The U.S. Department of Defense (DoD) released the first version of the Cybersecurity Maturity Model Certification (CMMC) on January 31, 2020, with substantial input from Federally Funded Research and Development Centers, and University Affiliated Research Centers. For DoD contractors that are still not in compliance with CMMC, this guide discusses the things they need to know about this certification.
What is CMMC?
The CMMC or Cybersecurity Maturity Model Certification is a set of standards that serves as the minimum requirement for DoD contractors that want to secure federal contracts and is the main line of defense against the compromisation of sensitive information in the systems of DoD contractors.
Before, contractors possessed the majority of the responsibility for implementing and monitoring information technology security for systems that handled and transmitted DoD information. The Department of Defense created CMMC to ensure that these contractors can adapt to new cyber threats by requiring third-party compliance assessments to ensure that contractors are utilizing mandatory cybersecurity practices. Moreover, CMMC helps secure CUI, financial data, and other information that are can result in detrimental effects to national security if compromised.
What are the five levels of CMMC?
The CMMC framework contains five certification levels. Each level represents the maturity and reliability of the contractor’s cybersecurity infrastructure. Hence, the higher the level that a DoD contractor possesses, the better their infrastructure is at protecting government information on their systems.
Here are the following certification levels in CMMC:
A contractor at the first level has basic cybersecurity measures in place. These measures include:
- The use of anti-malware software on all computer systems
- Education of employees on basic cybersecurity practices
- Frequent and periodic changing of passwords
- Collection of incident reports
- Constant updating of software
- Backing up data to a secure secondary source
Unlike the first level that involves the use of basic security hygiene, Level 2 requires a contractor to implement the best practices (or intermediate hygiene practices) for cybersecurity. To achieve this tier, a contractor must:
- Conduct a risk management assessment
- Implement and safeguard access control to CUI
- Collect and investigate security incidents
- Establish a good configuration management program
- Implement a good incident response plan
- Have business continuity measures in place
- Limit access and backup media that contains CUI
- Implement background screening on all personnel
- Implement physical security measures for network and server rooms
- Conduct preventive, adaptive, and corrective maintenance on all systems
Achieving the third tier means that a contractor has an institutionalized management plan in place to safeguard CUI through the best security hygiene practices. To reach this level, here are some of the things that a contractor must do:
- Establish zero-trust login measures
- Communicate updates on IT security threats to key stakeholders
- Have authentication and encryption measures in place for wireless access
- Separate employees’ duties to decrease the risk of malicious activities
- Use cryptography to maintain the confidentiality of remote access measures
- Encrypt CUI on all devices and computers
- Sanitize equipment that is moved off-site for maintenance
- Disallow the use of unauthorized portable storage devices
Level 4 certification requires cutting-edge cybersecurity technology and infrastructure. At this level, a contractor also has defense techniques in place for advanced persistent threats (APTs). Some of the most important steps for this tier are:
- Prove effective use of DLP technologies
- Segment or partition data network effectively
- Add any and all mobile devices to the IT security blanket
- Detect threats proactively
The last level of CMMC certification involves highly sophisticated cybersecurity practices, measures, and technologies. Highly advanced DoD contractors can attain the fifth tier by accomplishing the following:
- Establish a 24/7 security operations center
- Enforce compliance with port-related security protocols
- Use exception processes for non-whitelisted software
- Perform risk management solution assessment at least once a year
- Establish a dedicated incident response team
- Test procedural and technical responses by conducting regular operations exercises
What happens when contractors don’t comply with CMMC?
Without CMMC compliance, a contractor cannot bid, participate, or win any contract, which will eventually cause detrimental effects on their third-party associations. Ultimately, everyone in the company will be affected, as well as those involved in the supply chain. Hence, any and all DoD contractors must comply with these standards in order to continue doing business.
The first level of CMMC compliance is easy to achieve, but the same cannot be said for the rest. For contractors that are having trouble achieving higher levels of CMMC compliance, they can turn to reputable cybersecurity services to increase compliance and improve cybersecurity measures tenfold.