CMMC Compliance Services & FAQ’s
NeoSystems is proud to be a best-of-breed provider of CMMC audit preparation and compliance services for government contractors. Here are some frequently asked questions related to CMMC certification.
- What is CMMC?
- What Are The CMMC Levels?
- Who Does CMMC Apply To?
- When Does CMMC Go Into Effect?
- Why is CMMC Being Implemented?
- How Do I Achieve CMMC Compliance?
- How Do I Choose A CMMC Partner?
- Additional CMMC FAQs
What is CMMC?
The Department of Defense (DoD) has announced the introduction of a new program called the Cybersecurity Maturity Model Certification (CMMC). CMMC will serve as a framework for the enforcement of the department’s existing Defense Federal Acquisition Regulation Supplement (DFARS) requirements. The current DFARS cybersecurity requirements were implemented in December 2017 to provide security protection for controlled unclassified information (CUI) as provided by the NIST SP800-171 codification. CMMC will be implemented in 2020, with the goal of improving CUI security by introducing a formal audit program for compliance.
The CMMC framework will associate different security processes and practices to levels (one through five). The higher the level, the more complex and important the security posture is. It’s important to note that ANY organization that does business with the Department of Defense must meet, at the very least, all the provisions of the basic maturity level (Level 1) of the CMMC program. The previous self-assessment process is being replaced by audits from qualified, accredited 3rd-party organizations (C3PAOs). These auditors will determine the appropriate maturity level that the contactor, or subcontractor, has achieved. The CMMC program has put focus on making sure the certification process is both affordable and straightforward.
Breach Detection and Security Assessments
One of the main focus areas for the CMMC program is simplifying breach detection, which is a capability that many defense contractors do not currently have in place. Businesses will be required to integrate the latest breach detection solutions into established processes and applicable governance to detect malicious devices, activities, and other breach indicators. To address these issues, contractors and subcontractors must put in place solutions that assess all-new attack vectors and protocols so they can detect anomalous behavior and breaches on their networks.
It’s important to note that the need for DoD contractors and subcontractors to prove a satisfactory security posture will not go away with the implementation of the CMMC program. A contractors’ CMMC Level will be determined by the number of NIST 800-171 controls and additional processes and practices they have implemented. The more security practices a defense contractor implements, the higher their required CMMC Level certification is likely to be. That being said, the contract itself will dictate the certification level needed to be awarded. That being said, contractors (both primes and subs) will still need to prove that they have implemented adequate security controls to be awarded contracts by the Department of Defense.
The CMMC framework consists of five maturity levels – Level 1 through 5 – whose cybersecurity requirements become more advanced as you ascend up the levels. Level 1 or “basic cybersecurity”, is expected to entail a small subset of NIST 800-171-based data controls and other “best practices”. Levels 2 and 3 provide a closer approximation of what is required by NIST SP 800-171 and DFARS 252.204-7012. The mid-levels will encompass all rev 1 controls under 800-171 as well as other practices outside the CUI protection scope. Level 5 of the CMMC calls for the most advanced cybersecurity practices within and beyond the perimeter of CUI protection. Additional controls may include 24/7 SOC, network segmentation, real-time asset tracking, and initial response actions. Here is a high-level looks at what contractors can expect in order to gain certification in each level:
- FAR Requirements
- Ad hoc incident response
- Awareness and training
- Risk management
- Security continuity
- Compliance with all NIST SP 800-171 requirements
- Share threat information with key stakeholders
- Multi-factor authentication (MFA)
- Network segmentation
- Detonation chambers
- Mobile device inclusion
- Use of DLP technologies
- Supply chain risk consideration
- Threat hunting
- 24/7 SOC operation
- Device authentication
- Cyber maneuver operations
- Organizational custom protections implementation
- Real-time asset tracking
Who does it apply to?
CMMC applies to ALL government contractors, primes and subs, who do business with the Department of Defense. This includes over 300,000 organizations that will need to be certified. Previously, federal contractors were allowed to self-certify as required in the DFARS 252.204-7012 clause, which could include a Plan of Action and Milestones (POAM) for any security gaps that existed. With the inception of CMMC, defense contractors must now achieve CMMC certification via a certified and accredited 3rd-party auditor in order to be awarded a defense contract.
When does it go into effect?
The final version of CMMC (V1.0) was released on January 31, 2020 to help support training requirements. This version includes feedback collected from industry leaders during a listening tour held in the second half of 2019. In addition to the official CMMC levels and requirements released in January, there will also be a program development kick-off to certify the auditors who will ultimately perform the reviews and award the certifications.
In June 2020, CMMC requirements will begin to appear in Department of Defense Requests for Information (RFIs). Also in June, certified and accredited 3rd-party auditors will be available to begin CMMC certification assessments. Starting in September 2020, some DoD contractors will need to be certified at the appropriate CMMC level in order to bid on Requests for Proposal (RFPs).
Why is this new regulation being implemented?
Quite simply: existing cyber security measures have failed the United States. A prime example of this is Chinese J-31 aircraft, which is strikingly similar to the American F-35 Joint Strike Fighter. It’s unlikely that U.S. adversaries have become better innovators. Rather, they are more likely becoming better thieves. The NIST 800-171 security standard relies on organizations to self-assess their security posture and then report their compliance. Obviously, self-assessments cannot be truly trusted, thus a new approach is needed.
In addition, compliance does not mean that you are secure and will never equal that. Compliance requires only achieving a level of implementation and making sure items are in place. To address these shortcomings, as well as protect the sensitive information, CUI and overall national security, the CMMC is a welcome and needed mechanism.
The Department of Defense is migrating to the new CMMC framework so they can assess, regulate and enhance the cybersecurity stance of Defense Contractors. CMMC will serve as a verification tool to ensure appropriate cybersecurity practices are in place. The goal is to confirm that the most basic cyber security controls are enacted to protect controlled unclassified information (CUI) used and maintained by any and all contractors supporting the DoD.
Am I compliant now? If not, how do I achieve compliance?
No defense contractor is compliant with CMMC until they coordinate directly with an accredited and independent third party commercial certification organization to request and schedule their CMMC audit. These auditors will review the contractor’s security processes and practices. Based on the security controls in place and the contractor’s ability to demonstrate organizational and operational maturity, the contractor will be awarded a CMMC certification level from one to five (one being the most basic security controls, five being the most stringent and complex security requirements). CMMC will require companies to have the certification to match the level required on the solicitation prior to be awarded the contract.