An Overview of CMMC, the Department of Defense Cybersecurity Maturity Model Certification Program
No matter what, your company’s important information is worth protecting. if you’re part of the DoD network of contractors or their supply chains, this is even more critical. A new information security program called Cybersecurity Maturity Model Certification (CMMC for short) is coming your way.
Announced in November 2020, CMMC mandates new cybersecurity requirements for companies that are part of the vast defense industrial base which includes more than 350,000 firms.
To continue doing business with the DoD, all suppliers and contractors need to be audited and certified by a CMMC Third-Party Assessment Organization (C3PAO) consistent with CMMC requirements by the end of 2025. NSF-ISR was recently named one of the first candidate C3PAOs and provides DoD suppliers with the gap assessments, audits and certifications required under the CMMC program.
“CMMC is a unified standard that takes into account all of the various information security standards and best practices,” says Rhia Dancel, a CMMC registered practitioner, lead ISO/IEC 27001 auditor and information security technical manager with NSF-ISR. “The goal of the program is to protect controlled unclassified information (CUI). The difference between CMMC and other NIST security standards is that it adds a third-party verification element to the mix, and that verification is what we provide,” she adds.
CUI is government created or owned information that requires safeguarding or dissemination controls consistent with applicable laws, regulations and policies. Examples of DoD CUI include blueprints for parts of new defense aircraft or specifications for military uniforms.
Tony Giles, a CMMC provisional assessor, information security business lead and lead auditor with NSF-ISR, offers this view on the importance of CMMC within the broad spectrum of DoD programs. He says, “It’s the first ever mandated information security standard, and one the Department of Defense is extremely interested in. It wants to see organizations meet those requirements.”
Why is the DoD rolling out the CMMC program? The rise in cyberattacks over the last few years poses a growing threat to the nation’s economic security and national security. High-profile cyberattacks covered in the media are just the most recent examples.
“In December, a large, publicly-traded firm was breached and you can walk through their incident response. There's so much involved with the breach. Security seems to be top of mind for everybody these days.” says Giles.
It is estimated that $600 billion, nearly 1% of global GDP, may be lost to cybercrime annually based on a report from the Center for Strategic and International Studies and information security firm McAfee. The estimate is up from a 2014 study which placed global losses at about $445 billion annually1.
An important part of what Dancel does for clients is staying informed on the constant cybersecurity threats that take place around the world. “The threats and attacks that get press coverage usually affect high-profile companies or agencies,” she says. “But there are many smaller ones that take place in any given month. For the firms, they’re just as significant.”
The CMMC program is an important part of the Defense Department’s overall response to rising cyber security threats. It’s a verification mechanism to ensure that companies in the DIB implement proven cybersecurity practices to protect controlled unclassified information.
Dancel and Giles are ready to provide the information companies need to ensure they’re in compliance by the CMMC deadline. “It's a five-year phased rollout with new DoD contracts,” Dancel says. “CMMC requirements will appear in all contracts starting in fiscal year 2026, meaning all DoD contractors will need to be in compliance to bid on the work.”
The CMMC model includes five levels of cybersecurity practices with NIST SP 800-171 controls as the foundational requirements for levels 1-3. Level 1 represents basic cyber hygiene and focuses on the protection of federal contract information (FCI). Level 2 is a transitional step in cybersecurity maturity progression to protect controlled unclassified information.
Level 3 focuses on protection of CUI. It includes all the security controls specified in NIST SP 800-171, plus an additional 20 practices from various information security standards and references. Level 4 targets the proactive activities an organization can take to protect, detect and respond to threats. Level 5 focuses on protecting CUI from advanced persistent threats (APTs).
Even though the final deadline for CMMC certifications is not until the end of 2025, Giles points to many DoD suppliers that have active contracts and have chosen to move forward with CMMC certification, especially now that COVID-19 pandemic impacts are starting to lessen.
“There are probably going to be about 1,500 defense industrial base customers that have contractual requirements to meet. We should likely see those certifications in place by the end of 2021,” he says. “I'm optimistic that there will be companies that meet requirements in 2021 and that we will have audits completed by end of the fourth quarter this year.”
An important goal for the DoD is to ensure CMMC is affordable for small businesses. Firms seeking CMMC certification pay for their own assessments, but there are grant programs through organizations like the University of Michigan’s Economic Growth Institute to help firms offset the cost of CMMC gap assessments. Companies are also allowed to include certification as a project cost in budgets for proposals they submit to DoD.
As with any large, new government program being rolled out over a five-year time span, there is always the possibility of changes. The best approach is to stay informed and be proactive in this initial phase of the certification process.
Giles also points to NSF-ISR’s ongoing public information efforts. “We want to continue to create content and continue to educate organizations on information security and make sure we get the proper materials out there. I want to demystify the information security experience for all companies and clients, especially the really small ones.”
Dancel agrees with Giles and adds that she would like to see a positive outcome for the DoD suppliers she works with on CMMC certifications. “We want each of them to be the contractor that is a secure link in their supply chain. They're all part of the defense industrial base, so, they're looking to gain business as a contractor,” she says. “We want them to be eligible to bid on work in the defense industry.”
If your company does business with the U.S. Department of Defense and you’ve been tasked to ensure your company can meet the new mandated CMMC requirements, some questions are sure to arise. Good to know there are information security experts like Rhia Dancel and Tony Giles you can call on to get answers.