The Cybersecurity Maturity Model Certification, or CMMC, is the next stage in the Department of Defense's (DoD) efforts to properly secure the Defense Industrial Base (DIB) and its supply chain. The DoD announced in the middle of 2019 that it was setting out to create a cybersecurity assessment model and certification program. Several versions of CMMC were publicly released since that time: 0.4. 0.6, 0.7, and CMMC 1.0 and 1.02.
In prior years, contracting authorities and prime contractors would request a System Security Plan (SSP) and Plan of Action and Milestones (POA&M) as self attestation for DFARS 252.204-7012 compliance. This request from contracting authorities was post award, and several companies received severe penalties through False Claims Act (FCA) settlements for misrepresenting their cybersecurity efforts. Defense Contract Management Agency (DCMA) has recently increased its efforts to audit companies as well.
CMMC contrasts DFARS 7012 by forcing the requirement before award, or at 'award-time'. Contractors will be evaluated based upon the implementation of actual technical controls in addition to their documentation and policies. These evaluations will lead to a Level certification of 1 to 5, 5 being the most secure. Levels are cumulative, meaning a Level 5 certified organization will need to meet the practices found in Levels 1, 2, 3, 4, and 5.
FAQ: How far down the supply chain are the 3rd party audits required? Is this only for prime contractors or does it filter to lower level suppliers such as subcontracted machine shop work?
According to The Office of the Under Secretary of Defense (OUSD), the CMMC level requirement will flow down to all subcontractors regardless of size or function. It is likely that CMMC requirements will be broken apart by tier - i.e for RFP A1B2C3D44 Prime Contractors are required to be CMMC Level 5 upon proposal and all listed Subcontractors must meet CMMC Level 2. They also state all future RFPs will require a CMMC level regardless of handling Controlled Unclassified Information (CUI).
Access a more detailed explanation and overview of CMMC, as well as history, schedule for rollout, and its background here.
CMMC Level 5 is the highest achievable Level and adds 15 additional practices to Level 4. This Level requires organizations to practice "advanced" cyber hygiene and optimize security processes and methods. As with Level 4, Level 5 is focused on reducing the risk of Advanced Persistent Threats (APT)s and increasing the protection of CUI. CMMC Level 5 compliance will be less common in Requests for Proposal (RFP)s as compared to Level 1 or Level 3, but DIB suppliers focused on critical technologies and more sensitive programs may see this Level requirement in the future. Achieving Level 5 will require a significant investment of time, energy, and resources for any organization.
CMMC Level 5 includes 171 Practices (all Levels in aggregate) and 85 Processes derived from multiple sources such as NIST 800-171, CERT Resilience, CMMC Working Groups, CIS Controls v7.1, and more. See the Practices and Processes below:
Only eight (8) Domains contain Level 5 requirements, and the below list contains a few of the most significant requirements to address:
Upon achieving CMMC Level 4 compliance, or the implementation of the appropriate 156 Technical Practices, you'll need to implement the additional 15 shown in the accordion section above. The following discussion provides a few ways to meet some of the new practices and additional resourcing requirements (software, hardware, personnel, outsourcing).
Summit 7 has begun the conversation for a solution set to help organizations achieve CMMC Level 5 compliance that is developed for Office 365 GCC High, Azure Government, hybrid scenarios. To start the conversation with our team for achieving Level 5, complete the form in the section below. You can also email email@example.com with specific questions about a CMMC Level 5 solution roadmap.
If you still have questions about CMMC Level 5, or anything around understanding the Cybersecurity Maturity Model Certification as a whole please do not hesitate to reach out to us.
Here are some ways you can stay connect to the Summit 7 team and hear the latest and greatest on all things security and compliance: