CMMC and What You Need to Know

Following the much-anticipated final draft of the Cybersecurity Maturity Model Certification (CMMC) V1.0, released January 31st, 2020, many contractors are hastening to improve their security standards. If your organization has not yet engaged in CMMC preparation activities, you have fallen behind the pack. Within the next few months, the Department of Defense will begin using the CMMC audit standards when determining contract awards.

One of the most overarching aspects of the new certification is that even traditionally non-defense companies will need to show compliance with the practices and processes set forth by the CMMC Model. It is conservatively estimated that 200,000-350,000 contractors, even custodial companies, bookkeepers, caterers, and small IT firms, will need to hold a CMMC. This follows from the conclusion Pentagon officials reached that one of their greatest cybersecurity risks derives from the second- and third-tier contractors who work in tandem with the DOD. With this in mind, when it comes to awarding business, cybersecurity is set to be the “fourth critical measurement” for business, behind quality, cost, and schedule.

So what exactly is the CMMC and what are the requirements for certification?

The CMMC measures the maturity of an organization’s cybersecurity processes and practices across five levels covering seventeen domains, as shown in Figure 1. The domains are broad categories of critical security functions such as Access Control, Identification and Authentication, Incident Response, etc., much like the control families from the NIST 800-53 security controls standard. The seventeen domains are further broken down into 43 capabilities and 171 practices, which are essentially more granular security controls.

Figure 1: Maturity Levels and Domains of the CMMC

Each level specifies a certain set of processes and practices that have to be implemented across the domains. The levels build on each other, and thus in order to achieve a higher CMMC level, your organization must demonstrate compliance in the preceding levels. The levels range from very basic safeguarding of Federal Contract Information, to continuous monitoring with optimized practices and efficient processes. The table below summarizes the focus and requirements of each level.

| Level | Focus | Process Requirements | Practice Requirements |
|---|---|---|---|
| 1 | Safeguard Federal Contract Information (FCI) | Requires that an organization performs the specified practices. | Implement 17 practices to provide Basic Cyber Hygiene. |
| 2 | Transition step to protect Controlled Unclassified Information (CUI) | Requires that an organization establish and document practices and policies. | Implement the 17 Basic Cyber Hygiene practices, plus an additional 55 practices, for a total of 72 practices to provide Intermediate Cyber Hygiene. |
| 3 | Protect CUI | Requires that an organization establish, maintain, and resource a plan demonstrating the management of activities for practice implementation. | Implement all the practices from Levels 1 and 2, plus an additional 58 practices, for a total of 130 practices to provide Good Cyber Hygiene. |
| 4 | Protect CUI and reduce risk of Advanced Persistent Threats (APTs) | Requires that an organization review and measure practices for effectiveness. | Implement all the practices from Levels 1, 2, and 3, plus an additional 26 practices, for a total of 156 practices to provide Proactive cybersecurity practices. |
| 5 | Protect CUI and reduce risk of Advanced Persistent Threats (APTs) | Requires an organization to standardize and optimize process implementation across the organization. | Implement all the practices from Levels 1, 2, 3, and 4, plus an additional 15 practices, for a total of 171 practices to provide Advanced/Progressive cybersecurity practices. |

Qmulos has created a sorted and filterable spreadsheet of all the discrete capabilities and practices required at each level that you can use to assess your organization’s maturity level. 


As you can see, CMMC covers a broad set of domains with a comprehensive set of policy, procedure, management, and technical controls that need to be implemented and assessed regularly. If you’re feeling a little overwhelmed after reviewing all of those detailed requirements, not to worry: our Splunk premium apps Q-Compliance and Q-Audit are purpose-built to help you streamline and automate complex cybersecurity auditing and compliance requirements like CMMC. Q-Audit provides prescriptive, out-of-the-box auditing capabilities that satisfy many of the practice requirements from the CMMC Audit and Accountability domain. Q-Compliance is built upon the same standards and best practices that the CMMC has adopted, and we have enhanced it with features specifically for CMMC. We align specific security controls with the domains, capabilities, and practices from CMMC and use real-time log and event data from Splunk to help you automate the assessment and scoring of your organization’s practices against the maturity levels defined in CMMC. In addition, we have codified industry best practices into the workflow of the application to help your organization institutionalize and optimize the processes that improve your cyber posture and protect sensitive information such as Federal Contract Information and Controlled Unclassified Information.

Stay tuned for more details on how Qmulos can help you with CMMC assessments.