Cybersecurity Maturity Model Certification (CMMC)


Cybersecurity Maturity Model Certification (CMMC)


Jul. 18th, 2019

The Pentagon has announced that it is developing a new cybersecurity certification program for Department of Defense contractors. Katie Arrington, Special Assistant to the Assistant Secretary of Defense for Acquisition for Cyber, and the DoD are working with John Hopkins University Applied Physics Laboratory (APL) and Carnegie Mellon University Software Engineering Institute (SEI) to review and combine various cybersecurity standards into one unified standard for cybersecurity.

CMMC aims to replace the current cybersecurity standard NIST SP 800-171 which falls under the DFARS clause 252.204-7012. CMMC will rely on numerous frameworks, including NIST 800-171, ISO 27001 and FedRAMP, but will serve as the enforcement that is lacking in the current DFARS rule. According to Ms. Arrington, everyone in the supply chain, including subcontractors, will need to be certified to do work with the DoD.

To shore up the supply-chain, the new standard CMMC (Cybersecurity Maturity Model Certification) will have five levels of certification ranging from “Basic Cyber Hygiene” to “State of the Art”. Those levels are as follows:

CMMC Level 1 – Basic Cyber Hygiene has 17 security controls
CMMC Level 2 – Intermediate Cyber Hygiene has 46 additional controls.
CMMC Level 3 – Good Cyber Hygiene has 47 controls in addition to completing the first 2 levels. Making level 3 the equivalent of the 110 controls currently found in NIST SP 800-171.
CMMC Level 4 – Proactive will have 26 more security controls in addition to the 110 found in NIST 800-171.
CMMC Level 5 – Advanced/Progressive/ State-of-the-Art will have 30 more security controls in addition to the 110 found in NIST 800-171.

As it stands, small business contractors, like metal manufacturers and printing companies, are being asked to comply with the same standard (NIST 800-171) as the larger defense primes. This makes it difficult for small businesses to keep up with the effort and costs of implementing that standard. The CMMC will be semi-automated and, more importantly, cost-effective enough so that Small Businesses can achieve the minimum CMMC level of 1, while larger primes will need to certify at a level 3.

“If you’re on a contract and you’re making boots in manufacturing, the vendor that is actually sewing the eyelets to lace the boots up does not need to have a state-of-the-art cyber security suite available to be able to do that. We want them to have good cyber hygiene. We want them to protect their employees, their IT, and their data rights. But as far as the government; we should not be sending them anything more than the instructions on how to make the eyelets, the dimensions and how to put the eyelets on the boots. And that would be a level 1 certification. That is what we would look for, and that is basic cyber hygiene. The prime, a level 3, may be receiving CUI that has to do with where the boots need to be shipped to, per se. That is where we’re going to look at enforcing all 110 controls of the NIST SP 800-171 on level 3.”
Katie Arrington, Special Assistant to the Assistant Secretary of Defense for Acquisition for Cyber

The current DFARS cybersecurity clause does not require third-party audits. Contractors may self-certify that they have implemented NIST SP 800-171. CMMC will require independent, third-party audits. Ms. Arrington, her team, and the DoD are in the process of selecting a non-profit organization to train and select the companies who will have the authority to audit and certify contractors with one of the five-level of certifications.

ComplyUp is working closely with officials to develop a tool that contractors can use to gain certification with the new standard. The tool will walk contractors through the assessment process providing guidance and allowing third-party auditors with quick, easy access to automate as much of the process as possible. ComplyUp will be first to market a solution for CMMC and will keep the cost low in order to maintain the effort of making implementation of the standard cost-effective.

The DoD plans to release the draft for CMMC by January. We can expect to see the new standard in RFI’s in June 2020 and in RFP’s by Fall of 2020. Contractors are expected to start achieving their certification between the January draft and the June release.

See how we’re helping small businesses solve CMMC

CMMC Solutions