CMMC Compliance

NIST Compliance and Cybersecurity Maturity Model Certification, known as NIST CMMC for short, is a new standard from the Department of Defense (DOD) that was started in January 2020. Before NIST CMMC became relevant organizations followed other NIST standards. These older NIST compliance standards now have some loopholes and weaknesses. As a result, a high percentage of companies still experiencing losses or theft of intellectual property, etc.

On the other hand, NIST CMMC compliance requires third-party validation. Ensuring the proper policies, procedures, and safeguards are there to become compliant and win contracts with the DoD.

The biggest difference between NIST 800-171 and CMMC is who determines your compliance. With NIST 800-171 it is a self attestation (within organization), yes it does work…but not as well as a third-party validation (external) which is required to achieve CMMC compliance. Furthermore, this ensures the verification and audit processes remain unbiased during evaluation and that everything was evaluated by a certified industry professional. To elaborate, the third-party assessor is similar to a lawyer making sure your case to the judge is “clear as day” based on evidence and that you did everything you could to prevent the “incident” from occurring.

CMMC encompasses certain sections of the NIST standards but does not address Non Federal Organization Controls (NFO) required by NIST 800-171. Above all, NIST is not completely outdated and unused. If it is implemented already it can be supplemented with CMMC Compliance. The main reasons being it is a requirement, it will improve security and reduce losses due to security incidents, and it can help you safely secure your Intellectual Property (IP) from theft.

CMMC was implemented due to the scarcely low adoption rate of NIST 800-171. CMMC can help you set the stage for complying with security standards in accordance to the company’s needs. Also as briefly mentioned earlier it can improve security policies, procedures, standards, and protect your company’s Intellectual Property (IP).

In the DOD, entities and contractors vary from international contractors to national workers. Besides the DOD, contractors compose other federal agencies. As a contractor, jobs permit manufacturing and maintenance of government equipment and systems. With this in mind, contractors work with defense related products. These include weapons and vehicles used for military operations. In a nutshell, this diversity is complex and spans in different sectors. Companies who must abide by the CMMC requirement must be compliant in order to bid on any government contracts available to contractors in the Defense Industrial Base (DIB).

CMMC version 1.0 includes 5 levels and each has a different number of controls but grows in size and scope with each level. This can start to becoming a challenge quickly if you are not experienced with these controls prior and you will end up wasting lots of time and effort. The best way to be prepared for a CMMC Compliance Assessment or Pre-Assessment is to get your documents in order. Make sure they are updated and accounted for because good documentation is half the challenge. Below the levels of CMMC compliance are listed with how many controls are in each level.

CMMC compliance provides various levels of security checks. Different system checks and parameters depend on organizations needs and openness. Given these points, each level has a given amount of practices.

Level 1: Basic Cyber Hygiene – CMMC Level one focuses on the foundation of NIST CMMC and must be completed by any DoD contractor that works within the defense Industrial Base (DIB). It was modeled after  48 CFR 52.204-21 and It addresses things such as implementing the proper cyber practices including security training and antivirus software. In addition, it ensures Federal Contract Information (FCI) is protected but there is no process maturity requirement for level one.

Level 2: Intermediate Cyber Hygiene – Level two is geared towards the protection of Controlled Unclassified Information (CUI). It is required that organizations keep a record of certain “intermediate cyber hygiene” practices. The level has much overlap with NIST 800-171 r2 controls and makes it simple to be CMMC Level two compliant if there is proof of compliance with the framework.

Level 3: Good Cyber Hygiene – Level three further extends the requirements of Level two that focus on the protection of CUI. This level is comprised of 47 security controls that must be properly documented. Also if the company is subject to DFARS compliance those regulations are still is in effect.

Level 4: Proactive: Level four of the CMMC introduces the requirement for organizations to be proactive in defending against advanced persistent threats (ATPs*). CMMC guidelines state, level four is intended to be the minimum level for prime contractors working with CUI. It replicates some of the requirements of DFARs, whilst also putting these into a framework in which they can be worked towards. Level 4 CMMC maturity indicates review and review documentation informs upper management of issues requiring remediation.

*APT –  not your basic threat, has a sophisticated levels of expertise and resources that allow it to create opportunities to achieve its objectives by using multiple attack vectors and seems to be common form of cyber espionage.

Level 5: Advanced/Progressive – the final level of the CMMC and defines those organizations that are Advanced/Progressive/State-of-the-Art in cybersecurity. The CMMC defines 30 extra security controls – over level four – that need to be put in place in order to achieve level five. Whether level five will become the standard for DoD contractors is unclear. Process level maturity at this most advanced level indicates the company that has been DoD CMMC certified ensures processes have been standardized and implemented uniformly across their entire company.

In order to get started, you must baseline where you currently stand in the process. We call this the CMMC “Pre-Assessment”. The System Security Plan (SSP) and (POA&M) must be reviewed before starting the CMMC Assessment. CMMC requires organizations to be trained, have an accreditation license, and sometimes get a background check. The two most popular services we offer are documented below.