The Cybersecurity Maturity Model Certification (CMMC) is a new requirement from the U.S. Department of Defense (DoD). It mandates that DoD contractors obtain third-party certification showing that appropriate cybersecurity practices are in place, both to meet “basic cyber hygiene” and to protect controlled unclassified information (CUI) that resides on contractor systems.
Why CMMC Formed
The CMMC is a verification mechanism for assessing the cybersecurity posture of contractors in the Defense Industrial Base (DIB). The DoD created the certification to better secure the DIB. The required cybersecurity practices and the protection of CUI are already covered by existing requirements such as the Defense Federal Acquisition Regulation Supplement (DFARS) and the NIST special publications it references; however, those requirements rely on contractor self-attestation, with no third-party assessment to validate that the controls are effective and to issue a certification.
The Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) developed the certification to assess and certify a company’s maturity in cybersecurity practices and processes more broadly. The new certification uses many of those existing standards as the foundation for its framework.
What is the CMMC Comprised Of?
The CMMC is built upon established NIST special publications and DFARS regulations, with some additional sources such as the UK Cyber Essentials scheme and the Australian Cyber Security Centre’s Essential Eight maturity model. There are 17 practice domains containing 171 practices, or controls, distributed across five levels of progression that measure technical control capability.
In parallel, there are five levels of process maturity that measure the extent to which those practices are embedded in the organization’s day-to-day operations. Organizations seeking certification will be certified at one of these five levels.
How are Certification Levels Determined?
The DoD will decide which CMMC level is appropriate for a particular contract and state that level in Sections L and M of the request for proposal (RFP). The DoD will treat certification as a “go/no go” evaluative determination rather than a scored factor. The level required by each contract will depend on the amount of CUI the company will handle or process.
Independent third-party assessment organizations (C3PAOs) will evaluate contractors’ environments for certification. A company will specify the certification level it is requesting and will be certified at that CMMC level once it has demonstrated the corresponding capabilities and organizational maturity to the satisfaction of the assessor and certifier.
As of the date of this publication, no guidance beyond the briefings and the model itself has been issued by the DoD or the accreditation body to help an entity predict how a C3PAO will rate its environment. No organizations have yet been accredited as official C3PAOs, and assessor training materials are still in development. Updates are expected within the next couple of months.
When Will CMMC Compliance be Required?
A number of RFPs with a CMMC requirement were released in the summer of 2020, including the GSA’s STARS III contract, and another set of RFPs carrying a CMMC requirement is expected to be released in the fall.
While there is no official count of RFPs that will require CMMC certification in 2020, we do know that the requirement is not retroactive for existing contracts. By 2026, however, all DoD contracts are expected to include a CMMC requirement.
To learn more about CMMC and how LogRhythm can help organizations meet the Cybersecurity Maturity Model Certification, watch the complimentary webinar, “Understanding the New Cybersecurity Maturity Model Certification.”