The Cybersecurity Maturity Model Certification, or CMMC, is the next stage in the Department of Defense's (DoD) efforts to properly secure the Defense Industrial Base (DIB) and its supply chain. The DoD announced in mid-2019 that it was creating a cybersecurity assessment model and certification program. Several versions of CMMC have been publicly released since that time: 0.4, 0.6, 0.7, CMMC 1.0, and CMMC 1.02.
As the image below details, Level 4 requires organizations to practice "Proactive Cyber Hygiene", while having "reviewed" security processes and methods for "reducing risk of Advanced Persistent Threats (APTs) and increasing protection of CUI". For DoD contractors, Level 4 compliance may be less common than Level 3, as it will be contractually required far less often in RFPs and is seen more as a transitional step to Level 5. It also brings an increase in responsibility and, likely, cost.
In prior years, contracting authorities and prime contractors would request a System Security Plan (SSP) and Plan of Action and Milestones (POA&M) as self-attestation of DFARS 252.204-7012 compliance. This request from contracting authorities came post-award, and several companies received severe penalties through False Claims Act (FCA) settlements for misrepresenting their cybersecurity efforts. The Defense Contract Management Agency (DCMA) has also recently increased its efforts to audit companies.
CMMC differs from DFARS 7012 by enforcing the requirement before award, or at 'award-time'. Contractors will be evaluated on the implementation of actual technical controls in addition to their documentation and policies. These evaluations will lead to a Level certification of 1 to 5, with 5 being the most secure. Levels are cumulative, meaning a Level 4 certified organization will need to meet the practices found in Levels 1, 2, 3, and 4.
FAQ: How far down the supply chain are the 3rd party audits required? Is this only for prime contractors or does it filter to lower level suppliers such as subcontracted machine shop work?
According to the Office of the Under Secretary of Defense (OUSD), the CMMC level requirement will flow down to all subcontractors regardless of size or function. It is likely that CMMC requirements will be broken apart by tier, e.g., for RFP A1B2C3D44 prime contractors are required to be CMMC Level 5 upon proposal and all listed subcontractors must meet CMMC Level 2. OUSD also states that all future RFPs will require a CMMC level regardless of whether the contractor handles Controlled Unclassified Information (CUI).
Access a more detailed explanation and overview of CMMC, as well as history and background here.
CMMC Levels 1-3 comprise an aggregated 130 Practices and 51 Processes that lead to Level 3 compliance. Level 4 adds 26 further technical practices derived from multiple sources such as NIST 800-171, CERT Resilience, CIS Controls v7.1, and more. See the Practices and Processes below:
Scott Edwards, President of Summit 7 and national security/compliance speaker, spoke on the importance of the Incident Response (IR) Domain and stated "Incident Response is something that I almost want to call the core of CMMC Level 4".
Once you have reached CMMC Level 3 compliance, i.e. implemented the appropriate 130 Practices, you will need to implement the additional 26 practices listed above.
A few ways to meet the new practices and their additional resourcing requirements (software, hardware, personnel, outsourcing) are:
For more information on recommendations for remedying these technical practices, watch this clip from the CMMC Level 4 webinar from the Summit 7 Team.
SIEM solutions to meet Incident Response requirements:
Summit 7 Preferred: Microsoft Azure Government Sentinel
Solutions for meeting Incident Response requirements specific to a SOC:
Summit 7 Preferred: Microsoft Azure Sentinel for alerting and Microsoft Cloud Access Security (MCAS) broker for the CASB
Risk Management port scanning solutions:
Summit 7 Preferred: Qualys Vulnerability Management System
Threat indicator and threat hunting subscriptions to meet System and Information Integrity requirements:
Summit 7 Preferred: Microsoft Azure Sentinel, which supports threat indicator input from the MISP Project
Summit 7 has architected a solution set, built on Office 365 GCC High and Azure Government, to help organizations achieve CMMC Level 4 compliance. To discuss it with our team and develop your roadmap for Level 4, complete the form below.
If you still have questions about CMMC Level 4, or about understanding the Cybersecurity Maturity Model Certification as a whole, please do not hesitate to reach out to us.
Here are some ways you can stay connected to the Summit 7 team and hear the latest on all things security and compliance: