US DoD Launches Comprehensive CMMC 2.0 Cybersecurity Framework

Author: Uday Ali Pabrai, CISSP, CMMC PA, CMMC PI, CMMC RP, HITRUST CCSFP, Security+
Date Published: 25 January 2022

Cybersecurity is only as good as an organization's weakest link. Increasingly, the weakest link is the cyber supply chain. Third-party vendors and business associates such as cloud service providers (CSPs) or technology firms have long struggled to establish a credible cyberdefense to protect sensitive and confidential information they process for their clients.

To aid with this and to ensure cyberresilience in its supply chain, the US Department of Defense (DoD) introduced the Cybersecurity Maturity Model Certification (CMMC) framework in 2020. The latest version of this standard is CMMC 2.0.¹

The CMMC framework is relevant not only to the DoD but also to other federal and state government agencies and to the organizations that provide services to them. Further, because the CMMC is built on the US National Institute of Standards and Technology (NIST) family of standards, it applies to any organization that has leveraged NIST standards for its cybersecurity program. The CMMC establishes cybersecurity certification requirements, so achieving CMMC certification brings credibility to any organization's cybersecurity program. Senior executives will benefit from studying the CMMC standard and considering raising the bar of their NIST-based program by achieving CMMC certification.

The latest version of the CMMC framework, CMMC 2.0, is a comprehensive framework that includes cyberprotection standards that aim to protect the Defense Industrial Base (DIB) from being damaged by advanced persistent threats (APTs). The CMMC 2.0 framework includes several updates to the CMMC 1.0 model that address the following topics:

  • Safeguarding sensitive information such as US Federal Contract Information (FCI) and Controlled Unclassified Information (CUI)
  • Enhancing accountability while minimizing barriers to comply with DoD requirements
  • Dynamically enhancing DIB cybersecurity to meet evolving threats

By incorporating CMMC 2.0 standards into acquisition programs, the DoD ensures that contractors and subcontractors will meet its cybersecurity requirements.

The DIB is the target of increasingly frequent and complex cyberattacks by adversaries and non-state actors. Made up of hundreds of thousands of small, medium and large organizations, the DIB extends across the United States and around the world. It is a top priority of the DoD to dynamically enhance DIB cybersecurity requirements to protect against these evolving threats and safeguard the information that supports and enables US military services and operations, such as the exchange of sensitive information. The CMMC is a key component of the DoD's expansive DIB cybersecurity effort.

"CMMC 2.0 will dramatically strengthen the cybersecurity of the Defense Industrial Base," said Jesse Salazar, US Deputy Assistant Secretary of Defense for Industrial Policy. "By establishing a more collaborative relationship with industry, these updates will support businesses in adopting the practices they need to thwart cyberthreats while minimizing barriers to compliance with DoD requirements."

The changes reflected in CMMC 2.0 will be implemented through the CMMC rulemaking process.² Enterprises will be required to comply once the forthcoming rules go into effect. The DoD intends to pursue rulemaking in both Part 32 of the US Code of Federal Regulations (CFR) and the US Defense Federal Acquisition Regulation Supplement (DFARS) in Part 48 of the CFR.³

The DoD is exploring opportunities to provide incentives for contractors who voluntarily obtain a CMMC certification in the interim period.

FCI and CUI Are a CMMC Priority

FCI is defined as information not intended for public release; that is, information that is provided by or generated for the government under a contract to develop or deliver a product or service to the government, but not provided by the government to the public (such as that which exists on public websites).⁴ Simple transactional information such as that necessary to process payments is also defined as FCI.

The CMMC model is designed to protect FCI and CUI that are shared with contractors and subcontractors of the DoD to support contract acquisition and performance.

CUI is information the government creates or possesses, or that an entity creates or possesses for or on behalf of the government, that a law, regulation or governmentwide policy requires or permits an agency to handle using safeguarding or dissemination controls.⁵

The DoD's intent under CMMC 2.0 is that if a DIB enterprise does not process, store or transmit CUI on its unclassified network, but does process, store or handle FCI, then it must perform a CMMC Level 1 self-assessment and submit the results with an annual affirmation by a senior enterprise official.

CMMC only applies to DIB contractors' unclassified networks that process, store or transmit FCI or CUI.

The Structure of CMMC 2.0

CMMC 2.0 is aligned with US National Institute of Standards and Technology (NIST) standards, specifically NIST Special Publication (SP) 800-171 Rev 2, Protecting CUI in Nonfederal Systems and Organizations, and NIST SP 800-172, Enhanced Security Requirements for Protecting CUI. The DoD's requirements will continue to evolve as changes are made to the underlying NIST SP 800-171 and NIST SP 800-172 requirements.

The CMMC 2.0 standard is organized into 3 specific levels:

  1. Level 1 Foundational—Represents the entry level for the CMMC 2.0 framework and includes 17 practices.
  2. Level 2 Advanced—Includes 110 practices aligned with SP 800-171 Rev 2. Level 2 may include:
    • CUI (non-prioritized acquisitions)
    • CUI (prioritized acquisitions)
  3. Level 3 Expert—Includes more than 110 practices based on SP 800-172 and is the highest level.

Level 1 applies to organizations that process FCI but not CUI. Level 2 organizations process both FCI and CUI and require the implementation of additional cybersecurity capabilities. In addition, Level 2 organizations must meet all security requirements specified in SP 800-171 Rev 2.

CMMC 2.0 Assessment and Certification

DIB organizations are fully responsible for obtaining the necessary CMMC certification, including coordinating and planning their participation in the CMMC assessment.

Organizations at Level 1 and a subset of organizations at Level 2 can demonstrate compliance with CMMC 2.0 requirements through self-assessments. Self-assessments associated with Level 1 and a subset of Level 2 programs (e.g., CUI, non-prioritized acquisitions) will be required on an annual basis.

Third-party and government-led assessments, associated with some Level 2 (e.g., CUI, prioritized acquisitions) and all Level 3 programs, will be required on a triennial basis. The assessment requirements will be applicable to the impacted organizations and their associated contractors.

Once CMMC 2.0 is fully implemented, the DoD will only accept CMMC assessments that are provided by an authorized and accredited CMMC Third-Party Assessor Organization (C3PAO) and conducted by certified CMMC Assessors.

Under certain circumstances, the DoD allows enterprises to make Plans of Action and Milestones (POA&Ms) to earn their CMMC certifications.

After completion of the CMMC assessment, the C3PAO will provide an assessment report to the DoD. As part of the CMMC 2.0 implementation, the DoD will approve all CMMC Accreditation Body (AB) conflict-of-interest-related policies that apply to the CMMC ecosystem.

Conclusion

CMMC 2.0 is organized into 3 levels. Level 2 (advanced) will be equivalent to SP 800-171. Level 3 (expert) will be based on a subset of SP 800-172 requirements.

Cybersecurity professionals and senior executives across industries should take note of the CMMC 2.0 framework. This is the cybersecurity standard for this decade and beyond. Organizations across industries can leverage CMMC 2.0 requirements to improve their cyberdefense posture and establish a more credible, evidence-based security program.

The future demands active cyberdefense. The threats faced by enterprises will require leaders to rethink and reimagine cybersecurity. Forward-thinking organizations should target CMMC 2.0 certification at the appropriate level based on the risk to their businesses and associated assets.

Endnotes

1 Acquisition and Sustainment, Office of the Under Secretary of Defense, "Securing the Defense Industrial Base: CMMC 2.0," US Department of Defense, USA, 2021
2 Acquisition and Sustainment, Office of the Under Secretary of Defense, "CMMC FAQs," US Department of Defense, USA, 2021
3 Acquisition and Sustainment, Office of the Under Secretary of Defense, "About CMMC," US Department of Defense, USA, 2021
4 Carnegie Mellon University, Pittsburgh, Pennsylvania, USA, and The Johns Hopkins University Applied Physics Laboratory LLC, Baltimore, Maryland, USA, "CMMC Glossary and Acronyms Version 2.0," December 2021
5 Ibid.

Editor’s Note

Hear more about what the author has to say on this topic by listening to the “CMMC and CUI: Rocket Fuel” episode of the ISACA® Podcast.

Uday Ali Pabrai, CISSP, CMMC PA, CMMC PI, CMMC RP, HITRUST CCSFP, MSEE, Security+

Is the chief executive of ecfirst, a CMMC Third-Party Assessor Organization (C3PAO) candidate and a CMMC Licensed Partner Publisher (LPP), Licensed Training Provider (LTP) and Registered Provider Organization (RPO). Pabrai has successfully delivered thousands of cyberdefense solutions globally. His career was launched with the Fermi National Accelerator Laboratory, the US Department of Energy's nuclear research facility. He has served as vice chairman and in several senior officer positions with NASDAQ-based firms and has been a keynote and featured speaker at cybersecurity conferences worldwide. Pabrai is also a member of InfraGard, a partnership between the US Federal Bureau of Investigation (FBI) and members of the private sector. He can be reached at Pabrai@ecfirst.com.