Written by Tom Cupples, Lead / Senior Assessor, Prescient Security Ed.D, CAICO CCA/CCP/PI, CISSP, CGRC, PMP
Are you one of many who were skeptical of the Cybersecurity Maturity Model Certification (CMMC) becoming a legal requirement for being awarded a contract by the US Department of Defense? Well… It is real. On Friday, October 11, 2024, it happened. The Final Rule for CMMC was released. You can read the full text here.
The Cybersecurity Maturity Model Certification (CMMC) has existed for many years and has evolved over that time, gaining credibility and reliability in its process.
The current version of the CMMC is 2.0, released in November 2021. In the latest version of the model, the original five-level model hierarchy was collapsed into three distinct levels: Foundational, Advanced, and Expert. The update was intended to simplify the process of becoming certified and promote understanding of the appropriate level of certification required by each organization.
Suppose your organization is currently in a contract or plans to bid on a contract with either the DoD or a contractor of the DoD (subcontractor). In that case, your organization needs to be assessed and gain CMMC certification at the contract level the organization intends to service. This is a crucial step that cannot be overlooked. As the infographic below shows, those only handling FCI can self-attest to their readiness. Those handling CUI must either seek a contract designated CMMC Level 2 (Self) and self-attest annually, or obtain a contract with a designation of CMMC Level 2 (C3PAO), pass a third-party assessment by a CMMC Third-Party Assessment Organization (C3PAO), and repeat it every three years with self-attestation annually.
Under the Final Rule, contracts can have one of four designations of CMMC Level requirements.
CMMC will be phased in over three years beginning Monday, December 16th, 2024.
Phase 1 (Year 1) will commence on the effective date of 48 CFR part 204 CMMC Acquisition Rule. In this first year, the DoD will issue contracts with CMMC Level 1 (Self) and CMMC Level 2 (Self) designations, and at its discretion, as a condition to exercise an option period for contracts awarded before the effective date. At its discretion, the DoD may substitute CMMC Level 2 (C3PAO) for CMMC Level 2 (Self).
Phase 2 (Year 2) will commence 1 year after the effective date. In this second year, the DoD intends to require CMMC Level 2 (C3PAO) as a condition for contract award. At its discretion, the DoD may delay the inclusion of the requirement for CMMC Level 2 (C3PAO) to an option period instead of a condition for contract award. At its discretion, the DoD may also require CMMC Level 3 (DIBCAC) as a condition for contract award.
Phase 3 (Year 3) will commence two years after the effective date. In this third year, the DoD intends to require CMMC Level 2 (C3PAO) on all contracts as a condition for contract award and for exercising an option period on a contract awarded after the effective date. The DoD also intends to include CMMC Level 3 (DIBCAC) as a condition for contract award. At its discretion, the DoD may delay the inclusion of Level 3 (DIBCAC) to an option period instead of a condition of contract award.
Phase 4 (Full Implementation) will commence three years after the effective date. From this point forward, the DoD intends to require all CMMC Levels as a condition of contract award and to exercise an option period for contracts awarded after the beginning of Phase 4.
Your boundary must be scoped per the DoD Level 1 scoping guidance found here: CMMC Assessment Scoping Guide (Level 1) or the Level 2 scoping guidance found here: CMMC Assessment Scoping Guide (Level 2), depending on the level needed for the contract.
Understanding the scoping process and properly scoping your Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) boundary is crucial. The boundary should only include the people, technology, and facilities necessary to process, store, and/or transmit these protected datasets. Narrowing the scope has many benefits, including reducing the cost of securing the boundary, the cost of the assessment, and the cost of operation and maintenance.
The type of data your organization processes, stores, and/or transmits determines which resources are allowed access to the FCI/CUI data and specifies any handling and labeling.
CMMC is concerned with two types of data: Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). The following definitions demonstrate important distinctions between each.
CUI can be categorized by referencing the two publicly available CUI registries: the National Archives and Records Administration (NARA) CUI Registry and the DoD CUI Registry. Categorizing CUI must be tied to the scoping process. Once you determine what type of CUI you are processing, storing, and/or transmitting, you can verify your scope. There are many caveats to categorization; therefore, familiarity with the CUI Registries is essential.
Per the DoD and the Cyber AB (formerly the CMMC Accreditation Body), any third-party services used to provide security services within an organization's CMMC boundary should be FedRAMP Moderate Equivalent or above, or be able to demonstrate compliance with CMMC 2.0.
It is important to ensure that the third-party services you are implementing can provide minimum compliance. Otherwise, becoming certified at Level 2 will be hindered, possibly causing more expense than necessary. A good start in selecting the correct third-party service provider is to reference FedRAMP.gov.
Before selecting third-party services, organizations should decide whether an on-premises deployment versus a cloud deployment may be more appropriate. In some cases, managing services within the system boundary on-premises can be more difficult and less secure than using cloud services. A deep understanding of the implications of compliance should inform the decision to choose a third-party service provider.
A gap assessment must be conducted prior to engaging a C3PAO for an official CMMC Level 2 assessment. The 110 controls of NIST Special Publication 800-171 Revision 2 are the guiding standard for CMMC. However, it is best to understand the manner in which a CMMC Level 2 assessment is conducted by referencing the CMMC Level 2 Assessment Guide.
If you are unsure of the process and/or whether you will meet the CMMC Level 2 Assessment standards, you would be well advised to engage an outside firm qualified to perform CMMC gap assessments. This could be done either by sending your employees to the same training mandated by the CyberAB for assessors before taking their respective exams, or by engaging a third-party vendor to act as an advisor for the assessment. While the CyberAB dictates that only C3PAOs and the assessors employed by them are approved and accredited by the CyberAB, a gap assessment can be accomplished using any qualified CMMC compliance vendor. However, engaging with a CyberAB Registered Practitioner Organization (RPO) is best.
Your final step and goal is to receive a recommendation for compliance so that the DoD recognizes your organization as meeting the appropriate standard for your target contract. Only a CyberAB-authorized C3PAO can make that recommendation. There are a finite number of C3PAOs and a finite number of CMMC Certified Assessors (CCAs) and CMMC Certified Professionals (CCPs) to perform these assessments. The longer you wait to engage with a C3PAO, the longer you will wait to receive an assessment.
Prescient Security, LLC is a CyberAB CMMC Registered Practitioner Organization (RPO), Authorized Training Provider (ATP), Candidate CMMC Third-Party Assessment Organization (C3PAO), and FedRAMP-recognized Third-Party Assessment Organization (3PAO).