Achieving Cybersecurity Maturity Model Certification (CMMC) for US Department of Defense Contractors
On January 31, 2020, the Office of the Under Secretary of Defense for Acquisition and Sustainment in the United States Department of Defense (DoD) released v1.0 of the Cybersecurity Maturity Model Certification (CMMC). Developed to serve as a single cybersecurity standard for all DoD acquisitions, CMMC requires that each of the more than 300,000 DoD contractors become CMMC certified beginning in October 2020, with a five-year phase-in and renewals every three years after that.
CMMC requires companies to achieve third-party certification against cybersecurity and information handling best practices, with that certification eventually determining whether a company can be awarded a contract by the DoD. Meant to help small businesses demonstrate cybersecurity protections more easily and cost-effectively, CMMC aims to ensure that our entire national defense supply chain is secure and resilient.
This blog discusses the levels of CMMC certification available to DoD contractors, how certification content was developed, processes for certification, how contractors can achieve Level 1 certification in particular, and how certified auditors can use the Prevalent Third-Party Risk Management Platform to facilitate the assessment process.
CMMC Certification Levels
There are five levels of CMMC certification ranging from Level 1 (lowest, Basic Cyber Hygiene) to Level 5 (highest, Advanced/Progressive) with increasing requirements and costs for each level. See the graphic below for an explanation of the levels.
- Level 1 certification will apply to the vast majority of all DoD contractors, about 285,000, and will require that the company report against 17 no-cost controls which are based on good business practices and standard cyber hygiene.
- Level 2 is a transitional level for organizations with the resources to reach for Level 3.
- Level 3 certification applies to organizations that are approved to touch controlled unclassified information (CUI) and requires those companies by law to demonstrate certification against all 110 controls in NIST SP 800-171. Level 3 certification will apply to about 15,000 contractors to the DoD.
- Levels 4 and 5 apply to approximately 0.06% of all DoD suppliers each. Unless a firm is receiving CUI, all it needs to maintain is CMMC Level 1 certification.
Source: CMMC Public Briefing, January 31, 2020
How CMMC Certification Content was Developed
The framework for the CMMC certification requirements includes the basic safeguarding requirements for Federal contract information (FCI) from the Federal Acquisition Regulation (FAR) Clause 52.204-21 and the Security Requirements for Controlled Unclassified Information (CUI) from the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, per the Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204.7012.
The CMMC Certification Process
All DoD contractors will need to become CMMC certified by passing an audit. This will validate they have met the appropriate level of cybersecurity to conduct business with the DoD. CMMC assesses against 17 capability domains as noted in the figure above. For a representation of the cumulative certification requirements by level, see the figure below.
Source: https://www.acq.osd.mil/cmmc/docs/CMMC_ModelMain_V1.02_20200318.pdf
Every DoD supplier will need to visit www.cmmcab.org in order to see which cyber third-party audit organizations (C3PAOs) are certified to be auditors. (Note: The auditing process currently requires an onsite component, so the current pandemic may impact the timeline for auditor certification.) Once the supplier audit is complete, the auditor will submit the audit information report to the CMMC accreditation body, and the accreditation body will issue the certification to the business.
How Auditors Can Perform CMMC Assessments for All 5 Levels
CMMC certified auditors can use the Prevalent Third-Party Risk Management Platform, which includes control questionnaires for all five CMMC levels. With this access, certified auditors can:
- Invite clients into the Prevalent platform to complete standardized control assessments in an easy-to-use, secure tenant
- Automate chasing reminders to clients to reduce the time required to complete assessments
- Centralize supporting documents submitted as evidence of the presence of controls
- Produce a single risk register based on client responses
- Issue remediation recommendations for failed controls
CMMC Level 1 Certification in Detail
Auditors and DoD suppliers should consult the specific requirements for demonstrating controls at each certification level as outlined by the Defense Under Secretary for Acquisition and Sustainment. This section of the blog focuses only on Level 1 certification, since it pertains to the vast majority of DoD contractors, and should not be considered specific compliance guidance. See below for a summary of the 17 CMMC Level 1 practices by domain.
17 Level 1 Practices by Domain
Access Control (AC)
- AC.1.001: Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
- AC.1.002: Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
- AC.1.003: Verify and control/limit connections to and use of external information systems.
- AC.1.004: Control information posted or processed on publicly accessible information systems.
Identification and Authentication (IA)
- IA.1.076: Identify information system users, processes acting on behalf of users, or devices.
- IA.1.077: Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organization information systems.
Media Protection (MP)
- MP.1.118: Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.
Physical Protection (PE)
- PE.1.131: Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
- PE.1.132: Escort visitors and monitor visitor activity.
- PE.1.133: Maintain audit logs of physical access.
- PE.1.134: Control and manage physical access devices.
System and Communications Protection (SC)
- SC.1.175: Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
- SC.1.176: Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
System and Information Integrity (SI)
- SI.1.210: Identify, report, and correct information and information system flaws in a timely manner.
- SI.1.211: Provide protection from malicious code at appropriate locations within organizational information systems.
- SI.1.212: Update malicious code protection mechanisms when new releases are available.
- SI.1.213: Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.
How DoD Contractors Can Perform CMMC Level 1 Self-Assessments
Any DoD contractor can use the Prevalent Third-Party Risk Management Platform to conduct a Level 1 pre-assessment prior to the formal audit. With this access, DoD contractors can:
- Assess against the 17 controls required to measure Level 1 compliance
- Upload documentation and evidence to support answers to questions
- Gain visibility into current compliance status
- Leverage built-in remediation guidance to address shortcomings prior to your formal audit
- Produce compliance reports for auditors
For more information on how Prevalent helps to secure the DoD supply chain, visit our CMMC compliance page, download our compliance white paper, or request a demo of the Prevalent platform today.
Editor's Note: This post was originally published on Prevalent.net. In October 2024, Mitratech acquired Prevalent, the AI-enabled third-party risk management company. The content has since been updated to include information aligned with our product offerings, regulatory changes, and compliance.