The CMMC: The Basics

As noted in our previous article on this topic, the CMMC aims to strengthen security controls and practices to help protect sensitive DOD data held by contractors and their supply-chain partners. In particular, contractors that handle Controlled Unclassified Information (CUI) will be impacted by the new certification. 

The CMMC also incorporates maturity processes designed to streamline cybersecurity activities and help ensure they are “consistent, repeatable, and of high quality.” Implementation of these components is mapped across five levels to create a five-tier maturity ranking. 

All DOD contractors and subcontractors who expect to handle CUI information must:

• Earn at a minimum a Level 3 maturity to qualify to win a defense contract 
• Meet both the practice and process maturity criteria within a given level to achieve that level of maturity

The DOD plans to begin incorporating CMMC requirements into RFIs and RFPs in late 2020. DOD expects contractors and subcontractors that are interested in pursuing the RFIs and RFPs with CMMC requirements to get audited and certified before the contract award. Starting in 2021, all DOD contractors and subcontractors will need to be CMMC-compliant to qualify to win federal contracts. 

Now is the time to start planning how you can achieve the specific level of maturity based on the types of sensitive DOD data your organization handles – or expects to handle in the future. The first step will be to map the gaps between your existing security processes, practices, and controls with requirements for the CMMC maturity level you are seeking to achieve. 

Read on for a high-level overview of the practice and process requirements for each CMMC maturity level, based on the CMMC v1.02 and appendices.

The CMMC will assess up to 171 security practices across 17 security domains, as well as rank the maturity of contractors’ security processes across five levels.  These practices and processes are drawn from multiple standards, most prominently the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171. CMMC practices span a broad range of capabilities, from basic cyber hygiene at Level 1 to highly sophisticated controls designed to repel advanced persistent threat (APT) attacks at Level 5.

Level 1 

The lowest CMMC level covers foundational security safeguards that most DOD contractors will already be familiar with. The practices are almost identical to those specified in 48 CFR 52.204-21 (“Basic Safeguarding of Covered Contractor Information Systems”). 

These 17 practices lay down a foundation for basic cybersecurity that protects sensitive data, safeguards external endpoints, controls logical and physical access, and manages data across its lifecycle. The CMMC also specifies that organizations implement business processes and technologies to protect against malicious code, including periodic scans of files from external sources. 

Notable requirements: Level 1 creates a foundation for higher CMMC rankings and must be completed by all certified organizations.

Additional requirements include: 

• Establish, implement, and control access requirements
• Ensure media are sanitized
• Limit physical access
• Monitor and control communications at system boundaries 
• Manage and monitor for information system flaws and malicious content

Get started: Review all 15 safeguarding requirements from 48 CFR 52.204-21 rules. These requirements form the bulk of practices stipulated for Level 1. 

Level 1 requires that a contractor perform, but not document, specified practices. The CMMC recognizes that an organization may only be able to perform practices “in an ad-hoc manner,” possibly without documentation, so it does not assess process maturity for Level 1.

Level 2

Level 2 is a bridge between Levels 1 and 3 and consists primarily of security requirements specified in NIST 800-171, as well as a handful of practices outlined in other standards. Because this level represents a progression to Level 3, which prioritizes protection of CUI, a subset of Level 2 practices pertains to CUI. Level 2 is also designed to help contractors protect Federal Contract Information (FCI), establish a plan of action and milestones (POAM), and strengthen mitigation capabilities. Additionally, at this level contractors are expected to establish a security awareness and training program to educate users on current cybersecurity threats, data-management practices, and prevention of social-engineering campaigns such as phishing. 

Notable requirements: Level 2 stipulates that organizations implement the technologies and processes for monitoring networks and systems to identify potential indicators of compromise or threats, as well as establish processes for monitoring users. Other requirements include: 

• Enhance and enforce access controls 
• Establish a formal incident-response plan 
• Implement and perform auditing procedures 
• Establish a security awareness training program
• Establish configuration baselines 
• Protect and control media 
• Perform regular backups and recovery tests
• Document a system security plan and periodically conduct risk assessments 

Get started: Review NIST 800-171 to identify Level 2 practices that have not been implemented. 

At Level 2, organizations must “establish and document practices and policies to guide the implementation of their CMMC efforts.” Documentation enables staff to perform practices in a repeatable manner, which can help ensure that they are sustained during a disruption or security incident. The level of detail in a documented practice can vary from a handwritten desk procedure to a formal standard operating procedure (SOP).

The CMMC defines a policy as a high-level statement that stipulates requirements for a specific activity. The statement should define the purpose and scope of the policy, as well as the roles and responsibilities related to specific activities. Policy should be supported with procedures to achieve the intent of the activity, including regulatory compliance. 

Level 3

Level 3 requires that contractors demonstrate “Good Cyber Hygiene” as a means to protect CUI. This level includes all 110 security and control requirements specified by NIST SP 800-171 Rev 1, in addition to practices from several other standards. 

Level 3 stipulates that organizations enhance security controls to safeguard systems and communications related to information sharing, CUI at rest, remote devices, and network connections. At this level, organizations are also required to proactively perform periodic risk assessments and risk-mitigation planning, as well as use sandboxing to block potentially malicious email. 

Notable requirements: Level 3 introduces security safeguards for mobile devices, including access control and encryption of CUI on portable devices and platforms. Other requirements include: 

• Classify assets and implement data-handling procedures for CUI data 
• Enhance authentication and encryption requirements for network and remote access 
• Establish and implement system and security alerts 
• Centralize audit-logging capabilities 
• Perform and manage configuration and change management activities
• Enhance perimeter security 
• Implement secure architectural designs and software development techniques
• Test incident-response plans

Get started: Review existing measures to safeguard CUI stored on mobile devices, as well as CUI housed on the network and cloud services. 

Level 3 specifies that contractors establish and support a plan to manage activities for implementing security practices. This can include information on initiatives, goals, project plans, resourcing, training, and stakeholder involvement. 

For process maturity, contractors must prove they can effectively resource activities and assess adherence to policies and procedures. At Level 3, the contractor establishes and maintains a plan to achieve domain activities, including the ability to inform senior leadership of domain’s security status.

The plan typically includes a mission statement, strategic goals, relevant standards and procedures, project planning, and adequate resources to support domain activities. It also specifies that employees have the skills and knowledge to support all activities, that relevant stakeholders are involved, and that adequate funding is available.

Level 4

Level 4 focuses on protection of CUI from APT attacks and includes a subset of the enhanced security requirements from NIST SP 800-171B. This ranking indicates that contractors have updated their protection activities to keep abreast of the fast-evolving tactics, techniques, and procedures (TTPs) used by APT actors. Level 4 requires the use of TTPs in incident response, threat-intelligence monitoring, supply chain risk management, threat hunting, and isolation of physical and logical assets. The CMMC model offers recommendations for handling CUI in situations where this information is at significant risk of exposure. 

Notable requirements: At Level 4, contractors are expected to develop and manage a system security plan as well as a roadmap that details future cybersecurity improvements. The roadmap will help contractors improve their overall security posture based on priorities, costs, and implementation time. Other requirements include: 

• Automate the identification of unauthorized assets on the network 
• Enhance access controls including remote-access and access review procedures
• Enhance and limit communications at system boundaries
• Evaluate employee security awareness via simulated social engineering tests 
• Conduct periodic penetration tests
• Manage supply chain risks
• Leverage threat-intelligence sources to proactively monitor for threats 

Get started: Identify CUI stored in your systems and make sure that the security controls and processes are in place to adequately protect this information.

At Level 4, activities must be reviewed and measured for effectiveness. The contractor should define measurement criteria, regularly assess activities, and evaluate the results. All domain activities should be reviewed for effectiveness against the plan defined in Level 3. These activities include system performance, review of accomplishments and results of the process, identification and assessment of significant deviations from the plan, and establishment of corrective action. A Level 4 contractor is expected to review and document activities for effectiveness and disclose potential issues to the organization’s executives. 

Level 5

Level 5 focuses on strengthening protection of CUI from APTs and institution of practices to increase the maturity and effectiveness of the contractor’s cybersecurity capabilities. Also required are a 24/7 security operations center (SOC) and the ability to dispatch an incident-response team to any location within 24 hours. Five of the 16 practices specified in Level 5 are drawn from NIST 800-171B. 

Notable requirements: Level 5 contractors must be able to analyze system behavior to detect system commands and scripts that indicate malicious activity. Analyzing system use and behavior helps organizations identify intrusions that use trusted operating systems, software, or scripts to perform malicious activities. Other requirements include: 

• Forensic analysis in investigation of security incidents
• Critical operational systems meet availability and redundancy expectations 
• Monitoring of networks and systems for malicious behavior
• Operational exercises to test incident-response capabilities 
• Periodically perform full disaster-recovery tests
• Enhance existing security controls using a defense-in-depth approach across all CMMC families

Get started: Review existing security programs to determine what controls have been implemented to protect against APTs. 

A CMMC Level 5 contractor must demonstrate that it has implemented standardized processes across the organization. Standard domain processes help define consistent activities and allow functional units to tailor practices to fit their needs. These processes can include practice activities, process flows, inputs and expected outputs, and performance metrics for process improvement. Organizations should document lessons learned from planning and performing, and submit the documentation to the organization’s process-asset library, which should include all procedures for domain activities.