The new Cybersecurity Maturity Model Certification (CMMC) framework was presented in January of 2020. It details tiers of cybersecurity best practices in which all 300,000 members of the Defense Industrial Base (DIB) will need to be certified. As of the writing of this article, the CMMC Accreditation Body (CMMC-AB) is still finalizing the criteria for certifying the auditors who will certify these members. While instructions regarding next steps and auditing are still unreleased, there is still much that can be done now in preparation.
What is the CMMC?
For a full, detailed briefing on what the CMMC certification is and what each level entails, we recommend connecting with the Department of Defense via the CMMC website. At the time of this article, the current version is 1.02. The good news is that the briefing is only a 15-page presentation. The bad news is that the entire document, with appendices covering v1.02 of the standard, is only 336 pages.
For those of us that don’t have the time or energy to read all 300+ pages of the document, below is a brief rundown of what CMMC entails:
The CMMC framework consists of 171 maturity processes and cybersecurity best practices from multiple cybersecurity standards, frameworks, and other references—including input from the DIB and Department of Defense (DoD) stakeholders. It consists of five different levels of security, ranging from basic cyber hygiene to advanced or progressive protection of Controlled Unclassified Information (CUI).
While NIST 800‐171/DFARS was self‐certifying, CMMC is not. Receiving a certification level will require a third party to audit your cybersecurity framework and submit the audit to the Accreditation Body (CMMC-AB) for review. Once reviewed, the approved CMMC level will be stored in a publicly searchable database.
Each subsequent level builds upon the previous tier’s required processes and practices. Where level one only requires you to adhere to 17 practices, level five requires all 171 practices. The majority of the practices are found within the current NIST 800‐171/DFARS standard.
Starting in June of 2020, all RFIs will contain a required CMMC level; companies that do not possess the required level will not be eligible to bid on the contract.
Who needs to be concerned with CMMC?
CMMC standard compliance will be required of all members of the DIB and any suppliers to the DoD and military, regardless of whether you handle CUI. However, the DoD has carved out a very small exception for suppliers that exclusively provide Commercial Off The Shelf (COTS) products. These are products that are not altered in any way for government use, such as produce or gasoline. Suppliers that exclusively provide COTS products will not need to concern themselves with being compliant with CMMC standards. However, the DoD is quick to point out that companies and suppliers should not assume that they (or their subcontractors) are exempt. For now, it is best to stick to the adage “Better to have and not need, than need and not have.”
What Can We Do Now?
At the current time, the DoD and the CMMC-AB have not yet released the training and documentation needed to become a Certified 3rd Party Assessment Organization (C3PAO). Because of this, NO ONE is able to assist with an audit yet. However, there is still a lot that can be done prior to the official rollout of the audit process. The vast majority of the CMMC practices and processes were taken from the NIST 800‐171/DFARS standard.
If you can confidently prove that you are adhering to NIST 800‐171, along with any additional practices, you stand a better chance of passing an audit and getting the certification you want. If you can get a Level 3 certification and your competition cannot, you have access to bid on new contracts that they don’t.
While you can self‐certify using the NIST self‐certification handbook, having a second set of eyes review your framework will ensure you don’t gloss over or misinterpret any practices. Likewise, should any practices be missing, a proper cybersecurity partner can assist you in filling those gaps with the proper tools, policies, and procedures.
How Can Summit Help?
At Summit, we are at the forefront of assisting companies preparing for the CMMC audit by completing NIST 800‐171/DFARS gap analyses. As a pending C3PAO, we can review your cybersecurity framework against the current NIST 800‐171 standard and the current draft of the additional controls required to be considered for Level 3 CMMC accreditation. In addition, should we find any potential gaps, we can work with your company to complete the necessary System Security Plan (SSP) and Plan of Action and Milestones (POA&M) remediation plan, and assist in remediating any gaps within your cybersecurity framework to better align you with the CMMC standard.
Contact our Cyber Security Division to discuss the process and any questions you might have.