The Department of Defense has released version 1.0 of the Cybersecurity Maturity Model Certification framework (CMMC), which measures a defense contractor’s ability to safeguard important information, including Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
As outlined by the document, it will be necessary for every company contracted by the Department of Defense to achieve CMMC certification before any contracts are awarded, and audits will begin later this year. All contracted businesses, from low-level contractors to prime contractors, will be required to comply with these new regulations.
This new version of the CMMC adds new guidelines to those included in previous drafts and offers important insights for how DoD contractors can become CMMC certified.
Important Additions to Version 1.0 of the CMMC
Version 1.0 of the CMMC closely resembles the previous drafts that you might have already seen. But there are some new updates that you’ll need to be aware of too.
The official Version 1.0 provides clarity regarding practices that businesses must follow to achieve each level of cyber hygiene (Levels 1 through 5). In Appendix B, the new version of the CMMC offers an in-depth description of all 171 practices across each level of the framework. This expands on the descriptions offered in the previous versions of the model.
As the Department of Defense has stated, each DoD contractor will be required to meet a certain level of hygiene depending on how much CUI it handles and on which contracts it plans to bid on. Businesses that attain Level 3 certification, for example, will only be allowed to bid on contracts requiring Level 3 and below.
Currently, there are no specific guidelines stipulating which defense contractors will need to be certified at which level. These requirements will be outlined in Requests for Information (RFIs) and Requests for Proposals (RFPs), which will start to be issued later this year.
The new version also includes a source mapping resource: a detailed table that maps each practice to the corresponding controls in other cybersecurity references and frameworks.
Certification duration is not directly addressed in version 1.0 of CMMC. However, in a press briefing, a key player in CMMC rollout said that certification would be good for 3 years once obtained. This gives us an idea of how much time there’ll be between audits.
Version 1.0 Model Overview
The new framework has 5 levels of certification that can be achieved. Level 1 is the most basic level of certification and must be met by all DoD contractors. To progress to a higher level of certification, a company must adequately demonstrate an additional set of cybersecurity practices.
The DoD shows how these practices align with the different levels of certification and what each level of cyber hygiene is meant to achieve. The five CMMC certification levels correspond to the following goals:
Level 1: Safeguard Federal Contract Information (FCI)
Level 2: Serve as a transitional step in cybersecurity maturity progression to protect CUI
Level 3: Protect CUI
Levels 4–5: Protect CUI and reduce risk of Advanced Persistent Threats (APTs)
This model outlines all of the practices specific to each level of certification within the CMMC and includes an appendix that explains these requirements in more detail.
Preparing for CMMC Audits
In order to become certified, all DoD contractors must undergo an audit conducted by a Certified Third-Party Assessment Organization, or C3PAO. Auditors must be accredited by the CMMC Accreditation Body. Audits are expected to begin in Spring 2020.
As audits are quickly approaching, preparation to become CMMC certified should begin immediately to ensure your business can meet all of the compliance regulations required.
Assessing your current cybersecurity practices through a CMMC assessment service is the first thing you should do. You can then begin to identify areas where you will need to adapt your procedures and policies to align with the requirements of CMMC version 1.0. As the framework makes clear, written policies and documented systems are required for certification.
DoD contractors now face an entirely new cybersecurity framework that will determine whether or not they can bid on certain contracts. Understanding this framework so you can prepare for an audit is critical for your business.