The Five Levels of CMMC: An introduction to the Cybersecurity Maturity Model Certification framework

According to the DoD, the loss of Controlled Unclassified Information (CUI) from the Defense Industrial Base (DIB) has increased the risk to both the economy and national security. To reduce this risk, the Department has committed to working with the DIB sector to enhance the protection of CUI on its unclassified networks. The Cybersecurity Maturity Model Certification (CMMC) framework is the result of these actions.
 
The Department of Defense released v1.0 of the Cybersecurity Maturity Model Certification (CMMC) framework in January 2020. The goal of the document is to ensure that appropriate cybersecurity practices and processes are in place to protect federal contract information (FCI) and controlled unclassified information (CUI). Audits are a key part of the new CMMC standard and represent a significant change from previous cybersecurity standards established by the DoD.
 
This blog will provide an overview of what CMMC is, its practices and levels, and how to get started with your compliance journey.

Understanding CMMC domains, capabilities, practices and processes

Prior to CMMC, contractors were responsible for implementing and monitoring their own cybersecurity best practices. These contractors were infrequently audited and were often able to self-attest to their level of security. With the advent of CMMC, however, the paradigm has changed: every contractor serving the DoD will be audited. The DoD has moved from relying on self-attestation to a model of "trust but verify".
 
CMMC maps cybersecurity best practices and processes to five maturity levels. Process levels range from simply performed at Level 1 to optimized at Level 5. In parallel, practices range from basic cyber hygiene at Level 1 to advanced and progressive cyber hygiene at Level 5.

 
CMMC incorporates pre-existing standards and regulations such as NIST SP 800-171, 48 CFR 52.204-21, DFARS clause 252.204-7012, and others, into one unified set of cybersecurity best practices.
 

It categorizes these best practices into 17 broad domains, such as “Access Control” and “Systems and Communications Protection.” Forty-three distinct capabilities, such as “control remote system access” and “control communications at system boundaries,” are distributed across the 17 domains. Not all companies need to demonstrate all 43 capabilities; they apply depending on the CMMC maturity level sought.
 
The table below itemizes the 43 capabilities associated with the 17 domains of the CMMC Model.

CMMC Capabilities


 
Companies will demonstrate compliance with the required capabilities by showing adherence to a range of practices and processes. Practices are the technical activities required within any given capability requirement; 171 practices are mapped across the five CMMC maturity levels. Processes serve to measure the maturity of organizations’ institutionalization of cybersecurity procedures; nine processes are mapped across the five CMMC maturity levels.
 
The distribution of practices across the domains is shown in the figure below; the domains are listed on the left and the number of practices on the right. Six domains (Access Control, Audit and Accountability, Incident Response, Risk Management, System and Communications Protection, and System and Information Integrity) account for the majority of all practices: 105 out of 171.

Figure: number of practices for each domain and at each level

Who needs to comply with CMMC?

Going forward, any defense company that does business with the DoD, except those supplying only commercial off-the-shelf (COTS) products, will need to be certified at one of the five CMMC levels. This requirement applies not only to prime contractors but also to their subcontractors and every supplier across the supply chain the prime works with.
 
The DoD contract will specify which level of certification an individual contractor needs to meet. The level can differ within a single program: the prime may be required to meet CMMC Level 3 while some of its subcontractors may only have to meet Level 1.
 
Currently, the CMMC Accreditation Body (CMMC-AB) is working with the DoD to ensure that an independent, third-party assessment is available for contractors at each of the CMMC levels.

CMMC vs NIST 800-171: The essential differences

CMMC Level 3 is built on the foundation of the 110 security requirements in NIST SP 800-171. Until a CMMC Level 3 requirement is rolled out in a specific contract, organizations are expected to meet the requirements spelled out in NIST SP 800-171.
 
The DFARS Interim Rule, issued in late 2020, specifically requires companies to self-assess their current cybersecurity posture against NIST SP 800-171 and report their SPRS score to the DoD. Contractors will either indicate that they meet all 110 security requirements or must have a Plan of Action and Milestones (POAM) describing how and when they will do so.
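The self-assessment score reported to SPRS is produced by the NIST SP 800-171 DoD Assessment Methodology: each unimplemented requirement deducts a fixed number of points from a maximum of 110, so the score can go well below zero. The following is an added example written for this post (not PreVeil's tooling and not part of the original article) that tallies a gap assessment into a score and the POAM entries that go with it. The per-requirement weights in the sample and the 3-point partial-credit rule for 3.5.3 and 3.13.11 are assumptions from the published methodology; verify them against the version you are assessed under before reporting a score.

```python
from dataclasses import dataclass

MAX_SCORE = 110  # 110 requirements; a fully implemented SSP scores 110

# Requirements assumed to deduct only 3 points when partially implemented
# (MFA present for remote/privileged but not general users; encryption in
# place but not FIPS-validated). Assumption taken from the DoD methodology.
PARTIAL_CREDIT = {"3.5.3", "3.13.11"}


@dataclass
class Requirement:
    rid: str              # NIST SP 800-171 requirement number, e.g. "3.1.1"
    weight: int           # points deducted if not implemented (5, 3 or 1)
    implemented: bool
    partial: bool = False  # only meaningful for rids in PARTIAL_CREDIT
    poam_due: str = ""     # planned completion date for the POAM entry


def deduction(req):
    """Points deducted for one requirement under the assumed scoring rules."""
    if req.implemented:
        return 0
    if req.partial and req.rid in PARTIAL_CREDIT:
        return 3
    return req.weight


def assess(reqs, has_ssp=True):
    """Return (score, poam) for a self-assessment.

    The methodology produces no score without a System Security Plan
    (requirement 3.12.4), so refuse to score rather than silently report 110.
    """
    if not has_ssp:
        raise ValueError("no SSP: assessment cannot be scored")
    score = MAX_SCORE - sum(deduction(r) for r in reqs)
    poam = [
        {"requirement": r.rid, "points": deduction(r), "due": r.poam_due}
        for r in reqs
        if not r.implemented
    ]
    return score, poam


# Constructed sample of six requirements (a real assessment covers all 110).
# Weights are illustrative; check each against the current methodology.
SAMPLE = [
    Requirement("3.1.1", 5, True),
    Requirement("3.1.2", 5, True),
    Requirement("3.1.3", 1, False, poam_due="2021-06-30"),
    Requirement("3.3.1", 5, False, poam_due="2021-04-15"),
    # MFA deployed for remote and privileged access only
    Requirement("3.5.3", 5, False, partial=True, poam_due="2021-05-01"),
    # TLS in use but the crypto module is not FIPS-validated
    Requirement("3.13.11", 5, False, partial=True, poam_due="2021-09-01"),
]

if __name__ == "__main__":
    score, poam = assess(SAMPLE)
    print(f"SPRS score: {score}")
    for item in poam:
        print(f"  POAM {item['requirement']}: -{item['points']} pts, due {item['due']}")
```

Run it as-is and the sample scores 98 with four POAM entries; flip `partial` to `False` on 3.5.3 and 3.13.11 and the same gaps cost four more points, which is the kind of difference an assessor will ask you to justify.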
 

Definition: POAM
POAM stands for Plan of Action and Milestones. A POAM is a plan that lists the specific measures a DIB company will take to correct deficiencies found during a security control assessment. The POAM should identify which tasks must be done, who owns them, when they are due, and the resources required to complete them.

 
One of the most significant changes from NIST SP 800-171 to CMMC is the shift from self-assessment to external assessment of cybersecurity compliance, conducted by CMMC Third Party Assessment Organizations (C3PAOs). Further, whereas in the past noncompliance with DoD cybersecurity regulations was acceptable as long as companies prepared POAMs, that will no longer be the case under CMMC.
 
CMMC also expands upon NIST SP 800-171: Level 3 comprises that standard's 110 security requirements plus 20 additional practices, for a total of 130. All of them must be met in order to be CMMC certified. The additional practices are designed to support good cyber hygiene.
 
Until CMMC is fully rolled out per the timeline provided by the DoD, CMMC and NIST SP 800-171 mandates will coexist. That is, over the next several years the number of defense contracts subject to CMMC requirements will ramp up and those subject to NIST SP 800-171 will decline to zero.

What CMMC level does my company need to achieve?

The CMMC maturity level an organization must achieve to do work for the DoD depends upon the sensitivity of the DoD information it will handle. The following summary of the process and practice standards for each of CMMC's five levels will help you identify the appropriate CMMC level for your business.

CMMC Level 1

Processes: Performed
 
Level 1 requires that an organization performs the specified practices. Because the organization may be able to perform these practices only in an ad-hoc manner and may or may not rely on documentation, process maturity is not assessed for Level 1.
 
Practices: Basic Cyber Hygiene
 
Level 1 focuses on the protection of FCI and consists only of practices that correspond to the basic safeguarding requirements specified in 48 CFR 52.204-21.

CMMC Level 2

Processes: Documented
 
Level 2 requires that an organization establish and document practices and policies to guide the implementation of their CMMC efforts. The documentation of practices enables individuals to perform them in a repeatable manner. Organizations develop mature capabilities by documenting their processes and practicing them as documented.
 
Practices: Intermediate Cyber Hygiene
 
Level 2 serves as a progression from Level 1 to Level 3 and consists of a subset of the security requirements specified in NIST SP 800-171 as well as practices from other standards and references. Because this level is a transitional stage, a subset of the practices reference the protection of CUI.

CMMC Level 3

 
Processes: Managed
 
Level 3 requires that an organization establish, maintain and resource a plan demonstrating the management of activities for practice implementation. The plan may include information on missions, goals, project plans, resourcing, required training, and involvement of relevant stakeholders.
 
Practices: Good Cyber Hygiene
 
Level 3 focuses on the protection of CUI and encompasses all of the security requirements specified in NIST SP 800-171 as well as 20 additional practices to mitigate threats. Any contractor with DFARS clause 252.204-7012 in its contract will need to meet at least the Level 3 requirements. Note that clause 252.204-7012 also specifies requirements beyond the NIST SP 800-171 security requirements, such as cyber incident reporting.

CMMC Level 4

 
Processes: Reviewed
 
Level 4 requires that an organization review and measure practices for effectiveness. In addition, organizations at this level are able to take corrective action when necessary and inform higher level management of status or issues on a recurring basis.
 
Practices: Proactive
 
Level 4 focuses on the protection of CUI from APTs and encompasses a subset of the enhanced security requirements from Draft NIST SP 800-171B as well as other cybersecurity best practices. These practices enhance the detection and response capabilities of an organization to address and adapt to the changing tactics, techniques and procedures (TTPs) used by APTs. 

CMMC Level 5

 
Processes: Optimizing
 
Level 5 requires an organization to standardize and optimize process implementation across the organization.
 
Practices: Advanced/Proactive
 
Level 5 focuses on the protection of CUI from APTs. The additional practices increase the depth and sophistication of cybersecurity capabilities.

How to enable CMMC Compliance

Organizations handling only FCI will need to achieve Level 1 certification. For those handling CUI, the process is more involved: they will need to achieve at least CMMC Level 3. Meeting CMMC Level 3 requires a comprehensive approach to cybersecurity that can be broken down into three steps.
 
Step 1: Contractors will need to adopt a secure platform for exchanging CUI.
CUI is most frequently contained in company emails and files. Ensuring the protection of this information is required by CMMC.
 
PreVeil Drive and Email, for example, deliver end-to-end encryption, ease of deployment and use, and compliance related to the encryption and protection of CUI, FCI and ITAR data.
 
Step 2: Contractors will need a robust System Security Plan (SSP).
A detailed SSP is required to describe how a contractor meets the policies and procedures required by Level 3. Auditors will look to the SSP for detailed explanations of how each control is met. General summaries of how controls are met will be insufficient and will not enable a contractor to pass an audit.
 
PreVeil has developed a robust SSP in collaboration with a CMMC-AB certified expert. It includes detailed policies and procedures to expedite an organization's compliance journey.
 
Step 3: Contractors will need a CMMC consulting partner.
 
Even with a platform for exchanging CUI and a robust SSP, contractors will often need a CMMC consulting partner to guide them through the compliance process. Achieving CMMC Level 3 compliance is too large an undertaking for most companies to handle alone. A consultant or IT expert will be able to recommend best practices and technologies that facilitate compliance and minimize costs.
 
PreVeil can connect you to its network of 100+ experienced Provisional Assessors, RPOs, MSPs and MSSPs to help you with your compliance.

What CMMC means for DoD contractors

  1. Once the DFARS Interim Rule phases out and CMMC becomes fully implemented, POAMs will no longer be allowed. Contractors seeking Level 3 will have to meet all 130 controls at the time of assessment.
  2. DoD Prime contractors must flow down the appropriate CMMC level requirement to their sub-contractors, which will vary depending on the nature of the subcontractors’ work. For example, a prime contractor with CMMC Level 5 certification could have a subcontractor with which it shares just FCI; the DoD would require that subcontractor to achieve Level 1 certification.
  3. Organizations must meet requirements for the level they seek in both the practice and the process realms. For example, a contractor that achieves Level 3 on practice implementation and Level 2 on process institutionalization will be certified at the lower CMMC Level 2.
  4. Contractors should get started on preparing their organization now and not wait until they see an actual contract with a CMMC requirement. Preparation takes time and failure to prepare now could mean loss of revenue later.

CMMC Timeline – When will it be required

The CMMC program is currently under review by the DoD. However, the DoD is aiming to add CMMC Level Requirements to DoD contract Requests for Information (RFIs) in 2021 – see table below. CMMC Level requirements will start with an estimated 15 procurements for critical DoD programs and technologies, such as those associated with nuclear and missile defense. At that point, for those contracts, CMMC certification will be used as the basis for “go/no go” decisions.


 
It is expected that approximately 1,500 primes and subcontractors will be affected in the first round of implementation and, likewise, will need to be CMMC certified by Fall 2021. The roll-out will continue over a five-year period, with the expectation that all new DoD contracts will include CMMC requirements by Fall 2026.

CMMC Compliance: A checklist

While no two paths to compliance are the same, there are a number of best practices that consultants and MSPs recommend. The following four steps were developed in conjunction with Simple Helix and MAD Security:

Baselining: Determine your current state of CMMC readiness

  • Develop a focused plan with a consultant to determine your current state of readiness and what is required for achieving your desired level of compliance
  • Determine if you manage CUI and how you will protect it
  • Create a gap assessment between where your company currently is and where you need to be
  • Create POAMs for the controls you don’t currently meet.

Implementation

  • Execute against the POAM and implement the actions you identified.
  • Close the gaps
  • Implement new procedures, training and tools to remediate the gaps.

Enact

  • Implement monitoring of necessary systems
  • Begin training your employees on the new security requirements.
  • Resolve outstanding issues. Take time to work through the SSP and adjust accordingly

Assessment

  • Undergo an audit by a C3PAO
  • Be prepared to present proof of controls met
  • Be prepared for continuous improvement

How to get started with CMMC Compliance

Defense contractors looking to start their CMMC compliance journey should get started by working towards meeting the 110 controls in NIST 800-171. Preparation to meet these controls should not be delayed as preparation can take up to 18 months.
 
PreVeil is also able to help contractors looking to get started on their CMMC compliance journey. PreVeil's Email and File Sharing platform helps contractors meet all of the CMMC requirements for the communication and exchange of CUI. Furthermore, PreVeil can provide contractors with a vetted System Security Plan (SSP) for meeting the 130 controls of CMMC Level 3. And finally, PreVeil can help contractors find a consultant, MSP or MSSP to guide them through the audit process.
 
Contact our sales team to start a conversation.

FAQs

If a DoD contractor handles CUI, does every employee in the company need to be part of the security boundary?

The documentation for the CMMC model v1.02 states that: “when implementing CMMC, a DIB contractor can achieve a specific CMMC level for its entire enterprise network or for particular segment(s) or enclave(s), depending upon where the information to be protected is handled and stored.”
 
So, the "enclave model" for protecting CUI is supported by CMMC policy, and the security boundary can be limited to the systems and employees that handle CUI.

What is my responsibility for protecting CUI I receive from my contractors as well as CUI I need to share with my own suppliers?

If you receive CUI from your prime, it should already be marked as such. You will need to handle the CUI according to the policies and procedures laid out in your System Security Plan (SSP).
 
If you share CUI with your own suppliers, you’ll want to make sure they have a compliant environment for storing and handling CUI. You also want to make sure you share CUI with the proper encryption according to the procedures stated in your SSP.

What do I need to do if someone emails us CUI outside our secure network?

The company should have a policy in its SSP for handling CUI that arrives outside the compliant network intended for CUI. The policy should include instructions for promptly moving the CUI into the compliant network and sanitizing it from the non-compliant system (for example, deleting the message from the mailbox and any backups or caches where it landed).
 
There is some confusion about whether this event must be reported as a cyber incident to DIBNet under DFARS clause 252.204-7012. DoD policy defines a cyber incident in terms of a "compromise or an actual or potentially adverse effect on an information system and/or the information residing therein." Assuming the CUI is promptly moved off the non-compliant network and sanitized, it would likely not be considered an incident.