The Department of Defense (DoD) announced in the middle of 2019 that it was creating a cybersecurity assessment model and certification program. Since that time, several draft versions of Cybersecurity Maturity Model Certification (CMMC) were publicly released: 0.4, 0.6, 0.7, and CMMC 1.0 (1.02). CMMC is the next stage in the DoD's efforts to properly secure its supply chain, most often referred to as the Defense Industrial Base (DIB) by CMMC officials.
As the image below represents, meeting Level 3 requires organizations to practice "Good Cyber Hygiene" while actively "managing" security processes. CMMC officials, including Katie Arrington of the Office of the Under Secretary of Defense (OUSD), have publicly stated that the majority of defense contractors will need to certify at Level 1 at the outset. Nevertheless, most prime contractors and many of their subs in the DIB will need to meet Level 3, as it most closely aligns with the preexisting requirements of DFARS 7012. This is especially true for organizations that more regularly handle Controlled Unclassified Information (CUI) or interact with more sensitive data sets.
In prior years, contracting authorities and prime contractors would request a System Security Plan (SSP) and Plan of Action and Milestones (POA&M) as self-attestation of DFARS 252.204-7012 compliance. This request from contracting authorities came post-award, and several companies received severe penalties through False Claims Act (FCA) settlements for misrepresenting their cybersecurity efforts. The Defense Contract Management Agency (DCMA) has recently increased its efforts to audit companies as well.
CMMC contrasts with DFARS 7012 by enforcing the requirement before award, or at "award time". Contractors will be evaluated based upon the implementation of actual technical controls in addition to their documentation and policies. These evaluations will lead to a level certification of 1 to 5, with 5 being the most secure. Levels are cumulative, meaning a Level 3 certified organization will need to meet the practices found in Levels 1, 2, and 3.
FAQ: How far down the supply chain are the third-party audits required? Is this only for prime contractors, or does it filter down to lower-level suppliers such as subcontracted machine shop work?
According to OUSD, the CMMC level requirement will flow down to all subcontractors regardless of size or function. It is likely that CMMC requirements will be broken apart by tier; i.e., for RFP A1B2C3D44, prime contractors are required to be CMMC Level 4 upon proposal and all listed subcontractors must meet CMMC Level 2. They also state that all future RFPs will require a CMMC level regardless of whether the contractor handles Controlled Unclassified Information (CUI).
Access a more detailed explanation and overview of CMMC, as well as history and background here.
To pass a Level 3 audit, companies will be assessed on their ability to meet and demonstrate all practices (130 broken down below) to address Levels 1, 2, and 3. This will include technical architecture and solutions, along with written policies.
CMMC and DFARS 7012 collectively consist of three basic requirements:
As Scott Edwards, President of Summit 7, stated in a previous presentation on CMMC Level 3: "If you're NOT NIST 800-171 compliant, go back and do that. You can't tackle CMMC if you are not NIST compliant; it's also just practicing basic cyber hygiene."
Beyond NIST 800-171 compliance, there are an additional 10 technical and 10 procedural practices to implement to achieve CMMC Level 3 compliance.
A few examples:
To start with a proper understanding of Level 3, watch this 20-minute excerpt from the most-watched CMMC Level 3 discussion on YouTube.
SIEM solutions to meet incident response requirements:
Summit 7 Preferred: Microsoft Azure Government Sentinel
Resilient data backup and restoration solutions meeting FedRAMP Moderate standards and able to back up Office 365 GCC High:
Summit 7 Preferred: AvePoint and Azure Backup
Summit 7 Preferred: OpenDNS
Spam and email protections:
Summit 7 Preferred: Office 365 GCC High Exchange Online Protection and ATP
Summit 7 has architected a complete solution set to help organizations achieve CMMC Level 3 compliance. The set is developed within Office 365 GCC High and Azure Government as part of the initiative to protect the warfighter and keep the Defense Industrial Base secured. You can learn more about it here.
If you still have questions about CMMC Level 3, or anything around understanding the Cybersecurity Maturity Model Certification as a whole, please do not hesitate to reach out to us.
Here are some ways you can stay connected to the Summit 7 team and hear the latest and greatest on all things security and compliance: