Understanding the CMMC Fundamentals
Starting this year, all contractors and subcontractors working for the Department of Defense must pass a CMMC (Cybersecurity Maturity Model Certification) audit to ensure that controls and processes are in place and working properly to protect controlled unclassified information (CUI). The decision to create and mandate such a framework is the Department of Defense's response to the need to protect sensitive information and prevent data theft. It’s estimated that cybercrime cost the United States between $57 billion and $109 billion in 2016. The only logical step for the government was to try to reduce this tremendous loss. Once the data was analyzed, the government identified controlled unclassified information as data that should have much less exposure. Because the focus of CMMC is to protect CUI, it is important to understand what that consists of.
According to government archives: ‘Controlled Unclassified Information (CUI) is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended.’
CUI is broken down into 20 different categories:
1. Critical Infrastructure
2. Nuclear
3. Patent
4. Privacy
5. Procurement and Acquisition
6. Proprietary Business Information
7. Provisional
8. Statistical
9. Tax
10. Transportation
11. North Atlantic Treaty Organization (NATO)
12. Defense
13. Export Control
14. Financial
15. Immigration
16. Intelligence
17. International Agreements
18. Law Enforcement
19. Legal
20. Natural and Cultural Resources
Each category contains subcategories and corresponding information. Let’s use Critical Infrastructure as an example. One of its subcategories is Protected Critical Infrastructure Information (PCII), whose description is: ‘6 USC 131-134, and 6 CFR 29, PCII deals with threats, vulnerabilities, or operational experience that could do harm to the national infrastructure. PCII outlines protective actions for private sector infrastructure information that has been voluntarily shared with government bodies for the purpose of homeland security.’ Each subcategory holds a description providing more information as necessary.
What is NIST 800-171?
"800-171 is a codification of the requirements that any non-Federal computer system must follow in order to store, process, or transmit Controlled Unclassified Information (CUI) or provide security protection for such systems," according to Carnegie Mellon. It focuses on protecting unclassified information in non-federal information systems and organizations.
By implementing these NIST standards, organizations can identify sensitive information and standardize how that information is handled and distributed. Policies allow processes to be streamlined while mitigating risk, which enhances the overall security posture of the organization; they also make business operations smoother, because policies provide guidance for day-to-day operation.
The Cybersecurity Maturity Model Certification, or CMMC, is the Department of Defense's (DoD) latest project aimed at properly securing the Defense Industrial Base (DIB). The CMMC comprises multiple maturity levels that progressively range from basic to advanced. The goal is to incorporate CMMC into the Defense Federal Acquisition Regulation Supplement (DFARS) and use it as a requirement for contract award.
CMMC Level 1 is focused on basic cyber hygiene and on ensuring that the requirements specified in 48 CFR 52.204-21 are applied. Through the practices of CMMC Level 1, organizations lay a more secure base for the rest of the model to be built upon and later operated. At this level and at Level 2, organizations may have been given FCI (Federal Contract Information). This data is typically produced through work done by a third party and is not intended for the public. FCI does not include information generated by the Government for public purposes, such as public-facing websites. While practices are expected to be performed, process maturity is not addressed at CMMC Level 1. Because of this, an organization at CMMC Level 1 likely has an immature or inconsistent cybersecurity program.
The focal point of CMMC Level 2 is intermediate cyber hygiene. Because Level 1 is understood to set a foundation, Level 2 builds upon it by creating a maturity-based progression for organizations to step from Level 1 to Level 3. This set of practices gives the organization a better ability to protect data and to keep the business operational against cyber threats compared to Level 1. At Level 2, organizations are expected to document their standard operating procedures (SOPs). The organization should also have documented its policies, as well as the strategic planning that guides the fulfillment of its security program.
An organization assessed at CMMC Level 3 has shown good cyber hygiene and application of the controls of NIST SP 800-171 Rev 1. Any organization that needs to access CUI or produces CUI should achieve CMMC Level 3. CMMC Level 3 provides the basic ability to protect an organization’s assets and CUI, with controls that are able to last. Because a stronger cybersecurity program is practiced at this level, organizations can face modern attackers (APTs) and demonstrate a greater ability to exist in the current cybersecurity landscape without compromise. At this level, organizations subject to DFARS (Defense Federal Acquisition Regulation Supplement) clause 252.204-7012 will also have to meet additional requirements such as incident reporting. Process maturity is demonstrated by adequately resourcing activities and by reviewing adherence to policies and procedures; this can be gauged from the organization's documentation of the process.
At CMMC Level 4, an organization has developed a solid, forward-thinking, anticipatory cybersecurity program. The organization has the ability to adapt its protections to thwart the ever-changing tactics, techniques, and procedures (TTPs) in use by APTs (advanced persistent threats) today. To show process maturity, a CMMC Level 4 organization is expected to review and document all activities; this, in turn, increases the process’s ability to perform well and informs high-level management of any issues.
At CMMC Level 5, an organization has an advanced cybersecurity program that has demonstrated an ability to optimize its cybersecurity capabilities. These organizations have the ability to optimize their cybersecurity programs in an effort to dissuade APTs. To demonstrate process maturity at this level, organizations are expected to ensure that process implementation has become standard across the organization.
If I Comply With CMMC, am I Compliant With NIST 800-171?
The short answer is no. On its own, passing a CMMC audit does not imply that you are compliant with NIST 800-171. The focus of CMMC is the controls surrounding CUI. CMMC does not include the NFO (non-federal organization) controls that are contained in NIST 800-171. Unlike NIST SP 800-171, CMMC uses five levels of cybersecurity. Along with evaluating the maturity of a company’s controls, the CMMC also gauges a company’s maturity regarding cybersecurity practices and processes.
Let us Ignyte the way!
At Ignyte we recognize that this process can be difficult, and we want to help with every step of your next audit! Because of the complexity and confusion surrounding this process, we developed Ignyte's pre-assessment tool.
Ignyte's pre-assessment tool is designed based on the most current version of the DoD Cybersecurity Maturity Model Certification (CMMC). It covers only CMMC Level 1 (also known as Basic Cyber Hygiene). The CMMC is part of an effort focused on the security and resiliency of the Defense Industrial Base (DIB) sector.
The CMMC consolidates many cybersecurity standards into one model. The CMMC is organized into 17 "domains" and related processes and practices around cybersecurity. The majority of these domains originate from Federal Information Processing Standards (FIPS) Publication 200 and the related requirements of NIST SP 800-171.
There are 6 domains associated with Level 1:
● Access Control
● Identification and Authentication
● Media Protection
● Physical Protection
● Systems and Communication Protection
● System and Information Integrity