Cybersecurity Maturity Model Certification (CMMC) Readiness
How Ready Are You for CMMC?
On January 31, 2020, the Department of Defense (DoD) released the Cybersecurity Maturity Model Certification (CMMC). The new framework is intended to ensure that DoD contractors and suppliers have appropriate cybersecurity controls in place to protect data such as Controlled Unclassified Information (CUI) and Federal Contract Information (FCI). The DoD is rolling out the new framework “to assess and enhance the cybersecurity posture of the Defense Industrial Base (DIB).”
In other words, organizations will soon need to be certified under CMMC to continue working on, or bidding on, DoD projects. The DoD and the CMMC Accreditation Board (CMMC AB) will select organizations to undergo the first CMMC assessments in 2020, and the DoD will then roll CMMC requirements out to all other contractors beginning in 2021. As with any certification, preparation takes time – you may need several months to get ready for these new cybersecurity maturity requirements.
The DoD’s new cybersecurity maturity model features five maturity levels that incorporate, and add to, the 110 security requirements of NIST SP 800-171 currently required under DFARS 252.204-7012. The five levels range from ‘Basic Cyber Hygiene’ to ‘Advanced/Progressive’. These maturity levels attempt to match the rigor of an organization’s cybersecurity program to the risk that organization poses to national defense interests. Maturity Level 1 is associated with organizations that pose the least risk and need only a baseline security program. Maturity Level 5 organizations pose the highest possible risk to national defense interests and therefore require the most rigorous security program. An organization that wishes to bid on a DoD contract will need to hold a CMMC certification at the level that contract requires.
Certification requires a third-party assessment of a company’s cybersecurity practices and processes, conducted by a CMMC Third Party Assessment Organization (C3PAO).
How Ready Are You For CMMC Cybersecurity Requirements?
“If you want to work with the DoD I would look at the CMMC model the way it is right now – Level 1 specifically – you should be doing those today.”
– Katie Arrington, CISO, Office of the Under Secretary of Defense for Acquisition
Because the CMMC framework is built on well-established standards, you likely comply with at least some of its requirements today. If you wish to contract with the DoD, take the following steps to prepare for CMMC:
- Know Your CMMC Level: Determine whether your organization needs to be certified at Level 1, 2, 3, 4, or 5. The required level depends on the risk your organization poses to the DoD and its mission, and will be stated in the contract.
- Evaluate Your Current Compliance: If you are a DoD contractor that handles CUI, you already have an obligation under DFARS 252.204-7012 to self-assess against NIST SP 800-171. Additionally, the CISO of the Office of the Under Secretary of Defense for Acquisition urges all contractors to achieve Level 1 compliance now. An independent gap assessment will show you where you stand today.
- Evaluate Your Risk: For Level 2, 3, 4, and 5 organizations, CMMC requires a risk assessment. By conducting your gap assessment together with a Duty of Care Risk Analysis (DoCRA) risk assessment, you can prioritize your gaps and design controls that are demonstrably reasonable against foreseeable risks.
- Plan Your Remediation: By developing a Plan of Action and Milestones (POA&M) and a System Security Plan (SSP), you can address your current NIST SP 800-171 gaps in order of risk and build a roadmap toward your eventual CMMC certification.
- Certification: After a beta testing period in 2020, the DoD and the CMMC AB will select contractors to undergo CMMC assessments. You will work with an assessor (C3PAO) to demonstrate your compliance with the new requirements. Once certified at the required level, you will be able to respond to RFPs that call for that level and to continue your contracted work with the DoD.
It is in every DoD contractor’s best interest to establish CMMC readiness now and to prepare for official certification in order to remain eligible for DoD-related work. You will need to be ready when called. By preparing for CMMC with DoCRA, you will also be able to demonstrate that you have addressed risks to CUI reasonably and that your security program aligns with DoD guidelines.
What Does the CMMC Readiness Program Provide?
The program provides an expert team of cybersecurity professionals to help scope, assess, and develop a plan to prepare your organization for CMMC. You will have a clear three-phase plan that shows your current status and the steps required to be ready for certification, plus final reports and deliverables.
1. Determine Requirements & Scope
• Collaborate with you to set readiness requirements: what is your target CMMC level?
• Scope for Controlled Unclassified Information (CUI): where is it stored, processed, or transmitted?
2. Assess Controls
• Assess your controls against NIST SP 800-171
• Assess against the CMMC practices and processes at your target maturity level
• DELIVERABLE: Self-Assessment Report covering all of the controls in NIST SP 800-171 and CMMC, with the organization’s observed alignment to each control, any gaps, any evidence identified, and an overall compliance rating for each control.
• For Level 2, 3, 4, and 5 organizations, Cylanda will evaluate gaps in terms of risk using DoCRA, both to satisfy the risk assessment requirement and to manage gaps and controls reasonably.
• DELIVERABLE: Risk Assessment that identifies the risks associated with controls and gaps. This helps organizations prioritize their risks and ensure that their controls are reasonable given the risk they pose to the DoD, the public, and themselves.
3. Develop Plans
• DELIVERABLE: Plan of Action and Milestones (POA&M) listing each control that is not currently compliant, with the steps, required resources, and recommended milestones for bringing that control into compliance.
• DELIVERABLE: System Security Plan (SSP) providing an overview of the NIST SP 800-171 and CMMC security requirements and describing the security controls in place, or planned, to meet them.
• DELIVERABLE: Roadmap to Certification consolidating all of the above plans and assessments into a comprehensive roadmap for how the organization can reach certification.
Let’s talk about how you can get ahead of the game on CMMC readiness and on managing risk reasonably.
Reasonable Security is Now Defined
The Sedona Conference – an influential think tank that advises attorneys, regulators, and judges on challenging technical matters – has just released its Commentary on a Reasonable Security Test. The Commentary is the first document of its kind to give the legal community a clear definition of a “reasonable” security control.