An Explainer on the DOD’s Cybersecurity Maturity Model Certification (CMMC)

The Rise of Cybersecurity Attacks and the DOD’s Response

Because of the rise of cybersecurity attacks, especially against defense contractors and their subcontractors, the Department of Defense (DoD) has determined that a graded model defining maturity in the safeguarding and protection of Controlled Unclassified Information (CUI) should be established for all of its contracts. That model is the Cybersecurity Maturity Model (CMMC).

This model is based on two well-established framework publications: 1) the Federal Acquisition Regulation (FAR) Clause 52.204-21, which establishes basic safeguarding requirements for Federal Contract Information (FCI), and 2) the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, which provides the standards for securing CUI.

The Reason for the DOD’s CMMC Program

In an effort to confirm that defense contractors are consistently practicing good cybersecurity hygiene and properly protecting sensitive information, the U.S. Department of Defense (DoD) has announced that it will establish a Cybersecurity Maturity Model Certification, or CMMC, model and assess all current and prospective contractors in the defense industrial base (DIB), more than 350,000 in total, against the CMMC model as soon as September 2020. As of now, this is a gradual, possibly phased, rollout of the requirement to allow time for the development of the CMMC model itself, certification of assessors, and credentialing of third-party assessment organizations (termed C3PAOs).

CMMC program progress to-date

In January 2020, an accreditation board (CMMC-AB) was established to manage training, credentialing, certification, and assessments for all DIB contractors. In March 2020, version 1.02 of the CMMC model was released to the public. While still in its relatively formative stages, several developments have emerged in recent weeks, giving the industry some guidance and setting expectations for what is to come. This blog article will provide an overview of these developments.

As of today, the CMMC is not yet formally released, nor have any C3PAOs been credentialed, and no certified assessors have yet been trained. There was some early confusion on this point, with a few unscrupulous parties attempting to claim that they were, in fact, official assessors. This led to several statements released by both the CMMC-AB and the DoD clarifying that the framework was not yet ratified, and no organizations or individuals were yet qualified to assess or certify contractors.

That is all quickly changing. In the last two weeks, the CMMC-AB has released several ‘national conversations’ covering in greater detail some of the requirements for certification, accreditation, training, and how the model is to be rolled out in the coming months.

An Overview of the Cybersecurity Maturity Model

In v1.02 of the CMMC model, five (5) levels of accreditation available to contractors have been defined. It has a similar structure to the Capability Maturity Model Integration (CMMI), which has been used for years to measure an organization’s process maturity. If you are familiar with this model, then the basic structure of CMMC will make a great deal of sense.

The CMMC model is broken into 17 domains, defined primarily by the Federal Information Processing Standards (FIPS) Publication 200 and NIST 800-171. For each domain, five levels of maturity are defined (see Figure 1).

How CMMC Scoring is Done

There are a few things to keep in mind regarding the CMMC model. First, each level of maturity is based on an organization’s ability to meet both the ‘processes’ (left side) and ‘practices’ (right side) of the figure above. These maturity levels are considered cumulative. In order to reach Level 3 maturity, any contractor would have to demonstrate adherence to the model at Level 1, Level 2, and Level 3, for both processes and practices. As an example, if an organization were to demonstrate Level 3 maturity for processes, but only Level 2 maturity for practices, that organization would be accredited at Level 2.

The CMMC-AB believes that the majority of all contractors will certify Level 1, meaning that 17 practices need to be certified (which map to all of the safeguards required by FAR Clause 52.204-21, along with two additional requirements in NIST 800-171). This means that most DoD contractors will seek only to establish maturity in the following practices.

(Note: the CMMC model states, “Level 1 requires that an organization performs the specified practices. Because the organization may only be able to perform these practices in an ad-hoc manner and may or may not rely on documentation, process maturity is not accessed for Level 1”):

Let’s Walk Through the 17 Domains of CMMC Level 1:

1. Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).

2. Limit information system access to the types of transactions and functions that authorized users are permitted to execute.

3. Verify and control/limit connections to and use of external information systems.

4. Control information posted or processed on publicly accessible information systems.

5. Identify information system users, processes acting on behalf of users, or devices.

6. Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.

7. Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.

8. Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.

9. Escort visitors and monitor visitor activity.

10. Maintain audit logs of physical access.

11. Control and manage physical access devices.

12. Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.

13. Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.

14. Identify, report, and correct information and information system flaws in a timely manner.

15. Provide protection from malicious code at appropriate locations within organizational information systems.

16. Update malicious code protection mechanisms when new releases are available.

17. Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.

Easy, right? In fact, there’s a pretty good chance that as a DoD contractor, you are already performing many, if not all, of these things. The curve starts to steepen from here. Level 3 requires adherence to 130 practices and getting to Level 5 requires adherence to a whopping 171 practices. The question then becomes, “Do I need to certify, and at what level?”

Do We Need to Get CMMC Certified and At What Level?

The answer to this first question is straightforward. If you are, or intend to become, a DoD contractor, you must be assessed and certified at Level 1 or above. The second question, “What CMMC level do we need to pursue?” is a little more complicated. It depends quite a bit on what type of information your organization is handling. If the information you handle falls under FCI, then Level 1 is almost definitely sufficient. If the information you currently handle (or intend to handle) falls into the definition of CUI, then you will likely need to pursue a Level 2 (more likely, Level 3) or higher certification.

Here’s a Breakdown of Each CMMC Level:

• Level 1: Safeguard Federal Contract Information (FCI)
• Level 2: Serve as transition step in cybersecurity maturity progression to protect CUI
• Level 3: Protect Controlled Unclassified Information (CUI)
• Levels 4-5: Protect CUI and reduce risk of Advanced Persistent Threats (APTs)

Keep in mind, this model is still essentially theoretical. No firm requirements or guidance has yet been fully adopted or ratified by the DoD. But the current model can act as an extremely helpful guideline in preparing for certification once all requirements have been fully approved and implemented.

Certified CMMC Assessors

I will start this section with a very important reminder: there are currently exactly zero—zilch, nil, nada—certified assessors in the world for CMMC. Until the certification process is approved and implemented, anyone trying to sell the idea that they can get you CMMC assessed is not on the level. That privilege/responsibility is controlled 100% by the CMMC-AB ; and a memorandum of understanding (MOU) was signed with the DoD on March 25, 2020.

With that disclaimer out of the way…how do you get certified as an assessor?

Again, in just the last couple of weeks, the CMMC-AB has released additional detail around the certification process. The training and certification program will be rolled out in two phases. There will be an initial, provisional phase, which will allow the CMMC-AB to train a pilot group of 60 assessors. This group will be handpicked from a pool of highly experienced security professionals from across the industry. The training itself will be delivered entirely online. This pilot group will serve as the first assessors, allowing the CMMC-AB to ramp up assessments per the DoD timeline, while also providing the board with invaluable feedback to ramp up a more sustained training and certification program later in the year. The exact timeline for the pilot group has not been established, but it is expected in Q2 of 2020. Once the pilot group has been trained and certified, the CMMC-AB will immediately turn its attention to releasing the broader program (estimated to include more than 10,000 certified CMMC assessors).

Certification Levels for CMMC Assessors

Today, there is a planned hierarchical certification scheme for assessors, beginning with a foundational certification known as CMMC-AB Certified Professional (CP). Once this foundational level is achieved, a prospective assessor will need to move on to the next level(s) of certification, namely Certified Assessor Maturity Level 1 (CA1), then Certified Assessor Maturity Level 3 (CA3), and ultimately Certified Assessor Maturity Level 5 (CA5). Each level of certification will require that the assessor reach the previous level, i.e., for CA5, an assessor would need to achieve the CP, CA1, and CA3 certifications before attempting the CA5 certification. Exact experience and educational requirements are still being worked out, but it is expected that some combination of professional experience, formal education, and likely professional certification such as CompTIA Security+, ISACA CISM, or (ISC)² CISSP will be required to sit for CMMC certification training.

Recertification is expected to be required only when the CMMC framework undergoes a major revision. For example, when the model is updated from v1.02 to v1.3, no recertification will be necessary; however, if the model is updated from v1.02 to v2.0, all assessors will need to re-certify at their current level. There is no need to recertify at all levels, only at the highest level achieved by the assessor. There will also be a continuing education requirement for assessors which has yet to be detailed by the CMMC-AB.

The CMMC Assessment Verification Process

The CMMC program was born out of a need to more thoroughly verify the cybersecurity processes and practices of all potential contractor organizations. Until now, this verification has come through self-assessment by individual contractors. As CMMC is rolled out, each contractor, along with its subcontractor(s) and/or tertiary supplier(s), will need to request a CMMC assessment at the level required by the RFP issued by the DoD. Once the provisional program is in place, new RFPs issued will include a maturity level requirement under the CMMC, and all contractors and subcontractors will need to meet that minimum level in order to be awarded the contract. All assessments will be conducted by certified assessors (CA1-CA5) and in order to be validated, a Certified Quality Assessor (CQA) will review the assessment for accuracy and completeness.

Unsurprisingly, CMMC Level 1 will be the most common maturity level required and attained, and this level only requires that 17 practices be assessed. No process maturity assessment other than the fact that the practices are being performed will be required for this level. From there, each additional maturity level will require a significant increase in the number of practices assessed, and each additional level will require more related process controls to be verified.

Program timing, reassessment requirements, and issues such as mediation of disputed assessment results have not been fully released by the CMMC-AB, but these and other details are expected in the coming weeks and months.

There has been some speculation that the CMMC maturity model may expand beyond the DoD in the coming years, as it is modeled heavily after well-established and trusted cybersecurity frameworks and publications. This means that there is the possibility—perhaps even likelihood—that other federal contractors will need to achieve some level of assessed cybersecurity maturity within this model as time goes on.

Continue Educating Yourself

The CMMC is here. Not even a global pandemic has stopped progress toward the official release of this new model and requirement set forth by the DoD. If you currently work, or plan to work, within the DIB and contract with them, it is vitally important that you begin to educate yourself on this model and begin preparations to be assessed. Once the provisional period ends, the market will open to all contractors, and as there are an estimated 350,000, the demand for assessments will be understandably high. This means that assessors will be in short supply, most likely, at the outset, and without careful planning and readiness, some contractors may be left unqualified to bid on upcoming work. Keep your eyes peeled for important updates surrounding CMMC.