If you work with the Department of Defense in any form, you’ve probably heard the term Cybersecurity Maturity Model Certification (CMMC) mentioned. But what is the CMMC, and how can you meet its standards?
The CMMC is the Department of Defense’s (DoD) response to recent supply chain attacks and cyber attacks in general. Previously, those that worked with the DoD were responsible for their own cybersecurity. Now, the CMMC adds a third-party assessment of an organization’s cybersecurity, along with a framework to adhere to. All DoD contractors will eventually need to be CMMC certified – no matter where you are along the supply chain. The DoD wants to know that you are following proper cybersecurity procedures.
The regulations have five levels that represent various stages of cybersecurity maturity. Each builds upon the previous level.
In the first level of CMMC, your organization must perform basic cybersecurity practices, such as using antivirus software or ensuring employees change passwords regularly to protect Federal Contract Information (FCI). FCI is “information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government.” It does not include public information or certain transactional information.
Level 2 requires your organization to document your cybersecurity practices to begin to protect any Controlled Unclassified Information (CUI). CUI is “any information that law, regulation, or government-wide policy requires to have safeguarding or disseminating controls,” but does not include certain classified information. It includes requirements from NIST SP 800-171.
Documenting your practices is essentially what it sounds like – the DoD wants to see that you have recorded what you do to protect your organization. For example – how often is your data backed up? What are your password requirements for users?
At level 3, your organization must have a management plan for cybersecurity to safeguard CUI, including all the NIST 800-171 requirements as well as additional standards. This includes goals for your cybersecurity, required training, stakeholder involvement, and resourcing.
The management plan builds on the documentation in level 2 – once you have certain procedures, how will you implement them consistently and company-wide? For example, what will be the procedure for training new end users on social awareness, and how will you continue to educate current employees as well?
At level 4, your organization is required to have a review process to measure the effectiveness of your cybersecurity strategy. Additionally, you should have plans for corrective action when effectiveness falls short. Also added at level 4 is protecting your organization from advanced persistent threats (APTs). An APT is defined as an adversary that possesses sophisticated levels of expertise and significant resources that allow it to create opportunities to achieve its objectives by using multiple attack vectors.
At level 5, your organization must standardize and optimize processes company-wide, and add enhanced practices that provide more capability to detect and respond to APTs. Managed Detection and Response solutions can be useful in this case.
How to Prepare Your Organization for CMMC Certification
Your organization should become thoroughly familiar with CMMC requirements, and then assess your cybersecurity posture in relation to CMMC. Gather all of the information you can, understand which practices already follow proper procedure, and identify areas for improvement. Consider working with an outside vendor that understands CMMC regulations to help assess your current level and create a security roadmap for progressing your controls in the future.
Your organization should also continue to monitor updates from the Cybersecurity Maturity Model Office.
It is important to note that CMMC is only a starting point for cybersecurity. Beyond being CMMC certified, it’s imperative that your organization stays up to date on the cyber landscape and adapts as needed. Promoting a culture of cybersecurity awareness within your organization is a vital step as well.