Security requirements such as NIST 800-171 and CMMC, and what MSPs and MSSPs need to know about how they affect cybersecurity and how to comply.
CMMC 2.0 - The Basics
Since 2018, the Department of Defense (DoD) has been working to set up a process to ensure that all defense contractors meet cybersecurity requirements for handling federal contract information (FCI) and controlled unclassified information (CUI). In this blog, we discuss the security requirements in NIST SP 800-171 and the Cybersecurity Maturity Model Certification (CMMC). We cover what you need to know about how these standards will affect your approach to cybersecurity and what you need to do to comply.
Fundamentally, NIST SP 800-171 and CMMC were designed to ensure that defense contractors meet at least a basic level of cybersecurity hygiene when protecting sensitive defense information (CUI). Federal contractors who provide IT services will already be familiar with the Capability Maturity Model Integration (CMMI) appraisal process. CMMI is a maturity model used to rate an organization's software development processes, and a CMMI rating has become a common requirement for contractors bidding on IT-related government contracts. CMMC is an attempt to put a similar process in place for cybersecurity. The CMMC model and its rollout have undergone many updates since CMMC 1.0 was formally introduced in January 2020; the current revision, CMMC 2.0, was announced in November 2021 and is still being finalized.
DoD is aiming to release a DFARS interim rule that will codify CMMC 2.0 in regulation by June 2023 and to start including CMMC requirements in DoD contracts by September 2023. Eventually, your contract will specify the CMMC level your organization must achieve. The level required depends on the type of information your organization handles. Organizations that handle only FCI will need to achieve Level 1 (Foundational). Any organization that handles CUI will need to achieve at least Level 2 (Advanced). CMMC Level 3 (Expert) will be required of contractors and university researchers that work with CUI on DoD's highest-priority programs. The exact cybersecurity requirements for Level 3 have not yet been finalized by DoD.
What Is the CMMC Framework?
The CMMC 2.0 framework defines the security requirements for each level and adds a scalable assessment and certification element to verify that the practices associated with a given level have actually been implemented.
The framework is designed to ensure that defense contractors can adequately protect controlled unclassified information (CUI), accounting for the flow of that information down to subcontractors in a multi-tier supply chain. The key to CMMC is in the name: it follows a maturity model similar in spirit to the CMMI used for assessing software development maturity.
CMMC 2.0 is a recognition by DoD that improving security posture requires contractors to integrate standard security controls and practices into daily operations, as opposed to checking off items on a compliance list. Through the assessment process, contractors must demonstrate that they have implemented the security requirements and codified them in policies, procedures and evidence of practice.
The CMMC 2.0 framework aligns a set of practices with the type and sensitivity of the information to be protected and the associated range of threats. The practices are drawn from existing NIST standards rather than invented for CMMC: NIST SP 800-171 for Levels 1 and 2, and for Level 3 a subset of the enhanced requirements in NIST SP 800-172, which in turn draws on NIST SP 800-53. What CMMC 2.0 adds is the certification element that verifies those practices are in place.
What Are the 3 CMMC 2.0 levels?
Unlike NIST SP 800-171, which is a single set of 110 security requirements, the CMMC 2.0 model has three levels. The model is cumulative: each level consists of its own practices plus all of those specified in the lower levels.
CMMC 2.0 levels can be summarized this way:
- CMMC Level 1 (Foundational): safeguard federal contract information (FCI) with the basic cyber hygiene practices that correspond to the safeguarding requirements in FAR 52.204-21.
- CMMC Level 2 (Advanced): protect controlled unclassified information (CUI) by implementing all 110 security requirements of NIST SP 800-171.
- CMMC Level 3 (Expert): protect CUI on DoD's highest-priority programs by adding a subset of the enhanced requirements from NIST SP 800-172 on top of Level 2.
Each level consists of a set of practices, ranging from basic cyber hygiene at Level 1 to advanced cybersecurity at Level 2 and expert-level protection at Level 3. Each step up indicates a higher degree of protection for sensitive information. To achieve a given CMMC level, an organization must demonstrate all the practices of the preceding lower levels as well. CMMC 1.0 also scored process maturity separately from practices and certified an organization at the lower of the two; CMMC 2.0 dropped that separate maturity dimension, but assessors still expect to see practices institutionalized through documented policies and procedures, not just implemented once.
Level 1 consists only of practices that correspond to the basic safeguarding requirements for federal contract information. Level 2 requires that organizations implement all 110 NIST SP 800-171 requirements and, in practice, establish and document the policies and procedures behind them, since assessors need evidence that each requirement is in place rather than a claim that it is.
Level 3 builds on the Level 2 requirements by adding a subset of the enhanced security requirements in NIST SP 800-172. (The earlier CMMC 1.0 model also drew Level 3 practices from NIST SP 800-53, the Aerospace Industries Association's National Aerospace Standard 9933, Critical Security Controls for Effective Capability in Cyber Defense, and the CERT Resilience Management Model; CMMC 2.0 removed those CMMC-unique practices.) Level 3 also requires organizations to show that the security program is established, maintained and resourced. A plan covering missions, goals, projects, resourcing, training and the involvement of relevant stakeholders is the kind of evidence assessors will look for.
At Level 3, contractors need the security and technical infrastructure not only to host CUI but also to keep delivering the contracted service under attack. The government wants assurance that a contractor has the security, infrastructure and operational resilience to fulfill a contract through its entire term. Demonstrating this requires contractors to implement policies and procedures and to show they are executing them by providing appropriate evidence and artifacts.
Only a small percentage of contractors will need a Level 3 certification. Level 3 will likely apply only to companies handling data that foreign nation-state actors are known to target.
Authorized and accredited C3PAOs are responsible for conducting CMMC assessments of contractors' unclassified networks and issuing the appropriate CMMC certificates based on the results. Under CMMC 2.0, C3PAO assessments apply to Level 2; Level 1 is verified by an annual self-assessment, and Level 3 assessments are led by the government (DoD's Defense Industrial Base Cybersecurity Assessment Center, DIBCAC). The process of obtaining certification is likely to be lengthy, at least until the Cyber AB accredits more C3PAOs. Currently there are a limited number of accredited C3PAOs to assess more than 300,000 organizations in the defense supply chain. How this shortfall will be addressed is being worked out by the Cyber AB, so stay tuned.
To prepare, contractors should familiarize themselves with the CMMC 2.0 requirements, starting at Level 1 and working upward. Do not think of CMMC 2.0 as a one-time check: to maintain compliance, contractors will need to treat cybersecurity as part of their operational function going forward.
Once granted, a CMMC certification is valid for three years. Keep in mind that compliance is not security, but compliance is a way to document what you have done to secure your environment. Without documentation, security can deteriorate rapidly when key personnel leave, and complacency can set in. Documentation provides the evidence and artifacts that demonstrate a practice is in place; a document that clearly defines role-based access, for example, is the kind of policy a contractor must have for Level 2 certification.
What Is the Cybersecurity Maturity Model Certification’s Goal?
CMMC's goal is to reduce the risk that defense contractors are compromised and sensitive defense information falls into the hands of U.S. adversaries. The White House Council of Economic Advisers estimated in 2018 that malicious cyber activity cost the U.S. economy between $57 billion and $109 billion in 2016.
“The aggregate loss of Controlled Unclassified Information (CUI) from the defense sector increases the risk to national economic security and in turn, national security,” the DOD CIO says on its website. “In order to reduce this risk, the Department has continued to work with the defense community to enhance its protection of CUI in its unclassified networks.”
To counter these threats, DoD developed CMMC, which is designed to be a unifying standard for the implementation of cybersecurity across the defense supply chain.
Prior to CMMC, contractors protected CUI by following NIST SP 800-171, as required by DFARS clause 252.204-7012. Compliance with that standard was essentially self-attested. Defense contractors whose DoD contracts included DFARS clauses 252.204-7019 and 252.204-7020 were required to conduct a self-assessment against NIST SP 800-171 and register the resulting "summary level score" in the Supplier Performance Risk System (SPRS).
A summary level score, commonly called the "SPRS score" (pronounced "spurs"), is the result of a NIST SP 800-171 DoD Assessment performed in accordance with the NIST SP 800-171 DoD Assessment Methodology, Version 1.2. The score starts at 110 and deducts 1, 3 or 5 points for each unimplemented requirement, weighted by the requirement's impact, so a score can be negative (the floor is -203). It thus tracks a contractor's progress toward implementing the full set of NIST SP 800-171 requirements. When submitted to SPRS, the score provides DoD with "a strategic assessment of a contractor's implementation of NIST SP 800-171, a requirement for compliance with DFARS clause 252.204-7012."
CMMC 2.0 formalizes this process and makes verification of cybersecurity controls a priority. Recent cyber-attacks have raised awareness of the urgency of protecting intellectual property and sensitive data. With the rollout of CMMC 2.0, Level 1 remains an annual self-assessment, but contractors handling CUI on contracts involving critical national security information will be required to obtain an independent assessment by a C3PAO, with government-led assessments at Level 3. This is a significant shift in how compliance is determined and can be characterized as "trust but verify".
What is the status of DoD’s rollout of the CMMC certification requirement?
The overall CMMC program is undergoing a Pentagon review focused on addressing small business concerns about compliance costs and restoring trust in the compliance process. Jesse Salazar, deputy assistant secretary of defense for industrial policy, who was appointed by President Joe Biden and assumed oversight of CMMC, said the review is helping refine an implementation plan for CMMC with three broad goals. Salazar said during the Professional Services Council’s Federal Acquisition Conference, “I recognize that small businesses are under immense market pressures.”
While there may be more revisions in the works based on the outcome of the Pentagon review, the program remains incredibly consequential for the DoD and the wider government contracting community. So, it’s worth exploring what CMMC is, the different levels of the CMMC, and how contractors can achieve and maintain certification.
Eventually, all DoD contractors in the defense industrial base (DIB) will be subject to a CMMC assessment of their compliance with the security practices defined for their level: self-assessment at Level 1, third-party assessment for most of Level 2 and government-led assessment at Level 3. All DoD contractors will need to affirm that they have achieved the level their contracts require. The CMMC Accreditation Body, now called "The Cyber AB", is a nonprofit entity separate from DoD. It consists of security professionals whom the Pentagon has tasked with training and accrediting CMMC Third-Party Assessment Organizations (C3PAOs), which assess contractors' cybersecurity posture and issue certifications.