Preparing for CMMC: A FAQ on the Cybersecurity Maturity Model Certification

Eric Seward January 14, 2021

    As the U.S. Department of Defense prepares to introduce the Cybersecurity Maturity Model Certification (CMMC), contractors and subcontractors must get ready to implement – and become certified against – the new framework. Some of the details are still being finalized – such as what level of certification each organization will need to achieve – but there are several steps that organizations can take to prepare themselves for the upcoming roll-out of the CMMC.

    Below are some of the most frequently asked questions surrounding CMMC, as covered in our webinar: Everything You Need to Know About the Cybersecurity Maturity Model Certification. If you’d like to view the entire presentation on demand, you can access the recording here.

    What is CMMC?

    The Cybersecurity Maturity Model Certification is a security framework that is aiming to replace the National Institute of Standards and Technology (NIST) special publication 800-171 when it comes to federal RFPs and RFIs. CMMC is very similar to NIST 800-171, in that they both outline requirements, practices, and processes. However, unlike NIST 800-171, CMMC does not allow for self-attestation. Organizations will need to be audited by an independent third party to be certified at a specific level; this is required to continue doing business with the DoD.

    In order to comply with CMMC, organizations will need to produce a System Security Plan (SSP). This means going through each requirement individually; assessing IT systems; documenting policies and procedures; and making changes as necessary.

    Most cybersecurity and compliance assessments are built around a specific type of data (such as PII or PHI).

    What type of information does CMMC ask organizations to protect?

    CMMC focuses on CUI, or controlled unclassified information. This can be any data that the government wants you to protect – from a blueprint to a shipping address.

    Currently, what is considered CUI is a bit of a gray area; the DoD is still defining the parameters. However, it can come down to one simple question: is there a DFARS clause on your contract? If so, the DoD has deemed the data sensitive enough that specific measures need to be taken to keep it safe.

    The first step that organizations can take is to scope out their CUI and determine where the data is stored. This will determine which systems need to be included in a CMMC assessment.

    In some cases, it may be possible to split up a network and ensure that sensitive information is only stored in certain locations; organizations can then assess only a particular portion of their environment. That can make the process more manageable. However, CUI may touch every aspect of what an organization is doing – going from their computer networks to their production floor. In these cases, the entire environment may be in scope.

    How can you prove to the DoD that you’re appropriately protecting CUI, and are the requirements different between CMMC and NIST 800-171?

    With NIST 800-171, organizations are required to produce a System Security Plan outlining how they plan to comply with applicable requirements, as well as a Plan of Action for deficiencies. With NIST 800-171, the DoD knew that most contractors would have gaps; most companies have not implemented every single security control when they start their compliance journey. Companies were permitted to create Plans of Action to remain compliant as long as they were taking steps to implement each requirement.

    Under CMMC, Plans of Action are no longer permitted. When it comes time for a formal assessment, organizations need to be 100 percent implemented.

    What if you currently comply with DFARS?

    If you are 100 percent implemented with DFARS, you’re most of the way through CMMC.

    110 DFARS requirements map directly to the practices of CMMC level 3. There are 20 additional practices under CMMC, but organizations that already comply with DFARS have a head start with CMMC. They will, however, still need to complete an independent audit to become CMMC certified at the appropriate level.

    And what about other certifications, such as HITRUST?

    The industry is pushing for reciprocity. Many organizations are recommending a model where previous compliance efforts – such as HITRUST certification – can demonstrate that a contractor or subcontractor has gone above and beyond what is required of CMMC. However, it remains to be seen what the final process will look like.

    How do NIST 800-171 families compare to CMMC subsets and requirements?

    Under NIST 800-171, families are large subsets of requirements. There are 14 families, inside of which are individual controls. These are actual requirements and line items that organizations must follow to be compliant.

    CMMC is different in that it adds a layer: large groupings, smaller groupings within them, and then individual requirements. It has 17 capability domains, which are equivalent to the families of NIST 800-171. Those are “big picture” items, such as access control; within those domains are capabilities. From there, CMMC capabilities are further broken down into the actual requirements (practices) that organizations are required to respond to.

    What are processes under CMMC?

    Processes are a new aspect of the CMMC, and are designed to measure an organization’s maturity level, or the extent to which processes are ingrained in an organization’s activities. The more deeply ingrained they are, the more likely the organization is to keep performing the activity, and to perform it consistently, repeatably, and at high quality. This concept is the heart of the model: the DoD wants to see that organizations are adopting the framework and continually improving their security posture, rather than just implementing minimum requirements from a checklist.

    What are the different levels of CMMC certification?

    The Cybersecurity Maturity Model Certification has five levels.

    Level 1 is the most basic. It includes 17 requirements, most of which can be met with basic cyber hygiene. Any organization that receives a federal contract will need to certify – at minimum – at Level 1.

    Level 2 is a bit more in depth, and generally considered a “bridge” level to get organizations from Level 1 to Level 3, which is expected to be the most common level once the program is fully rolled out.

    Level 3 is the planned equivalent of NIST 800-171. This has 130 practices, 110 of which come directly from NIST. Most contractors that receive CUI will need to certify at this level.

    Levels 4 and 5 are the most stringent, but these are set apart for a small subset of DoD contractors. This will primarily cover the largest enterprises that handle the most sensitive data.

    Could certain organizations be certified at multiple levels?

    Absolutely. This is because CMMC certifications are not issued at the organizational level; they are issued at the system level.

    Large enterprises may have multiple divisions or departments, each one running on a different system. In these cases, they would need to certify each individual location and system. However, this offers much-needed flexibility. The divisions that handle the most sensitive CUI can obtain the higher levels of certification, while other divisions may qualify for a lower level, which will require fewer resources and come at a lower cost.

    What about organizations that don’t handle CUI?

    Even if an organization does not receive or process CUI, being in possession of FCI (federal contract information) will require – at minimum – Level 1 certification. However, the final definition of CUI is expected to be broad; many organizations may find that they do handle CUI once the framework is finalized.

    What does the CMMC assessment process look like?

    CMMC does not allow for self-assessments. Instead, certification is overseen by the CMMC Accreditation Body (AB).

    Two types of organizations are expected to be involved in the certification process:

    • Independent assessors, who will deliver assessments against a defined set of best practices and controls
    • CMMC Third Party Assessment Organizations (C3PAOs), who will issue the formal certification upon completion of an assessment

    Organizations that are seeking certification will need to work with an independent assessor, as well as a C3PAO. Their assessor will formally conduct the audit, then send the information to the C3PAO, who will perform a quality assurance check. The C3PAO will pass the documentation to the AB, who will perform their own quality assurance check, and – if all requirements are met – instruct the C3PAO to issue the certification. This is fairly similar to the process for FedRAMP.

    Can C3PAOs provide advisory services, and vice versa?

    A C3PAO cannot provide advisory services to a company it is planning to certify. To ensure the proper level of due diligence, auditors cannot audit their own work. C3PAOs can still provide advisory services in general, but a contractor or sub-contractor that uses one C3PAO for advisory work would need to find a second C3PAO to issue its certification.

    Do advisory service providers have to be C3PAO certified?

    No. Organizations providing CMMC advisory services and gap assessments do not have to be certified C3PAOs. However, it is important to choose an assessor that is specifically trained in federal cybersecurity and compliance standards to oversee gap assessments and remediation. There are many items that will need to be interpreted; from a quality standpoint, it’s crucial to work with an organization that can reliably explain the requirements of the framework.

    Will there be a concept of continuous compliance?

    It’s likely that organizations will need to re-certify after their original assessment. Since maturity is a core component, the Accreditation Body will want to confirm that organizations are both compliant and improving. They will want to see what an organization has done since it was originally certified; it’s likely that they will ask for evidence of updates. For instance, they may ask for an organization’s current SSP as well as its previous one, then compare the two to ensure that things aren’t exactly the same several years later. They will likely be looking for a living, breathing document.

    There’s also the possibility that each level will have its own re-certification requirements, with higher levels requiring more frequent re-assessments.

    What should contractors and sub-contractors be doing now to get certified once the program goes live?

    The first step is learning about the requirements. While many things are still under discussion, version 1.02 is published and publicly accessible; organizations can familiarize themselves with the current expectations and prepare for next steps.

    From there, organizations should evaluate their current programs through the lens of CMMC. If they have already implemented NIST 800-171, for instance, they can map the requirements to determine which ones have already been covered.

    The third step is remediation. Organizations should implement additional controls based on the level of certification they expect to need. To the fullest extent possible, all loose ends should be addressed prior to the assessment, with controls thoroughly documented in an up-to-date SSP.

    Once the CMMC has gone live, organizations should contact the Accreditation Body, an independent assessor, or a C3PAO. From there, they can formally scope their assessment, choose the appropriate level of certification, and move forward with next steps.

    Connect with an Independent CMMC Assessor

    At 360 Advanced, we are working with the relevant governing bodies to become an authorized CMMC assessor. We can guide you through the gap assessment and remediation process, leveraging extensive experience in the federal compliance space to help you meet the relevant requirements.