What Is CMMC?
The Cybersecurity Maturity Model Certification (CMMC) is a US Department of Defense (DoD) program that applies to Defense Industrial Base (DIB) contractors. It’s designed to ensure the security of controlled unclassified information (CUI) and federal contract information (FCI) in the Department of Defense (DoD) supply chain. It’s based on the NIST 800-171 standards and is divided into three levels.
Who’s in the Scope?
CMMC is required of any individual in the DoD supply chain, including contractors who interact exclusively with the Department of Defense and any and all subcontractors. This affects not only the prime contractor but all the subcontractors.
Therefore, if you’re in the DoD’s supply chain or a subcontractor, you probably need to do some work to ensure you meet the requirements of the DoD.
CUI?
All controlled unclassified information (CUI) falls into one of two categories: CUI Basic or CUI Specified. CUI Basic does not have specific handling or dissemination controls. CUI Specified, has additional requirements defined in US Laws, regulation and government wide policies. As for example US ITAR and EAR are CUI Specified.
The controls for any CUI Basic categories are the same, but the controls for CUI Specified categories can differ from CUI Basic ones and each other. A CUI category may be CUI Specified, and vice versa. If dealing with CUI that falls into a CUI Specified category, review the controls for that category in the CUI Registry.
What Is NIST SP 800-171?
NIST SP 800-171A is a framework all suppliers with a defense contract to the Department Of Defence (DoD) in the US must comply with as of the DFARS 252.204-7012, 7019, 7020 clauses. Suppliers must register a score of how well they comply with NIST SP 800-171 in a Supplier Performance Risk System (SPRS).
A complete lack of a SPRS score, or a falsified score, will result in consequences. The DoD noted in a memo sent to its contracting officers in June 2022:
“Failure to have or to make progress on a plan to implement NIST SP 800-171 requirements may be considered a material breach of contract requirements. Remedies for such a breach may include: withholding progress payments, foregoing remaining contract options, and potentially terminating the contract in part or in whole.”
This was the task I was assigned; to design a compliant environment to sustain business operations.
What Do CMMC and NIST 800-171 Have To Do With Each Other?
CMMC 2.0 Level 2 controls are aligned with NIST 800-171, which groups security controls into 14 domains.
Both regulations also focus on protecting controlled unclassified information (CUI) and Audit and Accountability standards, as well as helping organizations establish Identity and Access Management policies.
CMMC Certification
During the project, Cybersecurity Maturity Model Certification (CMMC) started to mature; CMMC is basically the certification that all suppliers must have to be able to bid on contracts with the DoD in the future. The actual CMMC certification is performed by a CMMC Third-Party Assessment Organizations (C3PAOs) assessor.
CMMC, as of now in Version 2.0, contains three levels:
- Level 1 (Foundational) score of 17 is required.
- Level 2 (Advanced) score of 110 is required.
- Level 3 (Expert) score of 110+ is required (adding NIST SP 800-172).
What Are the CMMC Requirements for Subcontractors?
CMMC will be required to all DoD suppliers in the supply chain including the contractors supply chain.
Therefore, if you have been flow down contractual requirements such as FAR 52.204-21 or DFARS 252.204-7012 you need to ensure you can be assessed against NIST 800-171. Be also aware if you get DFARS 252.204-7019/-7020 you are required to register your scoring in DoD SPRS system.
Requirements for certification itself, which is administered by the CMMC-Accreditation Body (Cyber-AB), are the same regardless of a company’s role as a prime contractor or subcontractor.
The prime contractor determines the subcontractor’s required certification level based on the information that will flow to the subcontractor or supplier during the contract. This could mean the subcontractor only needs to conform with CMMC Level 1, even if the prime contractor has a CMMC Level 2.
The Assessment
So, to continue the story, as we were nearing project completion, we arranged for a third-party assessment to evaluate how well the architecture was conforming with the requirements. The customer goals were set at CMMC Level 2 as the target.
A CMMC assessment is a deep dive assessment, where everything is inspected in detail; if your policies say X, then we need a screen share or a recent screenshot showing the setting in the system. If you have a procedure, the auditor wants to see the administrator perform it and ensure it’s followed.
The scoring is in binary; it’s either fulfilled or failed.
The Takeaways
- Be extremely clear; if the requirements say “program, protocol, ports,” program, protocol, and ports shall be listed.
- Changes to documentation/environment done during the audit is fail unless it’s not done via the documented change process.
- Preparations for a smoother assessment can be done by preparing screenshots of the settings in the control; make sure to get the date in the picture and that it’s max. 30 days old.
- The organization doesn’t understand the control and can’t answer it before the assessment, will result in non-confirmative.
- Asset inventory – this is step one; no asset inventory list, and the assessment can’t start.
- The total asset inventory list shall contain:
- Responsible
- Classification
- Information class Marking with information class, e.g., CUI
- Criticality
- List all critical assets. Hardware, systems, etc., even if a system is redundant, it’s redundant for a reason: its criticality.
- The total asset inventory list shall contain:
- Baseline configurations need to be kept to track changes in the environment.
- Baseline shall consist of, but not be limited to, hardware, firmware, software, and configuration. Changes from that baseline shall be recorded to track changes.
- List use cases that show what the users are allowed to do in the environment.
- Example: Send information on a USB drive:
- What drive is approved?
- How shall it be sent?
- Encryption password shall be sent via?
- Example: Send information on a USB drive:
- Training material shall be customized to the organization; not just what’s required, but what’s needed.
- Implement that training is recurring annually, mandatory, and a record is kept.
- Privileged responsibilities training shall be performed recurringly.
Conclusions
If you’re going for a real CMMC assessment, it’s important to understand that this type of assessment is different from others, and it can have a real impact; it requires you to prove that you not only have policies in place but also follow them in practice. In other words, it’s not enough to simply write a policy and be done with it.
If you’ve started the journey with NIST 800-171, you already have most parts of other frameworks such as but not limited to NIST CSF, ISO 27001/27002, and DORA in place.
References
- NIST SP 800-128 Assessment guide https://csrc.nist.gov/publications/detail/sp/800-128/final
- DFARS 252.204-7012 https://www.acquisition.gov/dfars/252.204-7012-safeguarding-covered-defense-information-and-cyber-incident-reporting.
- DFARS 252.204-7019 https://www.acquisition.gov/dfars/252.204-7019-notice-nistsp-800-171-dod-assessment-requirements.
- DFARS 252.204-7020 https://www.acquisition.gov/dfars/252.204-7020-nist-sp-800-171dod-assessment-requirements.
- NIST SP 800-171 r2 https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final
- NIST SP 800-171A https://csrc.nist.gov/publications/detail/sp/800-171a/final
- CMMC Level 2 Scoping Guidance https://dodcio.defense.gov/Portals/0/Documents/CMMC/Scope_Level2_V2.0_FINAL_20211202_508.pdf
- Controlled Unclassified Information (CUI) https://www.archives.gov/cui
- CUI Categories https://www.archives.gov/cui/registry/category-list
- DoD memo https://www.acq.osd.mil/dpap/policy/policyvault/USA000807-22-DPC.pdf