The Cybersecurity Maturity Model Certification (CMMC) is a US Department of Defense (DoD) certification framework that aims to protect sensitive information handled by Defense Industrial Base (DIB) contractors by establishing a set of cybersecurity standards and best practices to follow.

DIB partners often handle critical DoD information and other government data to operate, which typically has various levels of sensitivity and classification. CMMC helps ensure that these third-party contractors secure this data in the same manner that other federal agencies do.

CMMC enforces cybersecurity for these vital DIB partners and provides clear guidelines regarding the security requirements for any programs or systems that involve controlled unclassified information (CUI).


Core Features of CMMC and CMMC 2.0

Toward the end of 2020, an interim rule to the DFARS (Defense Federal Acquisition Regulation Supplement) was made, outlining the basic features of the CMMC framework.

In early 2021, the DoD reviewed CMMC requirements and implementation on the strength of around 850 public comments about CMMC cybersecurity requirements and DoD contractors safeguarding sensitive data.

The existing CMMC framework was reassessed, and the revamped proposition for CMMC 2.0 was published in November 2021. Both CMMC frameworks have a number of focal points that make the program effective at achieving its cybersecurity goals for the defense industry.

Tiered Certification Levels

Rather than being a binary system in which companies either can or cannot work with the Department of Defense according to their security postures, CMMC 2.0 is a tiered program, which means that companies can attain different levels of CMMC certification and thus handle specific information types and data with varying degrees of sensitivity for the DoD.

For example, a company processing highly sensitive data will require a high-level CMMC certification, whereas a low level of CMMC certification is likely to suffice for a firm with minimal access to sensitive data.

CMMC Readiness Assessment

CMMC 2.0 includes obligatory assessments to ensure that entities working with the DoD adhere to the necessary security standards and maintain or improve them over time.

Implemented via DoD Contracts

To win or maintain a contract with the DoD, firms must achieve specific CMMC levels. Existing DoD partners must ensure CMMC compliance to renew their contracts and not lose out to competitors with appropriate cybersecurity maturity levels.

Primary Goals of CMMC 2.0

Following the DoD’s internal review of its CMMC framework, it released its notional, updated program to address the following needs and goals:

  • To protect sensitive information
  • To enable and protect those involved in war efforts
  • To ensure public trust by maintaining professional conduct and clear ethical standards
  • To facilitate sharing defense information and collaboration through developing a cybersecurity culture and promoting cyber resilience
  • To make it easier for companies to achieve CMMC compliance without weakening cybersecurity
  • To ensure accountability for firms attaining or seeking DoD contracts
  • To adapt the DoD’s cybersecurity requirements as necessary according to the evolving cyber threat landscape

How Does CMMC 2.0 Differ from CMMC 1.0?

The key changes between CMMC 1.0 and CMMC 2.0 are that the new proposition aims to streamline the certification process, provide more accountability, and effect more flexible implementation. CMMC 2.0 focuses on the most critical cybersecurity standards that will impact information security for defense contractors working with the DoD.

Reduced Number of Compliance Levels

Whereas the CMMC 1.0 model had five levels of CMMC certification according to the type and sensitivity of information handled by the DoD contractor, the new CMMC program would have only three levels of certification.

The proposed certification program also reduces costs by allowing companies seeking the lowest level of certification and some of those attaining the mid-range level of certification to do so via self-assessments and self-attestations rather than having to pay for a certified third-party assessor.

Increased Alignment with NIST Standards

By aligning the new certification levels with the existing National Institute of Standards and Technology (NIST) standards, the requirements are clearer, and DoD contractors should be able to understand and attain them more quickly.

Beyond reducing the number of compliance levels, CMMC 2.0 aligns Levels 2 and 3 specifically with NIST SP 800-171 and SP 800-172, each level with its own requirements for compliance and certification and the accepted practices needed to achieve it.

Adding Waivers to CMMC Requirements

Additionally, under CMMC 2.0, the government can waive the inclusion of some CMMC requirements, depending on the circumstances. However, waivers can only be approved by senior DoD personnel and only under certain circumstances, such as a mission-critical contract that is extremely time-sensitive. All waiver applications are reviewed on a case-by-case basis and are strictly time-limited.

Acceptance of Plans of Action & Milestones (POA&M)

Under CMMC 1.0, organizations had to meet every requirement of each corresponding certification level to be awarded a particular contract. If those organizations didn’t meet every requirement, they could not bid for the government contract.

However, under CMMC 2.0, organizations can develop Plans of Action & Milestones (POA&M) to outline how they intend to implement those requirements in the future and still be able to bid for the contracts. One stipulation is that those organizations must have achieved a baseline score requirement to be eligible for a POA&M. The goal of this change was to allow for more flexibility for organizations to make necessary moves to meet CMMC compliance.

Changes to the Self-Assessment Process

When the CMMC was first introduced, all contractors were required to complete a third-party assessment to ensure that they were meeting all the security control requirements. However, because the costs were the same for all five levels of CMMC 1.0 certification, it put more burden on the contractors in the lower certification tiers.

CMMC 2.0 updated this requirement to allow Level 1 contractors to perform their annual self-assessment since Level 1 contractors did not handle any CUI. However, Levels 2 and 3 are required to obtain a third-party assessment, with contracts handling “critical national security information” needing a triennial third-party assessment.

CMMC 2.0 Certification Levels

There are three main certification levels under CMMC 2.0:

CMMC 2.0 Level 1 (Foundational)

To achieve the most basic level of the proposed CMMC 2.0 certification, firms are required to adhere to 15 cybersecurity requirements, two fewer than in the original certification. Firms aiming to achieve and maintain this level of certification can do so via an annual self-assessment and affirmation.

CMMC 2.0 Level 2 (Advanced)

Achieving the second level of CMMC certification necessitates adhering to 110 cybersecurity requirements, which align with NIST SP 800-171.

Assessment is required three times a year by a certified third-party assessment organization (C3PAO) authorized by the Pentagon’s CMMC Accreditation Body (once CMMC-AB, now known as Cyber AB). As well as using a third-party assessor, annual affirmation is also required.

For some programs, however, DoD contractors with Level 2 CMMC 2.0 certification will require triennial self-assessment and annual affirmation.

CMMC 2.0 Level 3 (Expert)

Attaining the highest level of CMMC 2.0 certification — required for the firms working on high-priority programs and that must thus have a reduced risk from Advanced Persistent Threats (APTs) — necessitates more than 110 cybersecurity practices based on NIST 800-171 and NIST 800-172.

The assessment for this level of certification is triennial and government-led. Annual affirmation is also required.

Achieving CMMC Certification

CMMC 2.0 is currently mapped across three levels, each with practices and cybersecurity controls aligning with NIST SP 800-171 and SP 800-172.

Here are some of the most common cybersecurity best practices that can help DoD subcontractors secure their contracts with DoD and their networks against the growing threat from cyber attacks and data breaches.

Basic Cybersecurity Hygiene

Following guidelines from the NIST cybersecurity framework can be considered an example of implementing basic cyber hygiene. Such practices improve a firm’s security posture and defense against data breaches, phishing, ransomware, malware, data leaks, and exposure through healthy daily practices.

In an increasingly connected business ecosystem, it’s more important than ever for every entity and employee to do their part to maintain cyber hygiene. Cybersecurity best practices can also reduce the risks posed by third-party service providers and help organizations fare better against emerging threats.

Humans play a part in the vast majority of data leaks and breaches, such as through security misconfigurations, falling for a phishing scam, or failing to enact proper physical security practices.

Since human error is involved in many data exposures and breaches, maintaining basic cyber hygiene helps organizations counter cyber threats without over-reliance on cybersecurity teams and technological solutions.

Identification and Authentication

The need for identification in cybersecurity refers to users, of course, but also processes and devices. A system is required to authenticate that these users, processes, and devices are genuine and have appropriate access to an organization’s information system.

Identifiers might be usernames, unique device numbers, or network addresses, and are often expressed as alphanumeric strings.

An identification system is necessary to protect a network from unknown or malicious entities. It also allows each identified element to be tracked and monitored continuously to stop malicious actions and suspicious behavior or to identify the causes of problems, such as exposures and data leaks.

Authentication can be achieved through passwords, badges, or encryption keys. Multi-factor authentication dramatically boosts system security by requiring two or more proofs of identity.

Strong authentication also requires privileged access management, which involves keeping track of who has access to what data and revoking that access as necessary, such as when an employee leaves the organization or transfers to another department.

At CMMC 2.0 Level 1, two practices involve identification and authentication; at CMMC 2.0 Level 2 there are nine.

Strong Password Implementation

Far from being dead, strong passwords remain a cybersecurity staple. Like many cybersecurity practices, password considerations overlap with other areas of protecting information systems.

While passwords are a part of authentication, they deserve a section of their own. Implementing strong passwords is an efficient and effective way for small businesses and enterprise-level organizations to improve their security postures. Combined with multi-factor authentication, strong passwords make life significantly more difficult for potential hackers, cybercriminals, or malicious insiders.

Strong passwords defend against attackers who try to guess a password using a brute force attack, in which a computer runs through different combinations of characters until it stumbles across the correct password, or a “dictionary attack,” in which the computer tests real words and common phrases as the password.

A part of good cyber hygiene is to ensure that passwords are not reused for multiple sites or accounts, especially where financial or particularly sensitive information is involved.

Passwords should also be changed regularly. If a password is compromised due to a third-party data breach or supply chain attack, hackers have this password for life and can try it repeatedly against multiple accounts to see if they can gain access.

Once a hacker has access to an account, they don’t necessarily make it obvious. Sometimes, an account can be compromised for years without detection, posing a massive threat to data confidentiality and integrity.
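To make the brute-force and dictionary points concrete, the following example (added here, not from the original article) does two things a password system should do: reject candidate passwords that are just a dictionary word dressed up with common character substitutions or a numeric suffix, and store passwords with a salted, memory-hard hash so that a leaked credential database cannot be cracked cheaply. The word list, substitution table and minimum length are constructed for the example; a real deployment would use a large wordlist or a breached-credential feed and set policy from its own requirements.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import re

# Constructed stand-in for a real dictionary / breached-password corpus (assumption).
COMMON_WORDS = {"password", "welcome", "letmein", "dragon", "summer", "qwerty", "defense", "contractor"}

# Substitutions that every dictionary-attack tool tries anyway, so they add no real strength.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})

MIN_LENGTH = 14          # example policy value
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1   # ~16 MiB per hash; tune upward as hardware allows


def normalize(pw: str) -> str:
    """Reduce a password to the dictionary word an attacker would have started from."""
    core = pw.lower().strip()
    core = re.sub(r"[^a-z]+$", "", core)     # drop trailing digits/symbols: "Summer2024!" -> "summer"
    core = core.translate(LEET)              # undo substitutions: "p@ssw0rd" -> "password"
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", core)


def check_password(pw: str) -> list[str]:
    """Return the list of policy problems; an empty list means the password is acceptable."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if normalize(pw) in COMMON_WORDS:
        problems.append("built from a dictionary word")
    if len(set(pw)) < 4:
        problems.append("too few distinct characters")
    return problems


def hash_password(pw: str, salt: bytes | None = None) -> str:
    """Salted scrypt hash in a self-describing string so parameters can be raised later."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.scrypt(pw.encode("utf-8"), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${dk.hex()}"


def verify_password(pw: str, stored: str) -> bool:
    """Recompute with the stored parameters and compare in constant time."""
    algo, n, r, p, salt_hex, dk_hex = stored.split("$")
    if algo != "scrypt":
        return False
    dk = hashlib.scrypt(pw.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                        n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    for candidate in ["P@ssw0rd1", "Summer2024!", "password1234567890", "correct-horse-battery-staple"]:
        print(f"{candidate!r}: {check_password(candidate) or 'ok'}")
    record = hash_password("correct-horse-battery-staple")
    print(record)
    print(verify_password("correct-horse-battery-staple", record), verify_password("guess", record))
```

Note that "password1234567890" passes the length rule and still fails: length alone is not strength when the attacker's wordlist already contains the base word and the tool appends digits for free. The stored record carries its own scrypt parameters, so they can be increased for new hashes without invalidating old ones.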

Access Control

Access control manages the access of users or devices to resources according to the organization’s permissions and rules. Limiting access to data to only those allowed to access it reduces the attack surface and makes monitoring easier. Access control, as a part of privileged access management, determines who has access to data and what they can do with it.

In the event of a data breach, an organization with an access control policy may be able to home in on the source of the breach, reducing the time and cost of remediating the data breach and exposure.

Access control also covers how long a user session may remain idle before it times out automatically, how many incorrect login attempts are permitted before action is taken, and encryption of CUI on portable devices.
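An added example (not from the original article) of the two mechanical controls just mentioned: an account that locks after too many failed logins, and a session that expires after a period of inactivity. Every decision is written to an audit list so the same component supports the monitoring side of access control. The clock is injectable so the behaviour can be exercised without waiting; the threshold and timeout values are assumptions, and the credential check itself (password, MFA) is assumed to happen elsewhere and to be passed in as a boolean.

```python
from __future__ import annotations

import secrets
import time
from dataclasses import dataclass

# Policy values are assumptions for this example; a real deployment sets them from its own policy.
MAX_FAILED_LOGINS = 5
LOCKOUT_SECONDS = 15 * 60
IDLE_TIMEOUT_SECONDS = 10 * 60


@dataclass
class AccountState:
    failed: int = 0            # consecutive failures since the last success or lockout
    locked_until: float = 0.0  # clock value before which all logins are refused


@dataclass
class Session:
    user: str
    last_activity: float


class FakeClock:
    """Controllable clock so lockout and idle timeout can be exercised deterministically."""

    def __init__(self, start: float = 1_000.0):
        self.now = start

    def advance(self, seconds: float) -> None:
        self.now += seconds

    def __call__(self) -> float:
        return self.now


class AccessGate:
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.accounts: dict[str, AccountState] = {}
        self.sessions: dict[str, Session] = {}
        self.audit: list[str] = []   # one line per decision, for review and investigation

    def _log(self, event: str, **fields) -> None:
        extra = " ".join(f"{k}={v}" for k, v in fields.items())
        self.audit.append(f"t={self.clock():.0f} {event} {extra}".rstrip())

    def attempt_login(self, user: str, credential_ok: bool) -> tuple[str, str | None]:
        """Return ("ok", session_id), ("denied", None) or ("locked", None)."""
        acct = self.accounts.setdefault(user, AccountState())
        now = self.clock()
        if now < acct.locked_until:
            self._log("LOCKED", user=user)   # a correct credential is still refused while locked
            return "locked", None
        if not credential_ok:
            acct.failed += 1
            self._log("FAIL", user=user, count=acct.failed)
            if acct.failed >= MAX_FAILED_LOGINS:
                acct.locked_until = now + LOCKOUT_SECONDS
                acct.failed = 0
                self._log("LOCKOUT", user=user, seconds=LOCKOUT_SECONDS)
                return "locked", None
            return "denied", None
        acct.failed = 0
        sid = secrets.token_urlsafe(32)   # unguessable session identifier
        self.sessions[sid] = Session(user, now)
        self._log("LOGIN", user=user)
        return "ok", sid

    def check_session(self, sid: str) -> str | None:
        """Return the session's user and refresh its activity time; None if unknown or idle too long."""
        sess = self.sessions.get(sid)
        if sess is None:
            return None
        now = self.clock()
        if now - sess.last_activity > IDLE_TIMEOUT_SECONDS:
            del self.sessions[sid]
            self._log("SESSION_EXPIRED", user=sess.user)
            return None
        sess.last_activity = now
        return sess.user


if __name__ == "__main__":
    clock = FakeClock()
    gate = AccessGate(clock=clock)
    for _ in range(MAX_FAILED_LOGINS):
        gate.attempt_login("alice", False)
    print(gate.attempt_login("alice", True))          # ('locked', None): right password, still locked
    clock.advance(LOCKOUT_SECONDS + 1)
    status, sid = gate.attempt_login("alice", True)   # ('ok', '<session id>')
    clock.advance(IDLE_TIMEOUT_SECONDS + 1)
    print(status, gate.check_session(sid))            # ok None: session expired while idle
    print("\n".join(gate.audit))
```

Two points worth noticing: a correct credential presented during the lockout is still refused (otherwise an attacker who guessed right on the sixth try would get in), and every refusal leaves an audit line, which is the raw material for the monitoring the section describes.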

Media Protection

DoD contractors need to know exactly what CUI and/or FCI they store, process, and transmit. Furthermore, they must know what physical and digital media are used to achieve this.

To protect media containing sensitive information, DoD partners can maintain up-to-date records, inventorying the firm’s media and its use. A monitoring system will be helpful to keep track of who used what media, when, and why.

Keeping media secure by locking it in a room or cabinet is an excellent physical method for securing CUI. If removable media is to be transported to another location, it’s important to consider locking the media inside secure containers, encrypting the device or devices, and keeping track of all transportation details.

Physical Protection

Improving an organization’s physical protection can improve its security posture and help it attain the required level of CMMC certification.

Implementing physical protection is often overlooked in favor of digital cybersecurity systems. However, it can be very effective for large or small businesses, remediating and mitigating some notable risks to CUI.

Physical protection limits physical access to high-security environments, equipment, and systems containing sensitive information, admitting only those with authorization. This kind of solution might manifest as a system of smart cards or staff and visitor badges, programmed with varying levels of authorization, as appropriate, and managed continually as part of a privileged access management system.

CCTV to track people entering, leaving, and moving through the building or sensitive areas can also be effective and may help an organization achieve a higher level of CMMC certification. Guards and/or physical obstructions will also enhance security levels.

Furthermore, visitors should be logged, with those logs reviewed regularly. Depending on the organization’s information security and privacy policy, contractors and part-time employees may be given additional physical access privileges compared to irregular visitors.

Incident Response Planning

An incident response plan needs to outline the exact steps to carry out in the event of a cyber attack. Each plan needs to identify an incident response team along with the contact details of key stakeholders and decision-makers. In addition, there should ideally be separate incident response plans for each potential threat so everyone knows how to respond in each situation.

With an incident response plan, an organization can respond according to the requirements of the Department of Defense. They can contact the appropriate entities, inform the relevant stakeholders, and expedite the threat identification, containment, and remediation process.

To maintain CMMC certification, a DoD contractor must keep its incident response plan and contingency planning current, in line with organizational changes - such as changes in staff, department structure, or use of technology - and changes in the cyber threat landscape.

CMMC certification is about helping DoD contractors deal with known threats and improving the cyber hygiene of all organizations handling CUI and FCI and making the defense infrastructure more robust to adapt to emerging threats.
