Introduction
As the risk landscape intensifies, organizations are becoming laser-focused on ensuring cyber security and resilience across their ecosystem of partners, vendors, and suppliers. Against this backdrop, the US Department of Defense (DoD) published the Cybersecurity Maturity Model Certification (CMMC) in January 2020 to safeguard sensitive information spread across its extended enterprise.
What is CMMC?
The CMMC is a set of uniform requirements for DoD contractors, subcontractors, and vendors and aims to protect Controlled Unclassified Information (CUI) across the ecosystem.
CUI is any data that is generated or processed by the government or on behalf of the government. The CMMC framework establishes standard processes and practices for assessing the capabilities of a third-party DoD partner, contractors, vendor, and supplier, and it also extends to sub-contractors. The process requirements are based on the CERT Resilience Management Model (CERT- RMM), which underscores its focus on resilience.
In 2023, the Department of Defense submitted new proposed rules for CMMC to the White House’s Office of Information and Regulatory Affairs (OIRA) for review. CMMC 2.0 includes some key changes to the original framework and aims to protect the defense industrial base’s (DIB) sensitive unclassified information from advanced persistent threats (APTs). It is expected to simplify compliance, lower assessment costs, improve accountability, and more.
Who is Covered Under the CMMC Framework?
The CMMC framework applies to any contractor or supplier that conducts business with the DoD. Any organization that wants to work with the DoD and is likely to handle CUI will have to get a CMMC certification. This includes:
- Suppliers across every level of the end-to-end supply chain
- Small businesses
- International suppliers and partners
- Commercial item contractors
- Sub-contractors
- Higher education institutions that perform basic and applied research under contract
Exemptions
Only those organizations that produce Commercial – Off-The-Shelf (COTS) products are exempt from getting the CMMC certification.
What are CMMC Requirements?
The CMMC framework comprises a set of standardized processes and practices for evaluating a DoD vendor’s security and resilience posture and capabilities. The certification process comprises 5 levels and each level is based on and builds upon the previous one.
CMMC Certification Levels:
The 5 CMMC certification levels are:
levels | Description | Requirements |
---|---|---|
Level 1 | Basic Cyber Hygiene |
|
Level 2 | Intermediate Cyber Hygiene |
|
Level 3 | Good Cyber Hygiene |
|
Level 4 | Proactive Cyber Defense |
|
Level 5 | Advanced or Progressive Cyber Defense |
|
Level-Wise Accreditation
Each level carries a certification, and organizations that wish to achieve the certification must meet the required specifications across 43 capabilities and 17 capability domains.
Capability Domains
The 17 capability domains specified by the CMMC framework pertain to critical focus areas that help improve organizational security and resilience. These include:
- Access Control (AC)
- Asset Management (AM)
- Audit and Accountability (AU)
- Awareness and Training (AT)
- Configuration Management (CM)
- Identification and Authentication (IA)
- Incident Response (IR)
- Maintenance (MA)
- Media Protection (MP)
- Personnel Security (PS)
- Physical Protection (PE)
- Recovery (RE)
- Risk Management (RM)
- Security Assessment (CA)
- Situational Awareness (SA)
- System and Communications Protection (SC)
- System and Information Integrity (SI)
What is the Timeline for CMMC Certification?
DoD vendors have till 2025 to get CMMC accredited. They can seek a specific level of accreditation for their entire organizational ecosystem or for specific parts of their network where sensitive data is stored or processed, which require protection.
All future DoD Request for Proposals will specify the maturity level or CMMC certification the vendor has to be at in order to qualify for the bid. A comprehensive assessment of the business and the DoD data it handles is an essential first step for any organization that wants to be CMMC certified.
What is the CMMC Accreditation Process?
The certification process has been designed by the DoD in coordination with the CMMC Accreditation Body (CMMC-AB). Together, they have formulated a standardized process to create a pool of accredited CMMC Third Party Assessment Organizations and assessors who can manage the CMMC evaluation and certification process across levels.
Unlike NIST 800-171, which works on a self-assessment model, CMMC certification involves a third-party audit process. However, organizations that are already operating according to the standards set by the NIST 800-171 are in a stronger position.
To obtain their CMMC certification, interested organizations must follow these basic steps:
- The organization must assess and identify the level of CMMC certification required
- It should conduct a pre-assessment exercise with a self-assessment module
- It must identify an accredited C3PAO for the formal assessment process
- The assessment made by the C3PAO will be reviewed by the CMMC-AB reviewer
- The organization will have 90 days in which to make any corrections or rectify any lapses identified during the formal assessment
- Once the assessment meets the specified requirements for the level, the CMMC-AB issues a CMMC certificate of compliance that is valid for three years
Contractors need to pay for their CMMC assessments and cannot perform self-certifications. The assessment costs depend upon various factors, for example, the target CMMC levels. According to DoD, certain cybersecurity contracts can incur "allowable costs", which can help contractors pay for upgrades.
How to Achieve CMMC Compliance?
Organizations that want to achieve the CMMC certification must ensure cyber hygiene across their networks with an equal focus on people, processes, and technology. Some other focus areas while preparing for CMMC certification include:
Current Cybersecurity Maturity Levels
An organization can only achieve CMMC certification if its infrastructure is well protected against cyber attacks and it is resilient. This requires a comprehensive evaluation of the existing organizational cybersecurity maturity level, involving assessing processes, data storage and handling practices, policies and procedures, and the overall cybersecurity posture. Organizations must take a comprehensive view of their security infrastructure to establish the most effective security practices.
Comprehensive Cyber Risk and Resilience Program
It is important to have well-defined processes for the identification, assessment, mitigation, and management of cyber risks. Organizations must also have robust incident response plans as well as a recovery strategy in place so that the impact of any threats can be minimized, and the business can recover quickly. Implementing a technology-based solution can help streamline processes with automated workflows, reduce time, cost, and effort, and provide actionable insights in a timely manner.
Consolidated Compliance
Given the fraught risk environment modern enterprises operate in, there are multiple regulatory requirements to be complied with. Centralized and consolidated management of an organization’s compliance practices, along with harmonization of controls, can provide a top-level view of IT risk and compliance, reduce the cost of compliance, and maximize compliance efficiency.
Structured Self-Assessments
Organizations must be able to conduct IT compliance surveys and self-assessments easily. They should be able to analyze assessment results and base future decisions on the insights gained from them.
Intelligent Issue Remediation Plan
AI/ML-powered workflows for investigating, documenting, and resolving compliance issues help to accelerate and streamline the issue management and remediation process, thereby improving overall compliance posture and cyber hygiene.
How Does MetricStream Help with CMMC Compliance?
MetricStream provides a simplified approach to implement the CMMC framework that helps organizations get CMMC certifications easily and quickly. Its centralized data model, along with harmonization of controls across various relevant IT standards and compliance requirement, simplify compliance with a “test once, comply with many” approach. Organizations can leverage pre-packaged content and integration with CMMC requirements, controls, and mappings to get their program up and running quickly. MetricStream provides comprehensive, holistic visibility of the organizational compliance posture with automated workflows for IT compliance management and powerful reports and dashboards.
MetricStream provides:
Centralized IT Compliance Environment
Organizations can create and maintain a centralized repository that helps them map controls for CMMC compliance with organizational assets, risks, processes, and business units. This centralized approach, coupled with access-controlled environment, enables effective monitoring of IT compliance processes, efficient assessment of control deficiencies, and streamlined remediation management.
Harmonization of Compliance Requirements
By harmonizing controls across IT regulations and frameworks, organizations can save significant costs and effort associated with CMMC compliance management. They can leverage the MetricStream GRC library to dynamically link IT regulations with Unified Compliance Framework (UCF) control statements.
Streamlined IT Compliance and Controls Assessments
Organizations can schedule automatic IT Compliance and Controls assessments using pre-defined criteria and checklists. MetricStream streamlines the entire process by providing user-friendly interfaces for performing control tests, attaching evidence, and scoring, tabulating, and reporting results.
Systematic Self-Assessments and Surveys
MetricStream enables organizations to conduct IT compliance surveys, certifications, and control self-assessments in a systematic manner with pre-defined templates and schedules. The data from surveys and assessments can be easily aggregated and analyzed to gain valuable insights for better-informed decision-making.
Efficient Issue and Remediation Management
With MetricStream, organizations can implement well-defined processes for efficiently documenting, investigating, and resolving IT compliance and control issues. They can leverage AI-powered capabilities to classify issues and get action plan recommendations. The solution allows to track the entire issue and remediation management process until issue closure, providing transparency to relevant stakeholders.
With MetricStream, you can:
- Demonstrate compliance with CMMC to the Department of Defense (DOD) and customers successfully
- Achieve operational efficiencies by harmonizing controls across multiple standards and frameworks
- Improve decision-making by obtaining holistic, real-time visibility into the organizational IT compliance posture
- Stay agile by staying on top of changes in regulatory standards and controls
To learn more about how MetricStream can help with IT compliance management, request a personalized product demo.
As the risk landscape intensifies, organizations are becoming laser-focused on ensuring cyber security and resilience across their ecosystem of partners, vendors, and suppliers. Against this backdrop, the US Department of Defense (DoD) published the Cybersecurity Maturity Model Certification (CMMC) in January 2020 to safeguard sensitive information spread across its extended enterprise.
The CMMC is a set of uniform requirements for DoD contractors, subcontractors, and vendors and aims to protect Controlled Unclassified Information (CUI) across the ecosystem.
CUI is any data that is generated or processed by the government or on behalf of the government. The CMMC framework establishes standard processes and practices for assessing the capabilities of a third-party DoD partner, contractors, vendor, and supplier, and it also extends to sub-contractors. The process requirements are based on the CERT Resilience Management Model (CERT- RMM), which underscores its focus on resilience.
In 2023, the Department of Defense submitted new proposed rules for CMMC to the White House’s Office of Information and Regulatory Affairs (OIRA) for review. CMMC 2.0 includes some key changes to the original framework and aims to protect the defense industrial base’s (DIB) sensitive unclassified information from advanced persistent threats (APTs). It is expected to simplify compliance, lower assessment costs, improve accountability, and more.
The CMMC framework applies to any contractor or supplier that conducts business with the DoD. Any organization that wants to work with the DoD and is likely to handle CUI will have to get a CMMC certification. This includes:
- Suppliers across every level of the end-to-end supply chain
- Small businesses
- International suppliers and partners
- Commercial item contractors
- Sub-contractors
- Higher education institutions that perform basic and applied research under contract
Exemptions
Only those organizations that produce Commercial – Off-The-Shelf (COTS) products are exempt from getting the CMMC certification.
The CMMC framework comprises a set of standardized processes and practices for evaluating a DoD vendor’s security and resilience posture and capabilities. The certification process comprises 5 levels and each level is based on and builds upon the previous one.
CMMC Certification Levels:
The 5 CMMC certification levels are:
levels | Description | Requirements |
---|---|---|
Level 1 | Basic Cyber Hygiene |
|
Level 2 | Intermediate Cyber Hygiene |
|
Level 3 | Good Cyber Hygiene |
|
Level 4 | Proactive Cyber Defense |
|
Level 5 | Advanced or Progressive Cyber Defense |
|
Level-Wise Accreditation
Each level carries a certification, and organizations that wish to achieve the certification must meet the required specifications across 43 capabilities and 17 capability domains.
Capability Domains
The 17 capability domains specified by the CMMC framework pertain to critical focus areas that help improve organizational security and resilience. These include:
- Access Control (AC)
- Asset Management (AM)
- Audit and Accountability (AU)
- Awareness and Training (AT)
- Configuration Management (CM)
- Identification and Authentication (IA)
- Incident Response (IR)
- Maintenance (MA)
- Media Protection (MP)
- Personnel Security (PS)
- Physical Protection (PE)
- Recovery (RE)
- Risk Management (RM)
- Security Assessment (CA)
- Situational Awareness (SA)
- System and Communications Protection (SC)
- System and Information Integrity (SI)
DoD vendors have till 2025 to get CMMC accredited. They can seek a specific level of accreditation for their entire organizational ecosystem or for specific parts of their network where sensitive data is stored or processed, which require protection.
All future DoD Request for Proposals will specify the maturity level or CMMC certification the vendor has to be at in order to qualify for the bid. A comprehensive assessment of the business and the DoD data it handles is an essential first step for any organization that wants to be CMMC certified.
The certification process has been designed by the DoD in coordination with the CMMC Accreditation Body (CMMC-AB). Together, they have formulated a standardized process to create a pool of accredited CMMC Third Party Assessment Organizations and assessors who can manage the CMMC evaluation and certification process across levels.
Unlike NIST 800-171, which works on a self-assessment model, CMMC certification involves a third-party audit process. However, organizations that are already operating according to the standards set by the NIST 800-171 are in a stronger position.
To obtain their CMMC certification, interested organizations must follow these basic steps:
- The organization must assess and identify the level of CMMC certification required
- It should conduct a pre-assessment exercise with a self-assessment module
- It must identify an accredited C3PAO for the formal assessment process
- The assessment made by the C3PAO will be reviewed by the CMMC-AB reviewer
- The organization will have 90 days in which to make any corrections or rectify any lapses identified during the formal assessment
- Once the assessment meets the specified requirements for the level, the CMMC-AB issues a CMMC certificate of compliance that is valid for three years
Contractors need to pay for their CMMC assessments and cannot perform self-certifications. The assessment costs depend upon various factors, for example, the target CMMC levels. According to DoD, certain cybersecurity contracts can incur "allowable costs", which can help contractors pay for upgrades.
Organizations that want to achieve the CMMC certification must ensure cyber hygiene across their networks with an equal focus on people, processes, and technology. Some other focus areas while preparing for CMMC certification include:
Current Cybersecurity Maturity Levels
An organization can only achieve CMMC certification if its infrastructure is well protected against cyber attacks and it is resilient. This requires a comprehensive evaluation of the existing organizational cybersecurity maturity level, involving assessing processes, data storage and handling practices, policies and procedures, and the overall cybersecurity posture. Organizations must take a comprehensive view of their security infrastructure to establish the most effective security practices.
Comprehensive Cyber Risk and Resilience Program
It is important to have well-defined processes for the identification, assessment, mitigation, and management of cyber risks. Organizations must also have robust incident response plans as well as a recovery strategy in place so that the impact of any threats can be minimized, and the business can recover quickly. Implementing a technology-based solution can help streamline processes with automated workflows, reduce time, cost, and effort, and provide actionable insights in a timely manner.
Consolidated Compliance
Given the fraught risk environment modern enterprises operate in, there are multiple regulatory requirements to be complied with. Centralized and consolidated management of an organization’s compliance practices, along with harmonization of controls, can provide a top-level view of IT risk and compliance, reduce the cost of compliance, and maximize compliance efficiency.
Structured Self-Assessments
Organizations must be able to conduct IT compliance surveys and self-assessments easily. They should be able to analyze assessment results and base future decisions on the insights gained from them.
Intelligent Issue Remediation Plan
AI/ML-powered workflows for investigating, documenting, and resolving compliance issues help to accelerate and streamline the issue management and remediation process, thereby improving overall compliance posture and cyber hygiene.
MetricStream provides a simplified approach to implement the CMMC framework that helps organizations get CMMC certifications easily and quickly. Its centralized data model, along with harmonization of controls across various relevant IT standards and compliance requirement, simplify compliance with a “test once, comply with many” approach. Organizations can leverage pre-packaged content and integration with CMMC requirements, controls, and mappings to get their program up and running quickly. MetricStream provides comprehensive, holistic visibility of the organizational compliance posture with automated workflows for IT compliance management and powerful reports and dashboards.
MetricStream provides:
Centralized IT Compliance Environment
Organizations can create and maintain a centralized repository that helps them map controls for CMMC compliance with organizational assets, risks, processes, and business units. This centralized approach, coupled with access-controlled environment, enables effective monitoring of IT compliance processes, efficient assessment of control deficiencies, and streamlined remediation management.
Harmonization of Compliance Requirements
By harmonizing controls across IT regulations and frameworks, organizations can save significant costs and effort associated with CMMC compliance management. They can leverage the MetricStream GRC library to dynamically link IT regulations with Unified Compliance Framework (UCF) control statements.
Streamlined IT Compliance and Controls Assessments
Organizations can schedule automatic IT Compliance and Controls assessments using pre-defined criteria and checklists. MetricStream streamlines the entire process by providing user-friendly interfaces for performing control tests, attaching evidence, and scoring, tabulating, and reporting results.
Systematic Self-Assessments and Surveys
MetricStream enables organizations to conduct IT compliance surveys, certifications, and control self-assessments in a systematic manner with pre-defined templates and schedules. The data from surveys and assessments can be easily aggregated and analyzed to gain valuable insights for better-informed decision-making.
Efficient Issue and Remediation Management
With MetricStream, organizations can implement well-defined processes for efficiently documenting, investigating, and resolving IT compliance and control issues. They can leverage AI-powered capabilities to classify issues and get action plan recommendations. The solution allows to track the entire issue and remediation management process until issue closure, providing transparency to relevant stakeholders.
With MetricStream, you can:
- Demonstrate compliance with CMMC to the Department of Defense (DOD) and customers successfully
- Achieve operational efficiencies by harmonizing controls across multiple standards and frameworks
- Improve decision-making by obtaining holistic, real-time visibility into the organizational IT compliance posture
- Stay agile by staying on top of changes in regulatory standards and controls
To learn more about how MetricStream can help with IT compliance management, request a personalized product demo.