
CMMC Compliance: A Guide for Government Contractors

The Cybersecurity Maturity Model Certification (CMMC) is a U.S. Department of Defense (DoD) program, established by the recently published Title 32 CFR rule, that requires government contractors to demonstrate their cybersecurity preparedness. Effective since mid-December 2024, it aims to protect Controlled Unclassified Information (CUI) by setting security standards for contractors that handle this sensitive data. A companion rule, within Title 48 CFR, is expected to establish CMMC as a mandatory requirement that will be phased into contracts starting in mid-2025.

Organizations that work with the DoD are already following existing cybersecurity requirements, specifically Federal Acquisition Regulation (FAR) 52.204-21, Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, and NIST SP 800-171 Rev 2. CMMC strengthens the requirements already in place by adding third-party and/or DoD assessments, depending on your level of CMMC compliance.

Here are some best practices for understanding how CMMC applies to your organization and how to achieve and maintain compliance.

Understanding the CMMC Model

While contracts will require CMMC compliance, businesses need to determine their target level based on their desired government work and the type of information they handle. CMMC has three levels with increasing security requirements. Each level dictates the type of government work a contractor can pursue. Primes will require subcontractors to have a specific level of CMMC certification. Assessment guides provide detailed information about each practice and how it will be assessed.  

  • Requirements and Renewals
    • Level 1 requires annual self-assessments plus annual affirmations.
    • Level 2 requires assessment from a Certified Third-Party Assessor Organization (C3PAO) every three years plus annual affirmations.
    • Level 3 requires assessment from the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) every three years plus annual affirmations. A CMMC Level 2 certification is also required as a prerequisite.

Auditing Your Readiness

Begin by evaluating the types of data you handle and who needs access. Your government clients and prime contractors define CUI requirements for you. Then consider your own infrastructure, including:

  • Cloud Services: Cloud services used to store CUI must be FedRAMP approved or equivalent. Be vigilant about changes. A vendor such as Microsoft, Amazon Web Services, or Google may introduce something in a commercial tenant that nullifies compliance. You may need to move to a GovCloud tenant to be CMMC compliant.
  • Training: Conduct internal training for users, auditors, and implementers regarding CMMC and data security best practices. Consider Certified CMMC Professional (CCP) training for IT and quality assurance personnel in your organization.

Achieving & Maintaining Certification

Allow at least a year for implementation if you’re starting from scratch. Staffing needs will depend on your current security posture and the level of compliance you are seeking. External consultants can help with preparation, training, and gap and mock assessments.

  • Conduct a Gap Assessment
    • Evaluate your current cybersecurity posture: Identify any gaps between your existing security controls and the CMMC requirements. This involves evaluating existing security controls, policies, and procedures against the specific CMMC level requirements.
    • Prioritize remediation efforts: Focus on addressing the most critical gaps first, then create a plan to address identified weaknesses and implement necessary security controls to meet CMMC requirements.
    • Develop a System Security Plan (SSP): This is a crucial document that details how an organization implements each of the CMMC practices, including:
      • Secure content management  
      • Encryption  
      • Network engineering and management  
      • Authentication  
      • Intrusion detection  
      • Automated monitoring  
      • Incident response and forensics  
  • Focus on the CIA Triad: Common-sense security practices are vital, and consistent monitoring and updates are needed to avoid complacency. Data security is a constant balancing act between confidentiality, integrity, and availability (CIA), so you should have a firm foundation of:
    • Strong Access Controls
      • Principle of least privilege: Grant users only the access they need to perform their job duties.  
      • Multi-factor authentication: Implement MFA for all users, especially those with access to sensitive information.  
    • Continuous Monitoring & Communication
      • Regularly monitor your systems: Look for signs of suspicious activity or potential security breaches.  
      • Establish an incident response plan: Have a plan in place to respond to and recover from security incidents. Immediate communication is both crucial and required by contract in case of security incidents.
    • Regular Security Awareness Training
      • Educate your employees: Ensure that all employees understand their role in protecting sensitive information.  
      • Reinforce good security practices: Regularly remind employees about the importance of strong passwords, phishing awareness, and other security best practices.  

Being Proactive About Compliance

According to IntelliDyne’s Director of Information Security, Derrick Weaver, “Keeping up with the updates and implementing change to meet new guidance and criteria are essential. My greatest pain point has been the ever-changing landscape. Now that the 32 CFR rule has been published and the companion 48 CFR rule is about to be published, we can focus on being proactive rather than reactive.”

  • Start early: Don’t wait until a contract requires CMMC certification to start preparing.  
  • Document everything: Keep detailed records of your security controls and compliance efforts.  
  • Stay current: The CMMC framework is subject to change, so it’s important to stay informed about the latest requirements.  

By following these best practices, you can improve your organization’s cybersecurity posture and ensure compliance with the CMMC framework.
