4 Steps to Becoming CMMC Compliant
As a DoD contractor, you are probably wondering how to prepare for the cybersecurity maturity model certification. Understanding the Cybersecurity Maturity Model Certification (CMMC) compliance process will help your business maintain security and continue to earn government contracts.
Since launching the world's first hosted FTP service in 2001, FTP Today has been heavily focused on file security and privacy. Since we focus on compliance-ready software, it’s crucial that we and our customers understand any new compliance regulations.
In this article, we cover a number of steps you should take in order to prepare yourself and your organization to be compliant with the cybersecurity maturity model certification.
1. Ensure You are NIST 800-171 Compliant
The best first step you should take is to become compliant with NIST 800-171. CMMC draws from other government publications to compile the security controls for each maturity level. NIST 800-171 is one of those key publications. So, if you start by ensuring you are compliant with the NIST 800-171 controls, you’re already a step ahead when it comes to earning your CMMC.
Because CMMC isn’t being implemented until this summer, many contractors likely have questions about the relationships between CMMC and other compliance standards provided by the government.
CMMC will not replace any current compliance regulations. However, it can be seen as organizing and prioritizing data security controls to form the different maturity levels. CMMC and security publications like NIST 800-171 work hand-in-hand to ensure that data is protected.
2. Plan Accordingly with the Timelines for CMMC
When it comes to security controls, it’s best to plan ahead. You want to be confident that on the day CMMC goes into effect, the wheels are already in motion for you to qualify for your target maturity level. Let’s look at the timeline for CMMC to gain an understanding of how to start planning for compliance.
- January 2020: At the start of the year, the first wave of CMMC information was released. This includes information on the CMMC levels, the requirements for those levels, and training materials for independent assessors and Third Party Assessment Organizations (3PAOs).
- February-May 2020: Throughout the first two quarters of the year, CMMC assessors are being trained on how to make their assessments and the requirements for each CMMC maturity level.
- June-September 2020: This summer, the first round of CMMC audits will begin. Only a selected number of contractors will be assessed in this initial round. This will begin the process by which contractors’ RFPs and RFIs are approved based on the CMMC maturity level certification that the company holds.
- October 2020 and the Future: All contractors and subcontractors will only be approved for Department of Defense contracts if they hold the appropriate CMMC maturity level certification.
Based on this timeline, it’s important that you begin to work toward a CMMC maturity level this summer, with plans to maintain compliance into the future.
3. Become Familiar with Third-Party Assessment Organizations
Third-Party Assessment Organizations, or 3PAOs, will play a key role in the CMMC compliance process. Your organization will not be able to self-certify. While you can put all the security controls in place and run an internal assessment to confirm that you’re in alignment with CMMC measures, you need an official 3PAO to sign off on your CMMC maturity level.
These independent assessors will evaluate your organization for compliance with your target maturity level’s requirements. While this type of assessment can’t be conducted until the summer, it’s helpful to become familiar with your 3PAO options now. In fact, because there's so much overlap between NIST compliance and CMMC compliance requirements, many 3PAOs that assess for NIST compliance will likely become auditors for CMMC, as well.
As a note, some high-level assessments may have to be conducted by the DoD itself. If your organization falls into this category, you will coordinate with DoD assessors, or assessors from the Defense Contract Management Agency (DCMA) or the Defense Counterintelligence and Security Agency (DCSA).
4. Identify the Level of Compliance Needed for Your Organization
There are five maturity levels for CMMC compliance. Each level builds on the foundation of the previous level, increasing cybersecurity measures as maturity levels increase. Moving forward, DoD contracts will be awarded to companies based on whether or not they have the appropriate CMMC maturity level. So, a government agency will determine which level of security it needs and select contractors who hold that same level.
To make sure you’re winning the right government contracts and have the necessary security measures in place, let’s look more closely at the different CMMC levels.
Level 1: Basic Cybersecurity Hygiene
All government contractors must earn at least CMMC Level 1 to qualify for government contracts. This level includes the most basic security controls needed to protect data, and Level 1 is the foundation for all of the other security levels. Each one builds upon the security controls covered by the previous level.
There are two types of data that government contractors handle: Controlled Unclassified Information (CUI) and Federal Contract Information (FCI). CUI is more sensitive and is not protected by Level 1 security controls. However, all contractors use FCI, which is less sensitive. To protect FCI, Level 1 has 17 practices that come from Federal Acquisition Regulation (FAR) 48 CFR 52.204-21.
Level 2: Intermediate Cyber Hygiene
Level 2 builds on the security controls from Level 1. Contractors that have earned this level move closer to the security controls needed to protect CUI, but they are still putting measures in place to mature their security efforts.
To earn this level, you must have 72 specific security practices in place. In addition to the FAR regulations from Level 1, you must also adopt 48 practices outlined in NIST SP 800-171 and 7 additional practices that support intermediate cyber hygiene.
Level 3: Good Cyber Hygiene
Reaching Level 3 means you have the basic security requirements in place to protect CUI. On top of the security controls required for Level 1 and Level 2, you need to adopt all of the practices outlined in FAR and NIST SP 800-171, plus 20 additional good cyber hygiene practices. This is a total of 130 controls.
Level 4: Proactive
When you earn the Level 4 designation, you not only have advanced security controls in place to protect CUI; you’re also proactive in maintaining these controls. With this level of proactivity, you’re better able to protect CUI against new and advanced threats.
Level 4 covers 156 practices, drawing from the 130 controls from previous levels, and adding 11 practices from Draft NIST SP 800-171B and 15 additional practices that demonstrate your proactivity.
Level 5: Advanced / Progressive
Government agencies with the most sensitive data are likely to work exclusively with Level 5 contractors. Level 5, the most advanced CMMC level, requires contractors to have 171 security practices in place. These come from the previous levels, from NIST SP 800-171 r1, NIST SP 800-171B, and 11 practices that demonstrate how advanced their security controls are.
Over the coming months, we expect there will be numerous updates prior to CMMC’s launch this summer. To keep up with the latest updates, frequently visit their website for new information.
As we noted above, the first and most important step to becoming CMMC compliant is ensuring you are NIST compliant. To help with step one of the process, be sure to check out our Complete Guide to the NIST Cybersecurity Framework, which walks you through all NIST compliance requirements and the steps to achieve them.
About Martin Horan
Founder of FTP Today and an expert in secure file transfer and Internet protocols. A software and IT geek since a young age, Martin has successfully led his companies through the digital age by spotting market niches and filling them with quality IT services.