What is CMMC compliance: Inside the Cybersecurity Maturity Model Certification
Cybersecurity Maturity Model Certification (CMMC) has been in the news a lot lately. CMMC is the next phase of the U.S. Department of Defense's (DoD) efforts to fully secure the Defense Industrial Base (DIB). Its scope is enormous, as expected in any program intended to improve the security of a network comprising more than 300,000 external contractors.
The overall goal is to protect sensitive information related to federal contracts and government-created or owned information that requires controls to be implemented according to government policy.
What is CMMC compliance?
The CMMC framework is intended to assess and enhance the cybersecurity posture of the many companies that contribute to the research, engineering, development, acquisition, production, delivery, sustainment and operation of DoD systems, networks, installations, capabilities and services.
The initial version of CMMC was pulled back, and the government recently retooled the entire framework. So what's new in CMMC 2.0? How does this impact organizations needing to get CMMC certified? And how does it impact those looking for careers as a CMMC auditor?
“Assumptions were made about what contractors were doing for their own cybersecurity versus what was actually happening,” said Leighton Johnson, CTO and Founder of the Information Security Forensics Management (ISFM), on the Cyber Work Podcast. Johnson is also an Infosec instructor and a 40-year cybersecurity veteran.
The DoD, perhaps naively, expected the vendor community to follow the DoD acquisition regulations that have been in place since 2016. These regulations laid out the basic cybersecurity duties and responsibilities expected of every contractor. The DoD discovered that the commercial world is not driven by requirements, as government operations typically are; it is driven by cost. As a result, many of the mandated cyber requirements were never implemented.
“The DoD has always had an extremely strong viewpoint about security and cybersecurity, for its own components and its own activities,” said Johnson. “They just translated that over to the commercial world, and that’s when a big disconnect was seen.”
When is CMMC compliance required?
The clock is ticking. As the DoD states, “CMMC 2.0 will not be a contractual requirement until the Department completes rulemaking to implement the program,” and that process “can take up to 24 months.” The approaching deadline applies to both prime contractors and subcontractors. Those that do not comply will not be able to work with the DoD until they reach compliance.
CMMC lays out two levels of certification for both assessors and instructors. Organizations will be evaluated by a qualified assessor at the level they wish to achieve. It is up to them to determine the appropriate level before scheduling an assessment.
FCI
The first level is called federal contract information (FCI). It encompasses information that is not in the public domain about contracts, such as terms, conditions, schedules and so on. Every contractor must get to at least level one.
CUI
The second level is controlled unclassified information (CUI). It covers information about whatever the contractor is building that is unique and specific to the DoD and its requirements.
“I’ve seen estimates that anywhere from 40% to 75% of all contracts will have a CUI requirement,” said Johnson.
That means perhaps 120,000 contractors — and even as high as 225,000 — will need to be assessed and certified for the CUI level. With the deadline looming, getting so many contractors through the process will be difficult.
What must be understood is that CMMC is not going away. The DoD has been expecting compliance with these cybersecurity rules for about five years. They don't want to wait any longer. Further, adversaries of the government continue to steal data and compromise DoD systems.
CMMC auditor careers
Those wishing to become a certified CMMC auditor (i.e., those who assess organizations for CMMC compliance) should understand that assessment is based on NIST Special Publication 800-171. They should obtain a copy of NIST Special Publication 800-171A (the assessment guide) and the material and guides posted on the DoD CMMC website. That is the source material anybody in this role needs to understand. It covers as many as 110 security controls.
Those guides teach you how to conduct assessments in the federal space under CMMC, the kind of mechanisms to look for, the specifications, best practices and processes that need to be in place, and the proof required to demonstrate compliance.
There are also licensed training providers for CMMC and licensed publishing partners, and Infosec is qualified for both. Such services are vital as hundreds of thousands of companies must be assessed quickly.
There is high demand for CMMC auditors. The good news is that the required knowledge overlaps considerably with that of people already working in privacy, compliance and risk management.
Johnson said certified auditors, certified security component installers and engineers or holders of various other professional certifications have the right background for a career related to CMMC. There is no need to possess a DoD security clearance as the data is not classified. But a background check is required.