Cybersecurity Maturity Model Certification (CMMC) Compliance Guide
Anwita
Sep 20, 2024
Your organization’s data is perhaps its most valuable asset. Protecting its security, confidentiality, and integrity is key to keeping the organization safe. That need becomes even more pronounced when you work with the United States Department of Defense (DoD), which requires its contractors to meet the Cybersecurity Maturity Model Certification (CMMC).
The CMMC ensures adherence to DoD cybersecurity standards and helps DoD contractors implement necessary cybersecurity practices.
Your compliance with the CMMC program is key to demonstrating your ability to handle DoD data securely.
If you are a service provider to the DoD, a subcontractor to one of the DoD’s prime contractors, or are planning to enter the Defense Industrial Base (DIB), CMMC certification will be a prerequisite for winning work. Here’s a lowdown on the CMMC program, its requirements, and how to go about meeting them.
- CMMC 2.0 has three levels: Level 1 (Foundational) covers basic safeguarding of FCI, Level 2 (Advanced) applies the 110 NIST SP 800-171 security requirements for protecting CUI, and Level 3 (Expert) adds requirements from NIST SP 800-172 for the most sensitive programs.
- To get CMMC certified, determine your required level, appoint a compliance manager, track where CUI flows, develop a plan, mitigate risk, and continuously monitor.
- CMMC 2.0 reduces the original five levels to three, aligns directly with NIST standards, allows annual self-assessment for Level 1 and a subset of Level 2, and reduces complexity and cost while keeping the underlying cybersecurity requirements intact.
What is CMMC?
The Cybersecurity Maturity Model Certification, CMMC for short, is a unified cybersecurity framework developed by the US Department of Defense to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) at every tier of the DoD supply chain.
The CMMC program standardizes cybersecurity requirements and gives the DoD a way to verify how far organizations have actually implemented the required practices, rather than taking self-declared compliance on trust. CMMC compliance therefore gives the DoD assurance that its contractors and subcontractors meet its cybersecurity requirements and can protect sensitive DoD data.
It also helps organizations that constitute the DIB assess their current security posture, identify security gaps, optimize their processes, and maintain cyber hygiene per DoD’s requirements.
What is CMMC Compliance?
CMMC compliance means implementing, and being able to demonstrate, the cybersecurity practices the DoD requires of organizations that handle FCI or CUI on its behalf.
Why is CMMC compliance important?
CMMC compliance is important because it helps contractors implement strong cybersecurity practices, reducing the risk of cyberattacks and data breaches.
Its primary goal is to protect sensitive government information, including FCI and CUI, while also strengthening the security of the defense supply chain.
Who needs to comply with CMMC?
CMMC certification is for organizations that handle DoD information. The required level depends on the type of information the organization handles: organizations that handle only Federal Contract Information (FCI) need Level 1, organizations that handle Controlled Unclassified Information (CUI) need at least Level 2, and Level 3 is reserved for contractors supporting the DoD’s most sensitive programs. CMMC is not a personnel security clearance; it assesses the contractor’s information systems and practices. The required level is specified in each contract, so one organization may need different levels for different pieces of work.
All defense contractors that handle FCI or CUI will be required to have a CMMC certification at the appropriate level. This includes:
• Small businesses
• Contractors that handle FCI, CUI, or both
• Subcontractors
• Commercial contractors
Note that CMMC applies only to DoD contracts that involve FCI or CUI, not to all US government contractors; acquisitions solely for commercial off-the-shelf (COTS) items are excluded.
To become CMMC certified at Level 2, companies must implement the required practices and pass an external assessment carried out by authorized and accredited CMMC Third-Party Assessment Organizations (C3PAOs). C3PAOs must be accredited by the Cyber AB (formerly the CMMC Accreditation Body); check the Cyber AB marketplace for a list of accredited C3PAOs. Level 3 assessments are conducted by the DoD’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). Level 1, and a subset of Level 2 contracts, require only an annual self-assessment, affirmed by a senior company official.
During the assessment, organizations must produce documented evidence for the required processes and practices, and demonstrate the necessary capabilities.
Successful assessments result in the issuance of CMMC certificates to the DIB organization at an appropriate maturity level. Wondering what the levels of maturity are? We’ve covered that in the later section.
At the time of writing, the DoD’s plan is to phase CMMC requirements into solicitations so that they appear in all applicable contracts by fiscal year 2026; check the current DoD rulemaking for the exact phase-in dates. Once a solicitation carries a CMMC requirement, contractors must hold the required level to be eligible for award.
Domains, Practices, and Maturity Levels
The original CMMC 1.0 model organized cybersecurity processes and best practices into 17 domains spanning five levels of maturity. Each domain contained one or more capabilities, and each capability was demonstrated through one or more practices (171 in total across all five levels).
Capability Domains
Each domain comprises processes and capabilities across the five levels of CMMC. The 17 domains are listed in the CMMC compliance requirements section below.
Processes, Practices & Maturity Levels
The processes and practices an organization must demonstrate depend on the level it is required to reach, which in turn depends on the type of DoD information it handles.
Here’s a quick overview of each CMMC 1.0 maturity level, its practice count, the process maturity expected, and its focus:
- Level 1: 17 practices; processes performed (no documentation required); focus on safeguarding FCI.
- Level 2: 72 practices; processes documented; a transition step toward protecting CUI.
- Level 3: 130 practices; processes managed; focus on protecting CUI.
- Level 4: 156 practices; processes reviewed; focus on protecting CUI and reducing the risk from advanced persistent threats (APTs).
- Level 5: 171 practices; processes optimizing; focus on protecting CUI and reducing APT risk.
These aren’t mere checkboxes but should be seen as processes or activities ingrained in an organization’s operations. The following section details each maturity level.
CMMC compliance levels
The original framework had five CMMC compliance levels against which DoD contractors and subcontractors were assessed to determine the extent and maturity of their information systems’ cybersecurity processes and practices.
Note: The CMMC program has since been restructured. CMMC 2.0, announced in November 2021, reduced the five levels to three to streamline the certification process. The new levels are Level 1 (Foundational), Level 2 (Advanced), and Level 3 (Expert). The five-level breakdown below describes the original model.
This breakdown makes it easier for organizations to meet the minimum cybersecurity standards that match their risk profile (based on the type of sensitive information they handle).
Here are the five levels of the original CMMC 1.0 model:
Level 1: Basic Cyber Hygiene
Level 1 defines the minimum level of cyber hygiene required to protect FCI. It includes 17 practices, corresponding to the basic safeguarding requirements of FAR 52.204-21 (which in turn map to a subset of NIST SP 800-171), and only requires that the practices be performed: there is no requirement to document security processes at this level. It is the easiest of the five levels to achieve.
Practices, typically, can be defined as the specific technical activities that must be performed to showcase a specific level of cybersecurity maturity.
Level 2: Intermediate Cyber Hygiene
Level 2 is a step up from Level 1 and is, in essence, a transition point toward managing CUI. It requires 72 practices (the 17 from Level 1 plus 55 more) and requires organizations not only to perform them but to document the associated policies, processes, and procedures.
Level 3: Good Cyber Hygiene
This level requires adherence to 130 practices and is the minimum level needed to use, share, or handle CUI. It includes all 110 security requirements of NIST SP 800-171 plus 20 additional practices, and requires organizations to demonstrate that their cybersecurity processes are managed: documented, resourced, and operating under a plan.
Level 4: Proactive Cyber Hygiene
Level 4 comprises 156 practices and indicates a reasonably advanced cybersecurity program. To achieve Level 4 certification, organizations must review their activities for effectiveness and report the results to management, not just document them. The focus at Level 4 also shifts toward proactively defending against Advanced Persistent Threats (APTs), rather than only protecting CUI as at Level 3.
Level 5: Advanced & Progressive Cyber Hygiene
Level 5 includes 171 practices and is the highest level of CMMC 1.0 compliance. Organizations with Level 5 certification have an advanced and progressive cybersecurity program in place to protect CUI from APTs. A Level 5 certification indicates that the organization can respond to changing APT tactics and that its processes are optimizing: continuously reviewed and improved across the enterprise.
Note that these practices are not new: they derive from FAR 48 CFR 52.204-21, NIST SP 800-171 Rev. 1, and Draft NIST SP 800-171B (later published as NIST SP 800-172). Each level builds on the ones before it, so a Level 5 organization also meets all lower levels.
CMMC Compliance requirements
Under CMMC 2.0, the practices you must implement depend on your level. Level 1 includes 17 practices in six domains, all taken from FAR 52.204-21. Level 2 requires the 110 security requirements of NIST SP 800-171, grouped under 14 domains that correspond to the 800-171 control families. Level 3 adds a selected set of requirements from NIST SP 800-172 on top of Level 2.
The 17 domains of the original model are listed below. The three marked with an asterisk were specific to CMMC 1.0 and are not part of CMMC 2.0 Level 2, which aligns with the 14 NIST SP 800-171 families:
- Access Control (AC)
- Incident Response (IR)
- Risk Management (RM)
- Asset Management (AM)*
- Maintenance (MA)
- Security Assessment (CA)
- Awareness and Training (AT)
- Media Protection (MP)
- Audit and Accountability (AU)
- Personnel Security (PS)
- System and Communications Protection (SC)
- Configuration Management (CM)
- Physical Protection (PE)
- System and Information Integrity (SI)
- Identification and Authentication (IA)
- Recovery (RE)*
- Situational Awareness (SA)*
All DoD suppliers will have to be certified to the appropriate CMMC level to continue doing business with the DoD once the CMMC requirements are mandated. NSF-ISR was named one of the first C3PAO candidates to participate in the CMMC program.
Giles suggests that organizations start the CMMC process with a basic question: Does my organization have controlled unclassified information? This is information created or owned by the government that needs to be safeguarded and released only under proper, legal and regulated controls, such as parts for a new defense aircraft or specifications for military uniforms.
How do I get CMMC compliant?
Getting CMMC compliant starts with determining your requirement level, appointing a compliance manager, and ending with continuous compliance monitoring. The end-to-end process requires time, effort, expertise, and dedication.
We spoke to our in-house auditors to summarize the CMMC compliance checklist to help you get started.
Step 1: Determine your requirement level
The controls applicable to your business depend on the CMMC level your contracts require, which is driven by the type of information you handle (FCI only, or CUI). Each level builds on the previous one, so identifying the right level before you start is critical.
Step 2: Appoint a compliance manager
Select someone to oversee the CMMC compliance activities. This person will be responsible for collaborating with external stakeholders, developing the right policies to meet the organization’s objectives, ensuring that all activities align with the CMMC checklist, and developing a timeline for each activity.
Step 3: Collaborate, communicate, and document
Understand the people, processes, and technologies in your infrastructure. Know who is responsible for each sensitive system and which controls protect it, and coordinate with all functions to establish a single channel for communicating compliance efforts. Document the roles of contractors and third-party stakeholders.
Step 4: Track the CUI flow within your systems
To protect CUI, you should know where and how it flows within your IT environment. Once identified, r