In January 2020, before our normal routines and work days were impacted by the global pandemic, the Department of Defense (DoD) launched Version 1.0 of the newest compliance acronym, CMMC. The Cybersecurity Maturity Model Certification is modeled after multiple industry-recognized frameworks to create a single, unified cybersecurity standard for companies within the defense industrial base (DIB).
Before CMMC was created, contractors were responsible for assessing the cybersecurity of their own environments. This self-certification model entrusted companies to follow the requirements described in NIST Special Publication 800-171. However, it never required contractors to provide evidence that the requirements were met. This unfortunately allowed companies with security gaps to continue to provide products and services to the DoD. Consequently, it led to breaches, disruptions and theft of intellectual property in the defense supply chain.
How CMMC is different from previous cybersecurity certification practices
The major differentiator between the previous practice of self-certification with NIST and the imminent adoption of CMMC is that a company must be audited by a certified third-party assessment organization (C3PAO) or an accredited individual assessor to achieve compliance. Current information states that certification will be valid for three years. Therefore, this will alleviate the need for an annual certification process and associated costs.
CMMC uses maturity levels to fairly certify defense contractors of all sizes
CMMC was designed to be applicable for defense contractors of all sizes. Therein lies both the most confusing aspect and the biggest strength of the framework. Let’s revisit the one-size-fits-all framework idea that applied to the previous NIST-based self-certification model. How is it fair that a small machine shop and a massive manufacturing facility both had to meet the same compliance requirements and obtain the same certification for performing vastly different services for the DoD?
The CMMC aims to address this problem through what it refers to as maturity levels. CMMC incorporates cybersecurity controls from several frameworks – NIST, ISO, DFARS and FedRAMP. The beauty of the standard is that it organizes all those cyber practices and processes into five maturity levels. These range from basic cyber hygiene to advanced security operations. DoD contracts will indicate the required level of certification based upon the sensitivity of the information and the security required to protect it.
CMMC controls lay the groundwork for a successful cybersecurity foundation
The controls within the five levels are expertly curated from the different control frameworks and lay the groundwork for a successful cybersecurity foundation starting at Level 1. They also promote the organic growth of a security posture and add layers of strength with each level. In other words, the model successfully empowers organizations to determine their requirements to reliably safeguard sensitive information without breaking the bank or hindering the productivity of the business. So all that’s left is to determine what level will be required on your contracts and where you are in the process of getting certified.
CMMC Framework phased rollout has begun
DoD recently issued an interim rule, Assessing Contractor Implementation of Cybersecurity Requirements, which went into effect on November 30, 2020 to implement:
- The NIST SP 800-171 DoD Assessment Methodology
- The Cybersecurity Maturity Model Certification (CMMC) Framework
So, as of November 30, 2020, contractors and subcontractors subject to Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 are required to document the results of their NIST 800-171 self-assessment within the Supplier Performance Risk System (SPRS), and the phased rollout of the CMMC framework has begun.
How ADNET can help
ADNET has experience advising organizations within the defense industrial base (DIB) that fall under CMMC compliance regulations. ADNET’s experienced cybersecurity experts can review your situation and help you prepare for CMMC certification. Reach out to us for more information!