Cybersecurity Maturity Model Certification (CMMC)

CMMC & the Defense Industrial Base (DIB)

With more than 300,000 Department of Defense (DoD) companies and subcontractors essential to military operations, the defense industrial base (DIB) is a frequent and valuable target for malicious cyberattacks. Potential breaches of intellectual property in this sector could weaken U.S. defense capabilities and become a matter of national security.

In an attempt to increase the security and resiliency of the DIB, the U.S. Department of Defense launched Version 1.0 of the Cybersecurity Maturity Model Certification (CMMC) in January 2020. Adapted from industry-recognized frameworks, the CMMC represents a unified cybersecurity standard required for all contractors hoping to do work with the DoD. In this post, we’ll take a closer look at the CMMC framework and how your company can start preparing now for CMMC certification.

9 Dot Security Solutions is a Registered Practitioner (RP) certified by the CMMC Accreditation Body (CMMC-AB). This partnership allows 9DSS to provide approved consulting services and join an ecosystem of accredited cybersecurity companies working towards CMMC compliance and an improved cybersecurity posture for DIB companies, ultimately protecting the U.S. Department of Defense (DoD) supply chain.

What is CMMC?

CMMC stands for “Cybersecurity Maturity Model Certification” and is a unifying standard for the implementation of cybersecurity across the Defense Industrial Base (DIB). The CMMC framework includes a comprehensive and scalable certification element to verify the implementation of processes and practices associated with the achievement of a cybersecurity maturity level. CMMC is designed to provide increased assurance to the Department that a DIB company can adequately protect sensitive unclassified information, accounting for information flow down to subcontractors in a multi-tier supply chain.

DoD is migrating to the new CMMC framework in order to assess and enhance the cybersecurity posture of the Defense Industrial Base (DIB) sector. The CMMC is intended to serve as a verification mechanism to ensure that DIB companies implement appropriate cybersecurity practices and processes to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) within their unclassified networks.

What is the CMMC Accreditation Board (CMMC-AB)?

The CMMC Accreditation Body is authorized by the US Department of Defense to be the sole authoritative source for the operationalization of CMMC Assessments and Training within the DoD contractor community or other communities that may adopt the CMMC. The CMMC-AB establishes and oversees a qualified, trained, and high-fidelity community of assessors that can deliver consistent and informative assessments to participating organizations against a defined set of controls/best practices within the Cybersecurity Maturity Model Certification (CMMC) Program. The CMMC-AB is also responsible for the registration, training, and certification of all CMMC Third-Party Assessor Organizations (C3PAOs), Registered Practitioners (RPs), CMMC Certified Assessors (CAs), and Licensed Instructors.

CMMC Certification Levels

Building upon existing frameworks and standards, the CMMC incorporates a selection of security controls from NIST 800-171, NIST 800-53, ISO 27001, ISO 27032, DFARS 252.204-7012, and FedRAMP to create one maturity model. The CMMC also pulls from the Federal Acquisition Regulations System, which details basic security controls for protecting CUI that all organizations must follow under the CMMC. The CMMC organizes these cyber practices and processes into five cumulative maturity levels ranging from basic cyber hygiene to advanced security operations.

    • Level 1 – Basic Cyber Hygiene: Level 1 practices are foundational and required for all higher CMMC levels. This level is centered around the safeguarding of Federal Contract Information (FCI), which is government information not intended for public release, and corresponds to the requirements specified in 48 CFR 52.204-21 and NIST SP 800-171, which detail 17 basic cyber hygiene practices to protect FCI.
    • Level 2 – Intermediate Cyber Hygiene: Level 2 creates a maturity-based progression for organizations to transition from Level 1 to 3. At Level 2, an organization is expected to establish and document practices and policies for CMMC compliance. This level includes 55 additional cyber hygiene practices from NIST SP 800-171 as well as others and references the protection of CUI.
    • Level 3 – Good Cyber Hygiene: A Level 3 certification indicates a basic ability to protect CUI and effective implementation of the security requirements of NIST SP 800-171. At this level, organizations are expected to adequately maintain activities and review policies and processes, demonstrating a plan to manage specific activities. This level requires an additional 58 cyber hygiene practices from NIST SP 800-171 and others for a total of 130.
    • Level 4 – Proactive: Level 4 requires enhanced cybersecurity practices that can defend CUI from advanced persistent threats (APTs), or malicious long-term attacks to mine for sensitive information. At Level 4, organizations are expected to review and document activities for effectiveness and inform upper management of any issues. This level adds another 26 cyber hygiene practices from Draft NIST SP 800-171B plus others, for a total of 156 hygiene practices.
    • Level 5 – Advanced / Progressive: Level 5 centers on the protection of CUI from APTs through the sophisticated ability to optimize cybersecurity capabilities. Organizations at this level are expected to improve and standardize process implementation across the enterprise. This level includes 15 more practices beyond the first four levels from Draft NIST SP 800-171B and others, bringing the total number of cyber hygiene practices to 171.

The five CMMC certification levels reflect the maturity and reliability of an organization’s cybersecurity infrastructure and controls, and its ability to safeguard sensitive government information. The levels are cumulative, meaning compliance with a higher level requires meeting all of the security and technical specifications of the lower levels. DoD contracts with greater risk exposure will require contractors to meet higher security standards, so a higher certification level will be necessary. Other than the fact that Level 3 contracts and higher will deal with significantly more CUI, specifics regarding which types of contracts are associated with each certification level have not yet been released.

How to get CMMC Certified

Since companies are not allowed to self-certify under the CMMC, they must be audited by a certified third-party assessment organization (C3PAO) or an accredited individual assessor to achieve compliance. C3PAOs are authorized to manage the assessment process for organizations seeking compliance with the CMMC. C3PAOs provide advisory services, schedule the assessments, hire and train individual assessors, and review the results with the CMMC Accreditation Body (CMMC-AB) Quality Auditors.

Companies seeking a CMMC Certificate will first need to identify the maturity level against which they want to be audited for compliance. Companies will then need to find an available C3PAO, who will schedule the assessment with a certified independent assessor. When performing the assessment, the independent assessor will evaluate security gaps and weaknesses and determine whether the company’s environment meets the CMMC requirements for that specific level. Companies will have up to 90 days to resolve any issues and close any gaps with the C3PAO.

If a company achieves compliance at any level, a CMMC certification notice will be public knowledge. However, specific findings will be kept private, and certification failures will not be made public.

Preparing for CMMC Certification

Even though full implementation of the CMMC will take roughly five years, companies should not wait to start on certification efforts. Writing policies, deploying solutions, and instituting the necessary changes will take considerable time. Depending on your current environment and level of cyber hygiene, your company should plan for at least six months to achieve compliance. With the DoD planning to roll out proposals requiring CMMC compliance by the end of the year, there is no time to delay on certification preparations.

To get started on compliance efforts for the CMMC, your company should:

    • Determine which CMMC level your company hopes to obtain, and start reviewing the cyber hygiene requirements that will be necessary for compliance.
    • Start drafting a budget for CMMC compliance to include costs for enhancing security requirements, updating policies, leveraging applications, contracting a third-party assessor, and any additional measures.
    • Configure your existing security environment to align to NIST 800-171 requirements; contractors that have implemented all controls should be able to successfully achieve CMMC Level 3.
    • Build a Plan of Action & Milestones (POA&M) to ensure continual compliance with NIST 800-171 and existing contracts and establish timelines and resource requirements.

While you cannot earn CMMC compliance until C3PAOs and independent assessors are certified, you can begin planning for an initial readiness assessment with a professional cybersecurity consulting firm, like 9 Dot Security Solutions.

CMMC Readiness Assessment

The first step towards certification is for the DoD contractor to get a third-party Readiness Assessment completed to see how close, or how far away, the DoD contractor is from meeting the minimum requirements outlined in the appropriate CMMC Level. The Readiness Assessment is designed to discover inadequate system setups and processes that may not meet all of the required controls. Taking a close look at a company’s network and procedures is the first step to ensuring compliance.

The results of the CMMC Readiness Assessment may reveal issues in areas such as:

    • How access to information systems is controlled
    • How managers and information system administrators are trained
    • How data records are stored
    • How security controls and measures are implemented
    • How incident response plans are developed and implemented

Without a gap analysis, it’s impossible to know what changes an organization needs to make before it meets the required CMMC Level. The professionals at an MSSP use their findings to create remediation plans that will correct any problems and keep clients in line with CMMC requirements.

The gap analysis will either aid a DoD contractor in performing its own remediation plan, or the contractor may opt to have a third party, such as an MSSP, perform the remediation for it.

CMMC Assessment for DoD Contractors

The CMMC is the DoD’s first attempt to set clear cybersecurity requirements for its contractors and verify that they are implementing the appropriate level of security before handling sensitive defense information. Although the CMMC is still in its developmental stages, your company should start getting prepared for certification now by understanding its requirements, leveraging guidance from compliance experts, and aligning security controls and policies with its framework.

9DSS stands ready to help you on your road to CMMC certification. Through our many engagements, we’ve fine-tuned several solutions that enable our clients to prepare to achieve compliance faster and at a lower cost compared to other solutions that have been popping up in the market recently.

© 9 Dot Security Solutions, All Rights Reserved.