Protecting Controlled Unclassified Information (CUI) in nonfederal Systems and Organizations
Providing Products or Services to DoD Agencies?
This CMMC Roadmap is for You.
OVERVIEW OF THE CMMC PROGRAM
The Cybersecurity Maturity Model Certification (CMMC) framework developed by the DOD enhances cyber protection standards for companies in the Defense Industrial Base (“DIB”). CMMC is designed to protect sensitive unclassified information that is shared by the Department with its contractors and subcontractors. The program incorporates a set of cybersecurity requirements into acquisition programs and provides the Department with increased assurance that contractors and subcontractors meet these requirements.
The framework aims at assessing and enhancing the cybersecurity posture of the Defense Industrial Base suppliers, which encompasses a set of security requirements and controls, particularly as it relates to controlled unclassified information (“CUI”) and Federal Contract information (FCI) within the supply chain.
The concept of a CMMC framework arose in response to:
first: a series of high-profile breaches of DoD information. A significant loss of sensitive data from the DIB sector increases the risk to national security, and the DoD has fallen victim to breaches.
Second: many suppliers were not truly complying with requirements and falsely attested their compliance. Because until now, the Department of Defense contractors themselves have been responsible for monitoring and certifying their information systems security of any DoD data that they generate, transmit, or store.
As a result, security across the contracting sphere became less effective and elevated security risks cyber threats.
These caused DoD to reevaluate its reliance on the security controls in NIST 800-171 as sufficient to thwart the increasing and evolving threat, especially from nation-state actors.
Under the new model described by the CMMC, defense contractors will still maintain the responsibility for implementing their cybersecurity measures. But the systems they put in place are subject to audits by third-party assessors. The audits check that the contractor complies with the framework’s mandatory practices, capabilities, and procedures.
The framework has three key features:
- Tiered Model: CMMC requires that companies entrusted with national security information implement cybersecurity standards at progressively advanced levels, depending on the type and sensitivity of the information. The program also sets forward the process for information flow down to subcontractors.
- Assessment Requirement: CMMC assessments allow the Department to verify the implementation of clear cybersecurity standards.
- Implementation through Contracts: Once CMMC is fully implemented, certain DoD contractors that handle sensitive unclassified DoD information will be required to achieve a particular CMMC level as a condition of contract award.
What is Cybersecurity Maturity Model (CMMC) Program?
CMMC Program is:
- A unifying standard for the implementation of cybersecurity across the DIBs (Defense Industrial Bases) and verification of the defense contractors’ cybersecurity preparedness and effectiveness.
- A set of characteristics, attributes, indicators, or patterns that represent the progression of increased capabilities necessary to protect the data
- A set of security requirements for the protection of the FCI and CUI in non-federal organizations
What Does CMMC Program Do?
- It promotes cybersecurity maturity.
- It defines a set of security practices and aligns them with the type and sensitivity of the information that needs to be protected.
- It measures cybersecurity maturity with levels and provides assurance of compliance to the DoD.
- It adds a certification element to verify the implementation of practices related to achieving a cybersecurity maturity level.
- It requires a trained independent assessment conducted on a Defense Contractor’s cybersecurity posture.
- It provides assurance that the DIB can protect sensitive information within a complex supply chain, which Accounts for information flow down to subcontractors.
CMMC Used by the DOD
- to enforce DFARS cybersecurity requirements and allow only contractors with a valid CMMC certification to do business with the DOD.
- to provide guidance for the DIB contractors to implement and achieve a specific CMMC level.
- to serve as a verification mechanism to assess and to ensure that appropriate levels of cybersecurity practices and processes are in place to protect FCI and CUI residing on the DIB and partners’ networks.
CMMC Used by the DIB
- as an implementation standard and guidance to implement cybersecurity requirements within their organizations.
- to qualify to bid on and be awarded DoD contracts
What is CMMC Compliance?
CMMC compliance is a tiered system of compliance measures intended to evaluate the organization’s cybersecurity maturity and serve as a condition of contract award with the DOD or work with the defense contract supply chain.
The CMMC compliance is intended to describe an organization’s preparedness against key security issues.
What is CMMC Certification?
CMMC Certification is a requirement for all organizations within the supply chain to the United States Department of Defense (DoD), whether a prime contractor, sub-contractor, or sub-tier supplier.
CMMC certification ensures that an organization has achieved the minimum threshold of cybersecurity necessary to be entrusted with the types of information they receive or handle.
What Are the Tiers of CMMC Compliance?
CMMC Assessment requirements are tiered by the sensitivity of information shared with the contractor.
There are three tiers of certification in the CMMC 2.0 model. Each higher-level tier contains the requirements of previous tiers.
1. CMMC level 1, “Foundational”
Foundational level is the most basic level of compliance. This includes basic security practices, including having access controls, implementing identity controls, and performing password protection. A level 1 organization is not likely to have a complete security strategy; rather, they will simply know the basics of security.
2. CMMC level 2, “Advanced”
This level is a reasonably advanced level of security compliance. Organizations working with Controlled Unclassified Information (CUI) will need to achieve this level of compliance and to follow the 110 best security practices aligned with NIST SP 800-171.
3. CMMC level 3, “Expert”
Expert level is the highest level of certification and what most organizations should ultimately aspire to. Organizations should be practicing advanced and progressive cyber hygiene, continually optimize their security processes, and analyze their network traffic.
Achieving CMMC Level 3 will require an organization to follow a set of 110+ practices based on NIST SP 800-172. It will also require government-led audits, as opposed to the third-party audits necessary for achieving Level 2.
Depending on the contract, a different CMMC level may be required. An organization that’s interested in dealing with controlled information will want to get a Level 2 certificate at a minimum. Before applying for CMMC certification, an organization may want to investigate the contracts that they are interested in working on. Each contract will deal with different levels of information and, consequently, different certification requirements.
How do you get CMMC certified?
Contractors of all sizes should consider consulting a third party to get an independent assessment of where the company stands and where it needs to be. An important issue for companies that do commercial and government work is whether they need to institute a compliance program that extends across their enterprise or maintain a separate environment related only to their DoD work.
Infoguard CMMC Advisory Services
Infoguard CMMC Advisory Services support DIB organizations through the journey of becoming CMMC Certification ready. From determining where CMMC requirements apply to your organization, to identifying the gaps that need to be addressed, to creating remediation plans, to supporting and performing remediation services, Infoguard can help you become prepared to complete a CMMC Assessment.
- Scope the situation
First, Infoguard will help you identify and scope any federal information in your custody that falls into one of the CUI categories. The scope includes the people, processes, and technologies in your organization that store, process, or transmit CUI or provide security and administration to the CUI in your care. - Identify CUI Boundary
Define the CUI data path, and identify all critical assets (e.g., applications, support services, systems, endpoints, data centers, cloud services) that are in scope.
Categorize discovered critical assets into CUI Boundary as defined by the CMMC Accreditation Board - Identify the CMMC level and security controls you need
Depending on the contract, a different CMMC level will be required.
Each CMMC level has an assigned set of requirements that must be fully implemented in order to achieve the corresponding level. Infoguard will assist in identifying the CMMC level and controls you need to comply with, supplemented by best-practice configuration requirements for the hardware, software, and networks involved. We’ll document the security safeguards you have in place, mapping each mechanism for securing and protecting the CUI to the relevant security controls. - Review and define your security architecture
We’ll evaluate the current architecture of your CUI-related systems and recommend any modifications needed to reduce the scope and meet the requirements of CMMC. - Assess your compliance with the CMMC security controls
We start by assessing your current state of compliance with the identified security controls and identify CMMC gaps. We then plan and conduct a self-assessment, which will include compliance and vulnerability testing of technical controls and evaluation of security policies, procedures, and administrative controls through interviews, reviews, and inspections. - Supply chain evaluation
Prime contractors who manage programs that include subcontractors should conduct a risk assessment to understand how a failure on the part of a subcontractor may impact their ability to perform on a contract. Contractors should be proactive in identifying weaknesses or points of reliance within their supplier population and establish procurement and contracting plans to mitigate the effects of non-compliant suppliers. - Develop remediation strategy and roadmap
The Remediation Strategy and Roadmap provides a prioritized and well-planned approach to resolving all exceptions and discrepancies identified in the Gap Assessment. It provides specific recommendations and approaches for remediating individual practice gaps and identifies specific activities that need to be performed or completed to address process requirements, and policies.
The Remediation Strategy and Roadmap takes a strategic approach that, in addition to the gaps identified, considers your current strengths and capabilities, the industry you are in, and the technical and administrative solutions already in place. - Provide remediation support
The Remediation Support depends on your internal capabilities and the scope of the remediation effort itself. Infoguard can provide technical oversight, project management support, direct participation in the design of required infrastructure changes, implementation of security controls, policy building, documentation development, and System Security Plan creation.Remediation support areas will include but not limited to •CMMC training •Development of CMMC Policies •Development of the System Security Plan (SSP) •Development of the Incident Response Plan (IRP) •Development of the Configuration Plan •Development and Implementation of a Risk Management Plan •Conducting a Risk Assessment •Conducting Vulnerability Scanning and Penetration Testing - Plan for continuous compliance
A CMMC certificate will be valid for three years, after which it must be renewed. Organizations will be required to either complete an annual self-assessment or a triennial 3rd party assessment. We will assist you in creating a continuous monitoring strategy that will support continuous compliance in the years to come.