5 cmmc levels and certification

The United States Department of Defense (DOD) has upped its security game in a big way starting in 2020. The government agency, which provides military forces for national security, released a new certification—The Cybersecurity Maturity Model Certification (CMMC)—at the end of January 2020 that aims to decrease the impact of cybersecurity risks that threaten the defense industry.

More and more, information security and cybersecurity efforts in organizations all over the world are impacted by a growing web of connected vendors. In turn, it has become hypercritical that organizations not only understand how mature their vendors’ security programs are but also have a hand in making them better. Otherwise, they run the risk of a compromise that (on paper) was not their organization’s fault.

And that’s the basis of the CMMC cybersecurity requirements. With the CMMC, the DOD is doubling down on knowing where its vendors’ security programs stand and is using the certification as its audit framework.

If you work with the DOD as a vendor, this is on the horizon. It will change your relationship with the DOD and the way your organization needs to handle its security measures.

Here is what we know about the CMMC levels and requirements so far.

What is the CMMC, Anyway?

This is the government’s way of keeping tabs on the security of its potential defense vendors related to Controlled Unclassified Information (CUI) and Federal Contract Information (FCI). It provides a mechanism for the DOD to ensure their vendors are ready (security-wise) to work with the department. It focuses on certifying the “maturity levels” and “capability” of each DOD vendor’s security processes, practices, and methods. It also helps set goals and priorities for them to make improvements.

The DOD will not be conducting the audits, either. A network of certified third-party assessors (C3PAOs) will be tasked with vetting the security of each of its potential vendors. Each of its 350,000 vendors will need one of these assessments. Additionally, there are Registered Provider Organizations, such as FRSecure, that employ Registered Practitioners that are certified to assist organizations in preparing for CMMC levels certification. The CMMC Accreditation Body (CMMC-AB) has also been very clear that a C3PAO cannot provide any coaching or assistance to an organization that it will be conducting the audit on. RPOs are able to provide that coaching and assist in preparation as needed.

cmmc accreditation body

The framework of the certification combines several known security best practices and regulatory standards (like NIST SP 800-171 as well as 46 other CMMC practices) and is made up of 17 domains.

  • Access Control (AC)
  • Asset Management (AM)
  • Awareness and Training (AT)
  • Audit and Accountability (AU)
  • Configuration Management (CM)
  • Identification and Authentication (IA)
  • Incident Response (IR)
  • Maintenance (MA)
  • Media Protection (MP)
  • Personnel Security (PS)
  • Physical Protection (PP)
  • Recovery (RE)
  • Risk Management (RM)
  • Security Assessment (CA)
  • Situational Awareness (SA)
  • System and Communications Protection (SC)
  • System and Information Integrity (SI)

The DOD will add CMMC levels to each RFP. Any vendor that is bidding on the RFP must possess the appropriate level certification at the time the contract is awarded. This does not mean that if an RFP states CMMC Maturity Level 5 and you do not have that level that you cannot be a subcontractor for the RFP—it means you will only have access to information that corresponds with the CMMC level you are certified at.

The potential does exist that if you are providing Commercial Off-The-Shelf (COTS) solutions, as defined by FAR 2.101, you will not be required to obtain a CMMC levels certification.

COTS include any item of supply (including construction material) that is:

  • A commercial item (item that can be sold, leased, or licensed to the general public);
  • Sold in substantial quantities in the commercial marketplace; and
  • Offered to the government, under a contract or subcontract at any tier, without modification, in the same form in which it is sold in the commercial marketplace; and

There are 5 Maturity Levels (ML) to the CMMC. For all CMMC levels, your organization must be able to show sufficiency based on a least 2 of the forms of objective evidence from:

  • Interviews – a written or spoken interview with the person implementing, performing, or supporting the function or process related to the CMMC practice.
  • Evidence Review (preferred method is demonstration) – this could include documentation such as policies or it could be actual procedures conducted that support the function or process related to the CMMC practice. The evidence must be produced by people that implement or perform the process.
  • Testing – any testing/demonstration must pass the requirements and criteria for the function or process related to the CMMC practice. All testing/demonstrations must be observed by the Certified Assessor (CA) and the assessment team.

A reminder that the requirements for each ML are simply the minimum to achieve certification for that ML. Organizations can, and should, do more to properly secure their data than what their CMMC levels require. Most organizations will need either an ML1 or ML3 certification.

cmmc levels and requirements

ML 1 Performed: Basic Cyber Hygiene

There are 17 practices across 6 domains (AC, IA, MP, PE, SC, SI) in level 1 that are equivalent to all practices in FAR 48 CFR 52.204-21 (Basic Safeguarding of Covered Contractor Information Systems).

This ML focuses on the basic safeguarding of information and basic cyber hygiene. While organizations obtaining this level must be able to protect FCI, their practice implementation will only be required to be conducted in an ad-hoc manner and there is no requirement to produce documentation or have their process maturity analyzed.

ML 2 Documented: Intermediate Cyber Hygiene

A step up from ML 1, ML 2 focuses on intermediate cyber hygiene. There are 72 practices across 15 domains (AC, AT, AU, CM, IA, IR, MA, MP, PS, PE, RE, RM, CA, SC, SI) and 2 processes in this ML. Organizations looking to obtain this ML will need to focus on documenting their processes with the expectation that they practice their documented processes accordingly and repeatedly.

Starting in ML2, and continuing with all subsequent levels, the requirement to pass is that organizations must produce documentation. This means you must show your policies are formally documented and adopted. This ML only grants organizations access to FCI and acts as a transitional step for organizations looking to contribute on contracts with Controlled Unclassified Information (CUI).

ML 3 Managed: Good Cyber Hygiene

ML 3 contains 130 practices across all 17 domains and 3 processes. This is the first level that permits access to CUI and as such focuses on protecting Controlled Unclassified Information (CUI).

In this level, there is a higher emphasis on mitigating threats. Organizations obtaining ML 3 certification are, for example, not only expected to show documentation of practices and demonstration that they are followed, but that the practices are properly resourced. This requirement applies to all 130 practices.

Organizations within ML 3 are also required to establish, maintain, and resource a plan demonstrating the management of activities used for practice implementation.

ML 4 Proactive: Reviewed

ML 4 contains 156 practices and 4 processes. Once the plan is in place, the next step is to test and measure its effectiveness. ML 4 requires the organization to review and measure its security practices—finding gaps where it can consistently make improvements or correct inefficiencies. The ultimate goal of this level is to increase the protection of CUI and start reducing the risk of Advanced Persistent Threats (APTs).

ML 5 Advanced/Progressive: Optimizing

ML 5 contains all 171 practices and 5 processes. This is the level where optimization occurs. Organizations in this level have a plan, consistently work to find and fix inefficiencies in it, and standardize and implement the plan and practices across the whole organization. The emphasis here is also to increase the protection of CUI from APTs.

Where You Fit

The level your organization fits into will indicate the number and which kinds of practices the security program will be required to follow, and how they are validated. The practices build on each other. ML 1 contains 17 security controls, and ML contains 171, including all of the practices from levels 1-4.

The goal is to help organizations move from basic data safeguarding to reducing APTs, but ultimately, your level as an organization will determine how (or if) you can do business with the DOD.

How Will My Organization be Impacted by CMMC?

Effectively, if you are a manufacturer, farmer, or any other organization working with the DOD, this needs to be on your radar. It is anticipated that 350,000 vendors down the supply chain of the DOD will be impacted by these security requirements.

While none of the current requests for proposal with the DOD contain CMMC levels requirements, the DOD is expected to include CMMC levels requirements in 15 in 2021—slowly increasing the number of contracts that contain CMMC levels requirements over the next 5 years. By 2026, every request for proposal the DOD initiates will have some level of CMMC requirement.

What Do I Need to Do from a Security Standpoint?

Get Ahead of It

If you want to work with the DOD moving forward, this needs to be something your organization proactively considers.

The actual requirements will not begin for quite some time for a lot of organizations:

  • FY 2021 expectations
    • 899 ML1
    • 149 ML2
    • 452 ML3
  • Growing to the following for FY 2025
    • 28,709 ML1
    • 4,785 ML2
    • 14,355 ML3
    • 28 ML4
    • 28 ML5

However, it is important to remember that good security practices are all about being prepared. So is audit prep.

More importantly, though, major changes in security programs often require changes in thinking and behavior at the organizational level. This is not something that happens overnight. To create a culture where security becomes the focus, you will need time.

While time feels like a luxury now, the sooner you begin making these changes, the easier it will be when the time for compliance comes. And remember, certification requires evidence that practices and procedures have been implemented for a “significant” period of time.

Do not think you can purchase a policy deck a month before the CA is set to arrive and pass the assessment? Not likely.

Asset Management

At the end of the day, good security practices come with doing the basics right. No fancy technology or software alone can get your program where it needs to be. A risk assessment is a great start to helping guide your practices, but it is not a silver bullet. Asset management is another important security practice that can help you prepare for the CMMC requirements long-term.

Do the basics right first.

You can’t secure what you don’t know you have, and your security measures should directly impact your most valuable assets (as well as the risk associated with them). Asset management is one of the most basic things you can do to improve your security program. It sets the stage for everything moving forward—including your risk assessment.

Start by tracking and categorizing resources within your organization. A good asset management practice gives businesses an understanding of the existence, access, location, and function of their important assets.

There are three types of assets that organizations need to keep tabs on.

asset management

Hardware

Think of the things you would put a label on. This may include computers, printers, tablets, hard drives, servers, and more.

Software

Software is an asset, and it is important to manage the purchase, licensing, implementation, maintenance, and disposal of software applications.

Data

A lot of organizations fail to realize that data is an important asset that needs the same (if not more) management as the more tangible ones. Imagine if all the data in your organization were to suddenly disappear. Would it put you out of business? Data is an incredibly powerful asset that should be managed accordingly.

Conduct a Risk Assessment

After you understand what your most important assets are, measuring the risk of compromise to those assets is the next step. The most efficient way to be proactive about your organization’s security is to perform a risk assessment, which are required to be conducted annually for ML3 and up.

Risk assessments give you a baseline of your security program—a snapshot of your current state. Understanding this baseline is important because it tells you what gaps you have and how you can mend them, particularly as you look to enter into RFPs with the DOD that might require you to level up.

Risk assessments are meant to be barometers of change. Implementing new practices and procedures into your security program helps improve your ability to avoid and mitigate risk. And, ultimately, that is what the DOD is trying to do with the CMMC, too.

So, get out in front of these new requirements by getting a risk assessment (especially one mapped to similar or the same controls that the CMMC assessment contains). You may not know what level you will need to be for the kinds of contracts you will apply for with the DOD yet. However, the more you understand the strengths and weaknesses of your own organization’s security and where the most room for improvement is, the more likely it will be that you will be prepared when the C3PAO assessment comes.

Plus, it will help you build stronger security practices and policies in the meantime, which is never a bad thing.

Conclusion

By 2026, every request for proposal the DOD puts out will have a CMMC levels requirement.

So, yes, you likely have quite a bit of time before the CMMC requirements are implemented into the contracts you will submit a bid for. But, if you can get an early understanding of what assets your organization has, and how well (or not-so-well) you secure them, it should give you time to make the adjustments that will get you on the right track to the CMMC level you need to achieve. A good asset management practice and a comprehensive, regulation-mapped risk assessment are the best ways to get that jump-start.

The easiest way to prepare for these new requirements is to be proactive about your security. Start with understanding what your most critical hardware, software, and data assets are. Then, conduct a risk assessment so you know what the likelihood of something bad happening to those assets are, and work to change and implement practices that can help minimize that likelihood.

By doing those things, you will be able to consistently work towards making noticeable improvements to your organization’s overall security practice and put yourself in a good position to level up in the CMMC framework for when the time it becomes required rolls around.


If you’d like to learn more about building a strong security program, asset management practices, risk assessments, or just improving your overall security posture in advance of CMMC requirements, reach out to us by visiting frsecure.com.

cybersecurity resources

Brad Nigh on Linkedin
Brad Nigh
Principal Security Consultant at FRSecure
Brad is a passionate information security expert with 19+ years of overall IT experience, including 9+ years of IT management and leadership experience working in 24/7 environments that required top tier technical skills, and efficient project management. In addition, Brad has years of experience working in highly regulated industries that are required to comply with PCI-DSS, HIPAA, HITECH, Sarbanes-Oxley, OCC, and various state regulatory requirements. At FRSecure Brad leads the Consulting Services practice serving businesses of all sizes, in all industries by cooperatively solving the complex issues surrounding information security.

0 replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *