About a year ago, we started hearing about new requirements for organizations doing business with the United States Federal Government, particularly with the Department of Defense (DoD). In the interest of protecting sensitive information, the government began developing and introducing the Cybersecurity Maturity Model Certification, or CMMC. While the goals and framework of CMMC have much in common with other standards such as HIPAA/HITECH and PCI DSS, CMMC adjusts the usual approach in ways that are meaningful and worth discussing.
I want to outline some key pieces of information you should know about CMMC so that you can meet and maintain strong cybersecurity controls that satisfy the powers that be.
Below are a few frequently asked questions that we hear about CMMC from our clients.
"Why did the CMMC get created in the first place?"
The simple answer is that, as stated earlier, the government has a strong interest in preventing breaches of Controlled Unclassified Information, or CUI. CUI is defined broadly, and several types of data can qualify: it may be national defense or critical infrastructure information, but it can also be proprietary business information or financial information. This breadth lets the government apply the CMMC framework to many kinds of vendors that work with the DoD, from technology companies that build specialized products for national defense to logistics companies that simply hold business information that should remain private and protected.
Before CMMC, it was not as if the government had no rules or requirements for protecting the information that private companies hold. What CMMC adds is structure, levels, and adaptability: the vendors the government works with have different vulnerabilities and risks, and the framework scales its requirements accordingly. At the time of writing, the Department of Defense had published an interim rule outlining expectations for assessments, the CMMC Levels required for compliance, how CMMC will affect contract awards, and many other implementation details.
"Does my organization need to be compliant?"
There are two main groups that need to comply with CMMC. The first is direct contractors to the Department of Defense. If you are doing business with the DoD, chances are you hold some kind of sensitive information that the government cares about protecting. As noted above, that information may be fairly minor in nature, such as contract terms, yet still relevant to CMMC, or it may be far larger or more sensitive. The second is subcontractors in those contractors' supply chains that handle the same information, since the requirement flows down through the contract. The federal government determines your CMMC Level based on the contract and the data the contractor keeps.
Unless you are very large or doing extremely sensitive work with the government, you will most likely fall somewhere in the CMMC Level 1 through 3 range, based on the estimates the Department of Defense has provided. Going forward, contracts with the federal government should state what level of compliance vendors must meet as a condition of winning the contract.
"What will I need to do to achieve CMMC compliance?"
This depends on the level of compliance, and the answer will differ for each organization. At the risk of oversimplifying, CMMC mandates that contractors adopt some or all of the controls in NIST SP 800-171 (a framework that will continue to evolve over time). The number of controls to implement varies with the level assigned. A CMMC Level 1 contractor needs basic cyber-hygiene controls, most of which should not be difficult for any organization to achieve: keeping hardware and software on supported versions, running anti-malware/anti-virus, maintaining firewalls, and other basic controls that are not particularly expensive. At the other end of the spectrum, from Level 3 onward, contractors must implement the full NIST SP 800-171 control set, which includes more sophisticated items such as encryption of sensitive data at rest, as well as specific practices like audit log management and monitoring.
Not all of these controls are technical tools or security products. Many concern employee background checks, security awareness training, configuration standardization, acceptable-use policies, and so on. So you will need not only good IT support and leadership, but also strong operations management to implement the broader controls and maintain compliance.
"How do I assess and certify my organization for CMMC compliance?"
First off, whether you need to achieve CMMC compliance or not, regular assessments against a security framework and risk management standard are smart business. The difference between a secure, compliant environment for sensitive data and one at serious risk is a matter of attentiveness and maintenance, and the same applies to CMMC. Organizations that have practiced strong IT management and discipline over the past several years will find that meeting CMMC may not be as challenging as they expected, despite the depth of the guidelines.
If you are completely new to CMMC and to compliance management in general, our advice is to start with a general IT roadmap. Do an honest assessment with your IT staff or service provider of where your technology is doing well and where it is lacking. Achieving CMMC compliance will be impossible if you have out-of-date hardware or software, or if IT maintenance has been minimal in the past. So, before entering formal certification processes and audits, tackle the "low-hanging fruit" of system hardening and management.
It is also worth considering the risk/reward of CMMC compliance. Achieving CMMC Level 3 for a contract will certainly make your environment more secure, but it comes at a cost. If the contract value plus the return on risk management does not justify that cost, you may want to think about not pursuing that specific contract.
But assuming you understand the need for compliance for your business, and have a well-maintained system that you believe is on track for the assigned CMMC level, you will want to seek out an assessor who can perform a serious evaluation against the standard. At the time of this writing, the DoD had not yet credentialed any organizations to act as CMMC Third Party Assessment Organizations (C3PAOs); going forward, however, there will likely be many accredited organizations able to evaluate your environment and certify it for CMMC compliance.
The expectation is that over time you will work with a C3PAO for regular review and certification of your CMMC compliance. As CMMC becomes more established, the DoD has made clear that contractors seeking government work will need to meet the CMMC level specified in the contract at the time of award. For now, most organizations can either self-assess or work with a company specializing in compliance assessments to get up to speed and identify gaps in their compliance level, but formal certification will become the standard as CMMC rolls out over the next few years.
As mentioned earlier in this post, the first step in addressing CMMC is to step back and look at what you have in place, in technology as well as in your processes and policies. This is an important discipline regardless of your goals, but for those who need to achieve CMMC compliance it now takes on a greater purpose.
If you would like to talk with us about how your business needs to adapt to these evolving standards, please don’t hesitate to reach out and we will be glad to have a discussion about what it means for you and the way you work.