IT integrity, security, and compliance tool that makes it easy for organizations to substantially improve cybersecurity maturity. CimTrak continuously monitors your environment and detects changes to assets, files, and accounts. When specified changes occur, CimTrak raises an alert and generates a report, making it easy to identify security issues in hardware and software assets.
Crucially, CimTrak’s functionality maps directly to many of the control objectives of CMMC.
- AC - Access Control
- AM - Asset Management
- AU - Audit and Accountability
- CM - Configuration Management
- IR - Incident Response
- RE - Recovery
- RM - Risk Management
- SA - Security Assessment
- SC - System & Communication Protection
- SI - System & Information Integrity
To find out more about how CimTrak can help your organization align its security strategy and processes with CMMC, download the CMMC Solution Brief today.
Tags: Compliance
February 8, 2024