The Cybersecurity Maturity Model Certification (CMMC) is a system of compliance levels that helps the U.S. defense community determine whether an organization has the security protections necessary to work with controlled or otherwise sensitive data. It is a Department of Defense (DoD) requirement designed to ensure that cybersecurity controls and processes adequately protect Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) residing on Defense Industrial Base systems and networks.
CMMC is how contractors validate their compliance with DoD cybersecurity standards. Compliance is designed to protect every point of the Defense Industrial Base (DIB). Companies that want to work with the DoD generally adopt the CMMC framework and its best practices because they will need to become CMMC compliant and meet its specific requirements.
Who Needs CMMC?
CMMC certification is required of DoD contractors and subcontractors that handle sensitive information. Depending on the type of information the organization handles, it must attain a particular level of certification.
Every organization within the DoD supply chain, including prime contractors and subcontractors, is required to achieve CMMC certification. According to the DoD, CMMC compliance regulations affect some 300,000 organizations.
What Are the Levels of CMMC?
CMMC defines several levels, and an organization must know which one applies to it. Specifically, the CMMC framework defines three cybersecurity maturity levels designed to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) that is handled, stored and/or otherwise processed by DIB companies and contractors. The latest CMMC 2.0 model contains three levels and replaced the previous 5-tier system. These three levels (Foundational, Advanced, Expert) describe an organization’s security posture.
Level 1 is the lowest level of security control required of a defense contractor to earn CMMC certification. It is considered the basic cybersecurity hygiene needed to handle Federal Contract Information (FCI). Six domains, containing nine capabilities, require 17 practices to be active and integrated within the organization to reach Level 1 compliance. The requirements covered in Level 1 include system and communication protection, media protection, system and information integrity and more.
Level 2 focuses on intermediate cyber hygiene and creates a logical but necessary progression for organizations moving from Level 1 to Level 3. In addition to safeguarding FCI, Level 2 begins to include protection of Controlled Unclassified Information (CUI). Organizations are required to satisfy the objectives of 110 practices aligned with NIST SP 800-171. Level 2 can be broken down into objectives that address cybersecurity requirements related to people, facilities, equipment and processes; these objectives are further broken down into practices. For instance, there are 22 practice requirements for Access Control, 9 for Audit and Accountability and 11 for Identification and Authentication.
Level 3 of CMMC focuses on reducing the impact of advanced persistent threats and is designed for companies working with CUI on the DoD’s highest-priority programs. There are 130 controls that make up CMMC Level 3, which encompass the Level 1 and Level 2 controls. A CMMC Level 3 audit covers 100 percent of the NIST SP 800-171 CUI controls and adds 20 further controls drawn from various sources.
What Are Examples of Requirements?
CMMC is about organizations demonstrating an internal ability to control their cyber environments, so many different aspects must be addressed. Level 1 requirements associated with Access Control include controlling information that is posted or processed on publicly accessible information systems, and limiting information system access to authorized users, to processes acting on behalf of authorized users, and to authorized devices (including other information systems). Under Media Protection, the organization must sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.
Level 2 requirements associated with Access Control comprise 22 practices covering user access provisioning, securing application services on public networks and mobile device policies. Under Media Protection there are nine practices, including a clean desk and screen policy along with proper handling of assets and disposal of media. Under Personnel Security there are two practices: personnel screening and termination.
Level 3 requirements add eight practices to those of Levels 1 and 2. Among them are authentication and encryption measures for safeguarding wireless access, and cryptography to protect the confidentiality of remote access sessions. There are four additions under Media Protection, including marking or coding any media containing CUI that is intended for limited distribution, and disallowing the use of portable storage devices of unclear ownership or origin.
Cybersecurity will always be a critical element in protecting the cyber world. This applies to your own personal data, your business’s data and any data used for e-government purposes. At the government level, where cybersecurity is tantamount to protecting national security, the CMMC framework promotes the latest data security requirements to maintain data integrity.