What is the CMMC (Cybersecurity Maturity Model Certification)?
The CMMC programme, updated to CMMC 2.0 in November 2021, is a cyber security standard designed to improve the cyber security readiness of businesses that work with the US DoD (Department of Defense). CMMC 2.0 is expected to be completed by March 2023, while an initial draft rule is not expected until at least July 2023.
Who does the CMMC apply to?
The CMMC was developed for all government contractors and their suppliers with cyber security clause DFARS (Defense Federal Acquisition Regulation Supplement) 252.204-7012 in their contract. It is expected that all DoD contracts will have the mandatory clause by May 2023. It applies to both primary contractors and subcontractors, which will have until the US 2026 financial year to demonstrate CMMC compliance.
DFARS 252.204-7021 requires that “The Contractor shall have a current (i.e. not older than 3 years) CMMC certificate at the CMMC level required by this contract and maintain the CMMC certificate at the required level for the duration of the contract.”
Why has the CMMC been introduced?
The CMMC was developed to help the DoD assess cyber security readiness when seeking suppliers and subcontractors. Its objective is to standardise cyber security controls and ensure that risk-based and effective measures appropriate to the contractor are in place to protect FCI (Federal Contract Information) and CUI (Controlled Unclassified Information) on contractor systems and networks. The CMMC was also developed to ensure accountability for adoption of controls.
Why do we need the CMMC if we already have DFARS?
The DFARS and the FAR (Federal Acquisition Regulation) are administered by the DoD. The DFARS is a regulation that implements and supplements the FAR; it contains requirements of law, DoD-wide policies, delegations of FAR authorities, deviations from FAR requirements, and policies and procedures that have a significant effect on the public. The DFARS should be read in conjunction with the primary set of rules in the FAR.
The CMMC will be a regulation forming part of the DFARS. It was introduced in response to the slow adoption rate of the cyber security sections of the DFARS, false compliance claims and wide-ranging non-compliance among contractors, and is intended to function as a verification mechanism for the DFARS requirements.
How does the CMMC differ from NIST SP 800-171?
NIST SP (Special Publication) 800-171 outlines recommendations on protecting CUI, which DoD contractors must meet through the SPRS (Supplier Performance Risk System) process.
The CMMC, on the other hand, is a multi-tiered model for protecting FCI as well as CUI. This model has three tiers, of which the middle tier (Level 2) is aligned with NIST SP 800-171. The CMMC is also intended to better enforce the NIST SP 800-171 standard.
How can ISO 27001 and ISO 27002 support CMMC compliance?
ISO 27001, the international standard for information security management, contains a list of good-practice information security controls, and ISO 27002 offers guidance on selecting and implementing them. Many of those controls overlap with the ones required for CMMC Level 2.
As ISO 27001 is also a certifiable standard, organisations that have achieved ISO 27001 certification can offer additional assurance that they are keeping their information secure. Implementing ISO 27001 also puts organisations well on their way to complying with the first two levels of the CMMC.
What levels of certification are there for the CMMC?
CMMC 2.0 has three levels:
- Level 1 (Foundational): 15 practices.
- Level 2 (Advanced): 110 practices aligned with NIST SP 800-171.
- Level 3 (Expert): 110+ practices based on NIST SP 800-171 and NIST SP 800-172.
The levels also differ in how they are assessed, with Level 1 requiring annual self-assessment and affirmation; Level 2 either triennial self-assessment or triennial third-party assessment; and Level 3 triennial government-led assessment.
How do you prepare for a CMMC audit?
The first step is to identify what requirements you must meet, which should be stated in the contract between the prime contractor and the DoD, or the contract between your entity and the prime contractor. From there, it’s often useful to conduct a gap analysis (or arrange for one to be conducted) against those requirements, and use any identified gaps to plan your remediation actions.
Where you have other security requirements you must meet, such as ISO 27001 or NIST SP 800-171, we recommend the same approach: start with a gap analysis, which then informs your action plan.
The Office of the Under Secretary of Defense for Acquisition & Sustainment maintains a CMMC FAQ, which provides updates on the certification process.