Advisory: How To Adopt CMMC To Improve Your Security Maturity

The U.S. Department of Defense (DoD) spends more money on contracts every year. In the 2020 fiscal year the DoD awarded a record $445 billion in contracts to federal contractors in the U.S. defense industrial base (DIB), the contractors that contribute to the defense sector's research, engineering, development, acquisition, production, delivery, and other supply chain operations, with 54% of those contracts going to small businesses. Along with these contracts, sensitive DoD information is dispersed across over 300,000 businesses in the DIB. This large number of contractors and subcontractors raises the likelihood of a data breach.

With the U.S. playing a significant role in global military affairs, malicious cyberattacks frequently target the DIB and the DoD supply chain. As a result, the Pentagon enforces security regulations to guarantee the confidentiality of its data when it is shared with contractors.

Previously, DoD contractors were required to comply with the NIST SP 800-171 security framework to ensure security against such hostile cyberattacks. While some large institutions have the facilities to safeguard their systems from cyberattacks that can lead to the breach of sensitive data, many small businesses struggle to comply with many of its requirements.

To establish a suitable and simple-to-implement security framework to safeguard federal contract information and manage unclassified information across the DIB supply chain, the DoD introduced Cybersecurity Maturity Model Certification (CMMC) as its new standard.

What is CMMC?

The Cybersecurity Maturity Model Certification (CMMC) framework is a security standard that aligns a set of processes and practices with the type and sensitivity of the information to be protected. CMMC incorporates capabilities and best practices from multiple standards such as NIST SP 800-53, Aerospace Industries Association (AIA) National Aerospace Standard (NAS) 9933 “Critical Security Controls for Effective Capability in Cyber Defense,” and Computer Emergency Response Team (CERT) Resilience Management Model (RMM).

With CMMC, DoD ensures that companies, contractors, and subcontractors in the DIB supply chain implement standard security requirements that guarantee the security and confidentiality of sensitive defense data. The first version of CMMC was released in January 2020, and the most recent version (2.0) was released in November 2021.

CMMC Compliance Levels

Version 1.0 introduced five levels for measuring the maturity of an organization's cybersecurity measures:

  1. Performed — aligned to safeguard Federal Contract Information (FCI).
  2. Documented — aligned to serve as a transition step in cybersecurity maturity progression to protect Controlled Unclassified Information (CUI).
  3. Managed — aligned to protect CUI.
  4. Reviewed — aligned to protect CUI and reduce the risk of Advanced Persistent Threats (APTs).
  5. Optimizing — aligned to protect CUI and minimize the risk of Advanced Persistent Threats (APTs).

Each of these levels or processes is associated with specific practices that measure its fulfillment. Each level builds on the previous one; to be certified for a particular compliance level, an organization must demonstrate the implementation of practices recommended at lower levels.

Version 2.0 of the security model, released on November 4th, 2021, modifies the security model to offer a more flexible and straightforward procedure. The following are the notable modifications introduced in v2.0:

  • Reduction of the compliance levels to 3 (removing levels 2 and 4)
  • Eliminating the maturity processes and CMMC 1.0 level unique practices

Compliance Levels of CMMC Version 2.0

Level 1: Foundational

The first level comprises 17 practices that require an organization to implement basic security practices. These procedures are designed to protect federal contract information, which is confidential and not meant for public consumption.

The level requires compliance with basic practices like staff awareness and ensuring employees change passwords regularly, which correspond to the safeguarding requirements specified in 48 CFR 52.204-21.

Certification for this level is based on an annual self-assessment.

Level 2: Advanced

Level 2 requires establishing, documenting, and maintaining a repeatable plan and process that guide the organizational effort to achieve maturity. The plan may include security goals, resourcing, required training, and the involvement of relevant stakeholders. This level requires implementing and institutionalizing 110 good cyber hygiene practices, alongside the practices in Level 1, with a focus on CUI. The required practices are aligned with NIST SP 800-171 to mitigate threats.

Certification for this level is based on triennial third-party assessments for critical national security information and an annual self-assessment for selected practices.

Level 3: Expert

This is the most advanced level of the CMMC framework. Level 3 involves the standardization and optimization of the practice and processes. It also introduces 110+ new practices aligned with the NIST SP 800-172. By incorporating techniques that aid in detecting and reacting to changes in the tactics, techniques, and procedures (TTP) of advanced persistent threats (APTs), these new practices seek to increase the breadth and sophistication of overall security capabilities.

Certification at this level requires a triennial government-led assessment.

CMMC Domains

The CMMC helps to improve the maturity of an organization's security across 17 domains. Each domain groups the capabilities an organization must demonstrate at a given maturity level. Below are some of the most impactful ones:

  • Access Control: This domain establishes control of access to the organization's internal, physical, and remote systems. It also defines the requirements for access to the organization's systems and limits access to authorized users only.
  • Audit and Accountability: Security audits are essential to evaluate progress and analyze gaps. This domain defines audit requirements and performs the audit. After that, it identifies crucial audit information and then reviews, manages, and protects the audit information.
  • Awareness and Training: Conduct periodic organization-wide security awareness and threat mitigation training activities.
  • Incident Response: This domain ensures an incident response plan is in place for when a cybersecurity incident occurs. It monitors and reports events, then develops and implements appropriate responses to specific security incidents.
  • Risk Management: Identify, evaluate, and manage security risks.
  • Security Assessment: Create and oversee the implementation of a security assessment plan.
  • System and Communications Protection: Establish security requirements for systems and communications, and control communications at system boundaries.
  • System and Information Integrity: Recognize and manage information system flaws, spot malicious content, carry out system and network monitoring, and put advanced email security into place.

Other domains include asset management, physical protection, recovery, maintenance, media protection, situational awareness, configuration management, personnel security, identification, and authentication.

Each domain helps organizations excel in their security maturity by implementing their accompanying capabilities.

Adopting CMMC In Other Regions Including the Middle East

Although CMMC is designed for the U.S. defense supply chain and certification is only required there, its practices and recommendations can be deployed to improve security maturity in other regions, including the Middle East. The recommendations of the CMMC are based on a well-established cybersecurity framework (NIST SP 800-171), which makes them easy to adapt to different scenarios. Evaluating your organizational security maturity against this standard will help you align your security practices with global standards.

Conclusion

The CMMC is a comprehensive cybersecurity framework developed by the U.S. Department of Defense. Although the design targets defense contractors in America, its practices can be adopted across various industries and regions to improve security posture.