In this guide, we are covering the facts that you need to know in order to prepare your business to tick off the necessary boxes required to meet CMMC compliance.
What Is CMMC?
CMMC (also known as the Cybersecurity Maturity Model Certification) is a recently introduced compliance standard that suppliers and contractors to the Department of Defense (DoD) need to meet in order to be eligible to bid on contracts.
The CMMC builds upon the basic safeguarding requirements of NIST SP 800-171 (and its DoD Assessment Methodology), FAR clause 52.204-21 and DFARS clause 252.204-7012 by adding a certification that verifies the maturity level of a company's cybersecurity practices in line with how it handles both Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
There are various levels of CMMC compliance that companies need to meet, based on the sensitivity of the data that they handle.
The different CMMC categories that companies wishing to work with the DoD are judged upon include the following:
- Access Control (AC)
- Asset Management (AM)
- Audit and Accountability (AU)
- Awareness and Training (AT)
- Configuration Management (CM)
- Identification and Authentication (IA)
- Incident Response (IR)
- Maintenance (MA)
- Media Protection (MP)
- Personnel Security (PS)
- Physical Protection (PE)
- Recovery (RE)
- Risk Management (RM)
- Security Assessment (CA)
- Situational Awareness (SA)
- System and Communications Protection (SC)
- System and Information Integrity (SI)
What Does CMMC Stand For?
CMMC stands for Cybersecurity Maturity Model Certification.
Why Was CMMC Introduced?
The main reason that CMMC was introduced was to improve the safeguarding of sensitive data for the purposes of national security in response to a number of large data breaches involving DoD information being stored on the systems of contractors.
According to a study published by Atlas VPN, it is estimated that the global cost of cybercrime reached over $1 trillion in 2020.
With implications as severe as this in mind, the Department of Defense (DoD) is actively prioritising the actions needed to ensure data security and reduce the risk of breaches occurring.
The CMMC represents the DoD's commitment to evaluating all of the Defense Industrial Base's (DIB) 300,000 contractors in order to uphold security and compliance and to minimise risk throughout any business infrastructure that interacts with controlled unclassified information (CUI).
Even with CMMC compliance coming into play, a breach such as the notable SolarWinds incident of 2020 that affected 37 different companies might still not have been avoided, according to Rear Adm. William Chase III, deputy principal cyber adviser to the defence secretary and director of the Protecting Critical Technology Task Force.
He did however clarify that meeting CMMC requirements may allow organisations to spot breaches earlier by having processes in place to monitor rapid privilege escalation and monitor various security log events.
When Does CMMC Go Into Effect?
CMMC started to take effect in January of 2021 and contractors will be increasingly subjected to these requirements over the following five years.
By October 1st 2025 all contracts that exceed the micro-purchase threshold of $10,000 will be required to achieve CMMC certification.
What Are Examples Of CMMC Requirements?
The following assessment tool for CMMC v1.0 should help provide guidelines on the type of processes and audits that need to be conducted internally.
For your reference below we have included a sample of the type of requirements you will encounter during the process of auditing your operating environment.
A few examples of level 1 CMMC requirements include:
- Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
- Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
- Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.
A few examples of level 2 CMMC requirements include:
- Employ the principle of least privilege, including for specific security functions and privileged accounts.
- Enforce a minimum password complexity and change of characters when new passwords are created.
- Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital.
A few examples of level 3 CMMC requirements include:
- Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.
- Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.
- Prohibit the use of portable storage devices when such devices have no identifiable owner.
A few examples of level 4 CMMC requirements include:
- Restrict remote network access based on organizationally defined risk factors such as time of day, location of access, physical location, network connection state, and measured properties of the current user and role.
- Review and measure Identification and Authentication activities for effectiveness.
- Review and measure Media Protection activities for effectiveness.
A few examples of level 5 CMMC requirements include:
- Identify and mitigate risk associated with unidentified wireless access points connected to the network.
- Standardize and optimize a documented approach for Identification and Authentication across all applicable organizational units.
- Standardize and optimize a documented approach for Media Protection across all applicable organizational units.
If you answer yes to meeting any individual requirement you will be asked to describe the mechanism implemented to meet the control requirement.
Understanding how to meet the criteria outlined in the assessment form linked above isn't as simple as reading through the documentation and making changes step by step.
As these criteria are often open to interpretation, a lot of resources have been created to try and fill the gap left by NIST/CMMC not explicitly clarifying what they mean for each requirement.
There is a lot of demand across cybersecurity communities online for a human-readable version of CMMC criteria that is accompanied by real-world examples.
As much of the criteria under numerous different levels of CMMC is taken from NIST, FAR & DFARS you will be able to increase your likelihood of finding accessible resources by searching for the requirements as they appear in pre-existing supporting documentation under these complementary compliance frameworks.
As many cybersecurity engineers are invested in understanding the Cybersecurity Maturity Model Certification, it is well worth keeping an eye out for new resources as they are published on sites such as Stack Overflow, Medium and the CMMC subreddit.
Engineers may also find the NIST Centre of Excellence Community on Discord to be a highly valuable resource due to the overlap for many of the controls.
Where Can I Find More Information On CMMC?
To read more information on CMMC and review the assessment guides for level 1 through 3, visit the official website of the Office of the Under Secretary of Defense for Acquisition & Sustainment Cybersecurity Maturity Model Certification.
Data Retention Under CMMC
As part of the process of auditing your business under CMMC, it is likely that the auditor will request that you are able to pull up events that occurred at any time within the last year, to demonstrate that you are retaining data in line with the recommended retention requirements.
Due to the high cost associated with a year's worth of retention when implementing a cybersecurity solution such as Splunk, many companies looking to prove their compliance with CMMC may baulk at the costs associated with long-term data retention.
Another alternative that may be considered is hosting your data within an S3 bucket, but this brings additional costs of its own because AWS levies data egress fees as standard.
Many engineers faced with these options may look for an on-premise solution for centralising data, but this also brings additional requirements that often result in hiring more engineers to maintain, host and upgrade your chosen technology stack.
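Whichever storage option you settle on, the practical test an auditor applies is the one described above: can you produce an event from any day in the last year? The following check, an added example written for this guide and not Logit.io's or any product's code, walks a list of daily archive names and reports every day in a 365-day window that has no archive. The file-naming scheme (audit-YYYY-MM-DD.log.gz), the sample archive list and the deliberately missing days are all constructed for illustration.

```python
"""Verify that daily audit-log archives cover the full retention window.

Added example for this guide (not Logit.io's code). The naming scheme
"audit-YYYY-MM-DD.log.gz" and the sample data below are assumptions.
"""
import re
from datetime import date, timedelta

# One archive per day, named by the day it covers (assumed naming scheme).
ARCHIVE_NAME = re.compile(r"^audit-(\d{4})-(\d{2})-(\d{2})\.log\.gz$")


def archive_dates(names):
    """Return the set of dates for which a well-formed daily archive exists."""
    found = set()
    for name in names:
        m = ARCHIVE_NAME.match(name)
        if m:  # partial uploads (.tmp) and unrelated files are ignored
            found.add(date(*map(int, m.groups())))
    return found


def retention_window(as_of, days=365):
    """Inclusive list of dates that must be retained as of `as_of`."""
    start = as_of - timedelta(days=days - 1)
    return [start + timedelta(days=i) for i in range(days)]


def retention_gaps(names, as_of, days=365):
    """Dates inside the window that have no archive, oldest first."""
    have = archive_dates(names)
    return [d for d in retention_window(as_of, days) if d not in have]


def gap_ranges(gaps):
    """Collapse consecutive missing dates into (first, last) ranges."""
    ranges = []
    for d in gaps:
        if ranges and ranges[-1][1] + timedelta(days=1) == d:
            ranges[-1] = (ranges[-1][0], d)
        else:
            ranges.append((d, d))
    return ranges


def build_sample(as_of, days=365, missing=()):
    """Constructed sample: one archive name per day, minus `missing`."""
    return [f"audit-{d.isoformat()}.log.gz"
            for d in retention_window(as_of, days) if d not in missing]


# Constructed scenario: the audit is run on 2023-12-31 and three days of
# archives were never written. Two stray files must not count as coverage.
AS_OF = date(2023, 12, 31)
MISSING = {date(2023, 6, 10), date(2023, 6, 11), date(2023, 9, 3)}
SAMPLE_ARCHIVES = build_sample(AS_OF, missing=MISSING) + [
    "audit-2023-04-01.log.gz.tmp",  # incomplete upload
    "notes.txt",
]


def report(names, as_of, days=365):
    """Human-readable summary of retention coverage for the audit file."""
    gaps = retention_gaps(names, as_of, days)
    if not gaps:
        return f"OK: all {days} days up to {as_of} have an archive"
    lines = [f"MISSING {len(gaps)} of {days} days up to {as_of}:"]
    for first, last in gap_ranges(gaps):
        lines.append(f"  {first}" if first == last else f"  {first} to {last}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_ARCHIVES, AS_OF))
```

Run this against a listing of your archive store (for example the object keys of the bucket or the directory of the on-premise collector) before the auditor asks; a gap found on the day of the audit cannot be backfilled.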
CMMC Compliance That Doesn’t Cost The Earth
As it is estimated that 54% of the DoD's contract budget is currently awarded to small businesses, it is clear that the demands of meeting CMMC compliance will mostly fall on smaller businesses.
For those smaller businesses that rely on the DoD as important clients, it will come as welcome news to know that the tools and costs associated with CMMC compliance will be seen as an allowable cost, according to the Office of the Under Secretary of Defense for Acquisition & Sustainment Cybersecurity Maturity Model Certification.
Unfortunately, this may only be true in the cases that you win a contract with the DoD according to this statement. In that case, it is probably wise to look to centralise your system data affordably in the event that your DoD contract is not renewed and you don't wish to incur many tens of thousands of dollars spent without a chance of reimbursement.
Logit.io can work alongside your cybersecurity team by providing a platform compatible with a number of levels of CMMC compliance by allowing you to create and retain system audit logs and records used in the process of monitoring, analysis, investigation and reporting (as outlined as a requirement in AU.2.042, level 2).
The Logit.io CMMC solution also allows you to correlate audit events and logs for the purposes of creating reporting dashboards and conducting analysis in order to detect unauthorised and unusual activity occurring within your operating environment (AU.3.051, level 3).
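The detection value of a centralised log platform comes from correlating events across sources, as the AU.3.051 requirement above describes and as the earlier remark about monitoring rapid privilege escalation illustrates. The script below is an added example written for this guide, not Logit.io's product code or any CMMC-mandated logic. It parses a constructed key=value audit log and raises two kinds of alert: a burst of failed logins for one user from one source (unauthorised activity), and an account that is added to a privileged group and then uses sudo within a short window (rapid privilege escalation). The log format, field names, group names and thresholds are all assumptions chosen for illustration.

```python
"""Correlate audit events to flag failed-login bursts and rapid privilege
escalation. Added example for this guide (not Logit.io's code); the log
format, field names and thresholds are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in an assumed "timestamp key=value ..." format.
SAMPLE_LOG = """\
2023-11-05T02:10:01Z host=web1 event=login user=bob src=10.0.0.7 result=failure
2023-11-05T02:10:03Z host=web1 event=login user=bob src=10.0.0.7 result=failure
2023-11-05T02:10:06Z host=web1 event=login user=bob src=10.0.0.7 result=failure
2023-11-05T02:10:09Z host=web1 event=login user=bob src=10.0.0.7 result=failure
2023-11-05T02:10:12Z host=web1 event=login user=bob src=10.0.0.7 result=failure
2023-11-05T02:10:15Z host=web1 event=login user=bob src=10.0.0.7 result=failure
2023-11-05T02:10:20Z host=web1 event=login user=bob src=10.0.0.7 result=success
2023-11-05T02:11:02Z host=web1 event=group_add user=bob group=wheel actor=bob
2023-11-05T02:12:30Z host=web1 event=sudo user=bob cmd=/bin/bash
2023-11-05T08:59:40Z host=web1 event=login user=carol src=10.0.0.9 result=failure
2023-11-05T08:59:55Z host=web1 event=login user=carol src=10.0.0.9 result=failure
2023-11-05T09:00:00Z host=web1 event=login user=carol src=10.0.0.9 result=success
2023-11-05T09:05:00Z host=web1 event=login user=alice src=10.0.0.5 result=success
2023-11-05T09:30:00Z host=web1 event=sudo user=alice cmd=/usr/bin/systemctl
"""

# Groups whose membership confers administrative rights (assumed names).
PRIVILEGED_GROUPS = {"wheel", "sudo", "admin"}


def parse_events(text):
    """Parse each line into a dict of fields plus a 'ts' datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        raw_ts, _, rest = line.partition(" ")
        fields = dict(re.findall(r"(\w+)=(\S+)", rest))
        fields["raw_ts"] = raw_ts
        fields["ts"] = datetime.strptime(raw_ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(fields)
    return sorted(events, key=lambda e: e["ts"])


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=1)):
    """Return (user, src, peak) for pairs with >= threshold failures in `window`.

    A sliding window over the sorted failure times gives the largest number
    of failures that fall inside any single window of the given length.
    """
    by_key = defaultdict(list)
    for e in events:
        if e.get("event") == "login" and e.get("result") == "failure":
            by_key[(e["user"], e["src"])].append(e["ts"])
    alerts = []
    for (user, src), times in by_key.items():
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts.append((user, src, peak))
    return alerts


def rapid_escalations(events, window=timedelta(minutes=15)):
    """Flag users added to a privileged group who use sudo within `window`."""
    alerts = []
    grants = [e for e in events
              if e.get("event") == "group_add" and e.get("group") in PRIVILEGED_GROUPS]
    for g in grants:
        for e in events:
            if (e.get("event") == "sudo" and e.get("user") == g["user"]
                    and timedelta(0) <= e["ts"] - g["ts"] <= window):
                alerts.append({"user": g["user"], "group": g["group"],
                               "granted_at": g["raw_ts"], "used_at": e["raw_ts"]})
                break  # one alert per grant is enough
    return alerts


def analyse(text):
    """Run both detections over a log and return the combined findings."""
    events = parse_events(text)
    return {"failed_login_bursts": failed_login_bursts(events),
            "rapid_escalations": rapid_escalations(events)}


if __name__ == "__main__":
    for kind, findings in analyse(SAMPLE_LOG).items():
        for f in findings:
            print(kind, f)
```

In the sample, bob's six failures in twenty seconds and his sudo use ninety seconds after joining wheel both fire, while carol's two typos and alice's routine sudo (no group change) do not; tune the thresholds to your environment's baseline rather than copying these values.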
Understanding CMMC compliance requires recognising that this is not a compliance standard that can be fully outsourced to any single third-party solution or consultant to solve on your behalf.
By taking the time to understand and resolve the risks that stop your organisation from being the best possible supply chain partner it can be to the DoD, you can confidently provide solutions and services that play their part in upholding US national security.
If you enjoyed this article on CMMC certification, why not check out our article on who needs CMMC certification?