Guide To The CMMC Standard And Certification
The Cybersecurity Maturity Model Certification (CMMC) lays a framework to implement cybersecurity policies and practices for organizations throughout the Defense Industrial Base (DIB).
By the fiscal year 2026, all new defense contracts will contain CMMC certification requirements. By then, nearly every vendor in the national defense supply chain will need to become CMMC certified. For many contractors, especially small businesses, becoming CMMC-compliant could mean a complete overhaul of their cybersecurity programs.
The new cybersecurity standards are slated to transform the industry. Yet, 58% of contractors aren't familiar with the initiative. So, NQA created this guide to CMMC, with all the requirements explained straightforwardly, to help your organization get up to speed and prepare for this change.
Overview Of CMMC
In 2016, the U.S. economy lost between $57 billion and $109 billion due to malicious cyber activity. The loss of Controlled Unclassified Information (CUI) from the Defense Industrial Base poses a risk to national security. So, as cybercrime continues to evolve, the U.S. Department of Defense (DOD) has developed new measures to increase security across the defense supply chain: the CMMC standards.
CMMC means "Cybersecurity Maturity Model Certification." It's a new set of standards from the DOD to enhance the cybersecurity capabilities of defense contractors in the DIB. The CMMC standards will become part of the Defense Federal Acquisition Regulation Supplement (DFARS) and will be a requirement for contract awards. The basic purpose of requiring CMMC certification is to protect CUI and ensure all defense contractors have basic cyber hygiene measures in place.
The DOD released version 1.0 of the CMMC standards on January 31, 2020. While there's no certification process in place yet, organizations can now begin to review their cybersecurity processes and improve their capabilities to align them with these standards. If you are a prime contractor, you can also begin preparing your supply chain to develop programs to meet the standards.
While the CMMC standards offer many improvements, defense contractors have always been responsible for implementing cybersecurity measures. The 110 security requirements included in the National Institute of Standards and Technology (NIST) SP 800-171 Rev 1 are also part of the CMMC Levels 1-3 certification requirements. The new standards also incorporate practices and procedures from other sources, including:
- CERT Resilience Management Model (CERT RMM) v1.2
- CIS Controls v7.1
- Draft NIST SP 800-171B
- FAR Clause 52.204-21
- NIST Framework for Improving Critical Infrastructure Cybersecurity (CSF) v1.1
- NIST SP 800-53 Rev 4
The CMMC certification standards unify these standards into one universal framework for defense contracts.
The new standards introduce the need for third-party assessments to certify CMMC compliance with mandatory procedures, capabilities and practices. The standards also introduce a five-level certification model. Each level increases the number of cybersecurity practices and policies an organization must use. The DOD Requests For Information (RFIs) and Requests For Proposals (RFPs) will specify the required level of certification. By unifying and improving upon the standards already in place, the CMMC will make contractors and subcontractors more agile and able to prevent and respond to evolving cybersecurity threats.
Industries CMMC Certification Applies To
Who should be certified to CMMC? The short answer is anyone in the defense contract supply chain. The DOD estimates the roll-out of CMMC standards will affect 300,000 companies. Most contracts will require a certification between Level 1 and Level 3 to qualify for government contracts.
The CMMC standards will apply to DOD contractors that deal with CUI. The categories of information the Executive branch protects include:
- Critical Infrastructure
- Export Control
- International Agreements
- Law Enforcement
- Natural and Cultural Resources
- Procurement and Acquisition
- Proprietary Business Information
Even if a DIB company doesn't have or make CUI, if it has Federal Contract Information (FCI), it must meet FAR Clause 52.204-21 and be certified at a minimum of CMMC Level 1.
The certification requirements apply to suppliers at all tiers along the supply chain. So, a subcontractor for a DOD contract will also need a CMMC certification. Subcontractors won't necessarily need certifications at the same level as the prime contract. Instead, the level will depend on the type and nature of information flowed down from the prime contract. The only exception to CMMC certification requirements within the DIB sector is for companies that solely produce Commercial-Off-The-Shelf (COTS) products.
Those in the DIB, such as aerospace manufacturing, will need CMMC certification. Any subcontractor at any tier in the supply chain will need at least a Level 1 Certification to be included in DOD subcontracts. So, any software or service providers, such as logistics, IT or communications companies that contribute to the DOD supply chain, are likely to be subject to the new CMMC standards.
Only about 1% of DIB companies have implemented all 110 NIST practices. Since many of the NIST requirements lay the framework for the CMMC requirements, this presents a major preparedness gap for the many contractors who will need to meet CMMC requirements.
What Are The Requirements?
The requirements for CMMC certification will depend on the level of certification required. Each level adds to the requirements from the levels beneath it. So, a Level 2 certification includes all the Level 1 requirements, and a Level 5 certification requires an organization to meet the requirements for Levels 1-4. Across the five levels, the certification requirements include:
- 43 capabilities spanning 17 capability domains
- Five processes to measure process maturity
- 171 practices to measure technical capacity
The 17 capability domains are:
- Access Control (AC)
- Incident Response (IR)
- Risk Management (RM)
- Asset Management (AM)
- Maintenance (MA)
- Security Assessment (CA)
- Awareness and Training (AT)
- Media Protection (MP)
- Situational Awareness (SA)
- Audit and Accountability (AU)
- Personnel Security (PS)
- System and Communications Protection (SC)
- Configuration Management (CM)
- Physical Protection (PE)
- System and Information Integrity (SI)
- Identification and Authentication (IA)
- Recovery (RE)
If you are a prime contractor, you must flow down any CMMC level requirements into any subcontracts as the DOD requires. The level of certification will be specified in your contract, depending on the information you share with subcontractors.
The level of certification required for a particular contract will be specified in the RFIs and RFPs from the DOD. As you evaluate which practices you already have in place and which you can afford to implement, it makes sense to aim for the highest certification feasible for your business. The higher your CMMC level, the more DOD contracts you'll be able to bid on. You can find a detailed description of the process and practice requirements for each level from the DOD.
Level 1
The minimum CMMC certification level requires basic cyber hygiene and only requires that processes are performed. The 17 practice requirements are equivalent to the 15 practices in Federal Acquisition Regulation (FAR) 48 CFR 52.204-21. They are also equivalent to 17 practices drawn from NIST SP 800-171 Rev 1. The practices include items such as using antivirus software and sanitizing or destroying any media containing FCI before disposal or reuse. If an organization is already required to protect FCI, it should have all the practices in place to meet CMMC Level 1.
Since these standards are already in place for federal contractors, a business aiming for Level 1 certification will usually only need to receive certification from a third-party assessor organization. Evaluators will check that an organization performs the 17 practices and will not require documented information on processes or assess process maturity.
Level 2
The second level of CMMC requires intermediate cyber hygiene and requires documented information on all CMMC practices and policies. Documented information is a key step to achieving Level 2 process maturity. Evaluators will also require the organization to have a policy that encompasses all activities.
Level 2 adds 55 new practices to the 17 required at Level 1 for a total of 72 practices. The practices deal with the protection of CUI and include a subset of 48 of the practices listed in NIST SP 800-171 Rev 1. There are also seven additional practices meant to support intermediate-level cyber hygiene. These practices include policies about levels of privilege for account access, having a plan for incident responses and other mid-level cyber hygiene measures.
Level 3
A Level 3 certification requires good cyber hygiene practices. Besides documenting practices and policies, an organization must maintain and resource a plan that encompasses all activities. A Level 3 certification indicates that an organization has achieved a process maturity designation of "Managed."
There are a total of 130 practices at the third level, including all the practices from NIST SP 800-171 Rev 1 and 20 other practices to foster good cyber hygiene. At this level, an organization must adopt practices including testing its incident response capabilities and marking all media with CUI indicators and distribution limitations.
Since a Level 3 certification incorporates all the procedures necessary to safeguard CUI, an organization that regularly deals with CUI will benefit the most from earning at least a Level 3 certification.
Level 4
The second-highest certification level incorporates proactive practices to enhance detection and response capabilities. At this level, an organization becomes better equipped to respond to cybersecurity incidents and can prevent them from occurring. This level also requires that an organization regularly reviews and measures its practices for effectiveness and compliance with standards, with the results of the review shared with higher-level management.
The 156 practices in Level 4 incorporate those in Levels 1-3 plus 11 practices from the Draft NIST SP 800-171B and 15 other practices. Some of the practices required in Level 4 include practical exercises and training to teach employees to respond to current threat scenarios and using a security operations center with 24/7 response capabilities. When certified at Level 4, an organization must have practices in place to detect and address changing tactics, techniques and procedures (TTPs) used by Advanced Persistent Threats (APTs).
Level 5
At Level 5, an organization can boast "Advanced/Progressive" cybersecurity practices and a process maturity status of "Optimizing." In this highest certification level, a company has a standardized, documented approach to process optimization that spans the entire organization.
Level 5 certification introduces 15 new practices, for a total of 171. It adds four more practices from the Draft NIST SP 800-171B and 11 more practices that contribute to an advanced cybersecurity program. The practices introduced at Level 5 enhance the level of protection for CUI and generally create more sophisticated cybersecurity systems.
Benefits Of CMMC Certification
The CMMC standards will soon become a necessity throughout the DIB supply chain. The DOD predicts they will begin requiring some companies to meet CMMC standards for new contracts by the end of September 2020. While this is causing many businesses to scramble to get their policies up to par, it can also become a competitive advantage. Here are some of the benefits you can gain by earning a CMMC certification:
Compete for DOD contracts: In fiscal year 2017, the DOD spent 63% of the $507 billion encompassing the federal government's contractual obligations. There are high rewards in defense contracting, and it goes beyond manufacturing. Any business that provides software or services within the defense sector has money at stake in federal contracts. With CMMC certification soon to become mandatory for all government contracts, getting certified allows you to compete for these in-demand contracts.
Unify cybersecurity management systems: The CMMC draws from several sets of cybersecurity standards. All these standards, when combined, will create a truly unified and integrated security system. No matter which standards your business already adheres to, you can make your cybersecurity more robust when you improve it to meet these combined standards.
Respond to cyberthreats more quickly: At Levels 4 and 5, an organization can detect threats and respond to them swiftly. Whether you work exclusively for the federal government or also for other industries, you'll benefit from that increased security all around. Keep government intelligence, your own proprietary knowledge and customer data alike as secure as it needs to be.
Leverage cybersecurity as a competitive advantage: The higher your certification level, the more government contracts you are eligible for. More than that, having a certification higher than the minimum requirement may give you an advantage over other bidders. Also, remember that whether or not your business has been CMMC-certified will be public knowledge. If you also work for the private sector, you can advertise CMMC certification status to customers concerned with data breaches.
Get certified cost-effectively: The DOD aims to prevent CMMC certification from being cost-prohibitive or overly burdensome to implement. The lower levels of certification will be cost-effective and achievable even for small businesses. Moreover, the cost of CMMC certification will be an allowable, reimbursable expense. So, you can effectively subsidize your organization's cybersecurity improvements if you get certified as per the terms of a DOD contract.
Stay ahead of the curve: Every federal agency must safeguard against data breaches and protect crucial information from getting into the wrong hands. While the initial roll-out of the CMMC standards will only apply to DOD contracts, other federal agencies may someday adopt these standards as best practices for data hygiene and cybersecurity. As cyberthreats continue to evolve, CMMC may soon become a requirement on any federal contract. If your organization already has these practices in place, you can stay ahead of the market.
Let NQA Help You Achieve CMMC Certification
While the DOD and the CMMC Accreditation Body (AB) haven't yet established the methodology for third-party certification, you can still prepare your organization to meet these rigorous standards. What makes the CMMC different is its focus on implementation. While certification will last three years, an organization has to uphold its cybersecurity policies and practices and continue to improve them.
As an accredited third-party certification body for standards across many industries, NQA offers a comprehensive service to help you gain CMMC certification. We can analyze your current cybersecurity infrastructure, identify areas to improve and optimize your policies to allow you to gain the highest certification level feasible for your organization. After working with your organization, we can outline the costs of earning and maintaining certification so you can make an informed decision on whether to pursue a CMMC certification.
When the DOD finalizes the CMMC assessment process, our technical experts can help you keep up with these developments. As the three-to-five-year CMMC roll-out continues, NQA is committed to offering up-to-date resources and information for the DIB supply chain.
Contact us to get started and learn more about how the CMMC standards will affect your organization.