Since the beginning of 2022, much has changed – and more is likely to change – with the scope of the Department of Defense (DoD) CMMC levels and security requirements.
In an effort to streamline processes and help defense contractors, CMMC dropped the initial five levels to three.
But what are those changes and why should you be concerned?
In this article, we will explain what the CMMC framework is, the various levels and security domains, and a summation of the intent behind each CMMC control family.
The Cybersecurity maturity model certification framework was born as a result of a realization by DoD that the Defense Industrial Base (DIB) ability to self-assess was failing and DIB members were overwhelmingly unprepared and not appropriately resourced to handle a compliance program.
The CMMC model started as a result of Executive Order 13556 signed by President Obama in 2010, directing all Federal agencies to safeguard their Controlled Unclassified Information (CUI).
CMMC compliance at its core is not about compliance but a program that has been established to provide proactive protection measures against Advance Persistent Threat types such as:
Nation states – targeting military technologies for a competitive edge on the battlefield.
Terrorist and other non-governmental organizations – targeting to learn ways to defeat our countermeasures on the battlefield.
Criminals – targeting to steal our IP and disrupt economic activity.
DoD has recently streamlined the CMMC process calling it CMMC 2.0. This resulted in the elimination of CMMC levels 2 and 4 leaving only three levels (Levels 1, 2, and 3) under the new CMMC framework to streamline the maturity processes.
DoD Contractors that have the DFARS 7012 in their DoD contracts are required to meet the additional safeguards defined within the 7012 clause as well as 48 CFR 52.204-21 referred to the Federal Acquisition Regulation clause.
CMMC Level 1 is intended to implement basic cyber hygiene to meet 17 foundational CMMC requirements intended to protect Federal Contract Information (FCI). These requirements are derived from the National Institute for Standards and Technology (NIST) Special Publication 800-171. NIST SP 800-171 defines the requirements and objectives for DoD Contractors to implement.
CMMC Level 2 under CMMC 2.0 program aligns with NIST 800-171 110 security controls designed to protect CUI. This level is designed to achieve advanced cybersecurity practices to deter and prevent Advanced Persistent Threats (APTs) and non-state actors from compromising Defense Contractors’ information systems.
CMMC Level 3 will be reserved for the most sensitive types of CUI that could cause the most damage to U.S. national security interests. Although the cybersecurity requirements haven’t been finalized or released as of yet, CMMC 3 is considered to be an expert implementation of a subset of requirements derived from NIST SP 800-172.
CMMC level 1 security controls provide good cyber hygiene when handling FCI. DoD prime contractors and subcontractors are required to perform annual self-assessments and self-attestation that they meet these basic control to be admitted to the CMMC program and reach higher-level controls.
This control grants role-based user and group control privileges, secure configuration baselines following CIS, DISA STIGs, Microsoft, etc., and helps to prevent data loss using best practices.
Along with secure configuration baselines from the previous step, IA details Identity and Access Management (e.g., Microsoft Active Directory, Single Sign-on Tools).
Involves using an IT Asset Management System as well as providing a Data Destruction Policy, Procedures, and Tool to Destroy FCI.
Monitors, tracks, and limits physical and digital controls to Authorized Personnel to Access Information Systems to Prevent Unauthorized Access of FCI.
All controls from the previous level plus Content Filtering on Firewalls and Applications and Role-Based Access Control, for example.
Performs Vulnerability Scanning, System Patching, Change Control Processes and Approvals, and Anti-malware configuration and deployment.
CMMC Level 2 addresses the protection of Controlled Unclassified Information (CUI), which the National Archives and Record Administration (NARA) defines as:
Information that requires safeguarding or dissemination controls pursuant to and consistent with laws, regulations, and government-wide policies, excluding information that is classified under Executive Order 13526, Classified National Security Information, December 29, 2009, or any predecessor or successor order, or Atomic Energy Act of 1954, as amended.
Contractors who have CMMC Level 2 compliance require a CMMC Level 2 certification. This CMMC assessment must be conducted by a Certified Assessor and a CMMC Third-Party Assessment Organization (C3PAO).
All controls from the previous level with the addition of items such as content filtering on firewalls and applications, separation of duties and limiting portable storage devices, and ensuring the portable device is encrypted when storing CUI, for example.
This part of the process informs privileged users of security risks associated with elevated Permissions and how to use them properly.
It also provides security related training to those performing cybersecurity functions, and insider threat training and reporting procedures to all personnel.
Create a secure configuration that retains adequate logs to perform monitoring, including best practices, individual account tracing, and reviewing and updating log events for effective management.
Details the steps to create and maintain security baselines, enforce the use of security impact analysis, and prevent unauthorized installation and use of software via secure configurations.
All controls from the previous level with the addition of items such as: verifying the Identities of Users, Processes, and devices before granting access to information systems and storing/transmitting passwords using FIP 140-2 Validated Encryption.
Involves building and deploying an IR Team capable of monitoring, detecting, analyzing, and reporting cybersecurity events and incidents.
Implements control tools, processes, and personnel conducting maintenance; sanitize and verify equipment when moving offsite, and scan media and programs for malicious code before connecting to Internal Information Systems.
Involves proper methods to handle CUI such as marking and limiting access to system media containing CUI to authorized personnel only, enforcing encryption on all media containing CUI, and maintaining accountability of its location and custodian at all times.
Screen and perform background checks on individuals prior to authorizing access to Information systems containing CUI and ensure its protection before and after personnel actions.
All controls from the previous level with the addition of items such as protecting and monitoring physical facilities and supporting sites that manage information systems and ensure policy and procedures of the handling of CUI at alternative work sites.
Involves taking steps to implement a Risk Management Board against organizational assets within the organizational security boundary which routinely scans for vulnerabilities across all assets and remediates them in a timely fashion.
Create a system security plan outlining how you are and will meet each security control, perform control assessments at least annually or when a major change to the IS occurs, and develop, assign, monitor, and close-out plan of actions and milestones.
All controls from the previous level with the addition of items such as: deploying a secure architecture using security engineering principles to promote a cybersecurity-conscious organization, and ensuring CUI is encrypted using FIPS-validated cryptography when in transit and at rest.
All controls from the previous level with the addition of items such as monitoring organizational assets (e.g., Network Traffic, Cloud Logs, Computer Logs, User and Application Logs to Identify Unauthorized Use of Any Asset).
The CMMC level 3 assessment guide focuses on Advanced Persistent Threat (APT) mitigation and is used for the DoD’s highest levels.
Please note that CMMC Level 3 has not been finalized as of November 22, 2022, and the below standards are referring to NIST 800-172 which DoD indicated it will derive from to establish CMMC enhanced security controls.
As such, the following are the proposed level three controls:
Controlling information flows between connected domains using secure transfer mechanisms.
Utilizing practical exercises that align to current threat scenarios to make it unique to your operating environment.
Establish and maintain an authoritative repository of information system components such as an asset management tool, configuration management database, change management, etc.
Establish automated or manual processes and procedures to prohibit systems and services from connecting unless they are known, authenticated, in a properly configured state, or in a trust profile.
Establish an operational Security Operations Center and create and maintain a ready IR team that can be deployed in an acceptable time period.
Perform individual personnel screening and reassess individual positions and access to CUI need-to-know frequently.
Employ and require cybersecurity personnel to be involved in all parts of the system development lifecycles to ensure secure architectures, controls, monitoring capabilities, response, and recovery functions are implemented.
Perform (usually annually or bi-annually) penetration testing that uses your threat profile as well as the use of automated scanning and manual testing tools by subject matter experts.
Employ a diverse approach to software, hardware, and services to reduce the risk of malware propagation.
Verify the correctness of assets using verification techniques such as configuration checks, cryptographic signatures, and trusted capabilities that provide assurance and trustworthiness that they employ secure protocols and practices.
As of March 2022, the DoD has streamlined its requirements and eliminated both CMMC level 4 and CMMC level 5 requirements, reducing it to three levels for more effective processes.
Determining what level your company is required to be at requires a review of your existing contracts and your future pipeline. If any of your current contracts process, store, or transmit CUI within your corporate infrastructure you are required to seek certification at level 2.
However, if CUI is not present in your environment nor do you have a contractual obligation you are then required to seek certification at level 1. Again, CMMC certification level 1 only requires that you self-certify and enter your score in the U.S. Government’s Supplier Performance Risk System.
For those organizations seeking a CMMC certification at level 3, it will be very clear during the acquisition process this will be required. However, assessment guidance and resources to certify organizations at this level are not available at the time of this writing.
CMMC implementation requires a detailed action plan, an intermediate cyber hygiene level, and expert CMMC consultants to roll out and remain compliant.
for a complete list of standards for each level, and then reach out to us for any further questions or help to upgrade the cybersecurity program for your organization.