Achieving Cybersecurity Maturity Model Certification (CMMC) for US Department of Defense Contractors
How C3PAO auditors and DoD contractors can assess and demonstrate CMMC compliance across 17 capability domains with Prevalent.
VP, Product Marketing
April 28, 2020
On January 31, 2020, the Office of the Under Secretary of Defense for Acquisition and Sustainment in the United States Department of Defense (DoD) released v1.0 of the Cybersecurity Maturity Model Certification (CMMC). Developed to serve as a single cybersecurity standard for all DoD acquisitions, CMMC requires that each of the more than 300,000 DoD contractors become CMMC certified beginning in October 2020, with a five-year phase-in and renewals every three years after that.
CMMC requires companies to achieve third-party certification against cybersecurity and information handling best practices, with that certification eventually determining whether a company can be awarded a contract by the DoD. Meant to help small businesses demonstrate cybersecurity protections more easily and cost-effectively, CMMC aims to ensure that our entire national defense supply chain is secure and resilient.
This blog discusses the levels of CMMC certification available to DoD contractors, how certification content was developed, processes for certification, how contractors can achieve Level 1 certification in particular, and how certified auditors can use the Prevalent Third-Party Risk Management Platform to facilitate the assessment process.
CMMC Certification Levels
There are five levels of CMMC certification ranging from Level 1 (lowest, Basic Cyber Hygiene) to Level 5 (highest, Advanced/Progressive) with increasing requirements and costs for each level. See the graphic below for an explanation of the levels.
Level 1 certification will apply to the vast majority of all DoD contractors, about 285,000, and will require that the company report against 17 no-cost controls that are based on good business practices and standard cyber hygiene.
Level 2 is a transitional level for organizations with the resources to reach for Level 3.
Level 3 certification applies to organizations that are approved to handle controlled unclassified information (CUI) and requires those companies by law to demonstrate certification against all 110 controls in NIST SP 800-171. Level 3 certification will apply to about 15,000 contractors to the DoD.
Levels 4 and 5 each apply to approximately 0.06% of all DoD suppliers. Unless a firm receives CUI, all it needs to maintain is CMMC Level 1 certification.
All DoD contractors will need to become CMMC certified by passing an audit. This will validate they have met the appropriate level of cybersecurity to conduct business with the DoD. CMMC assesses against 17 capability domains as noted in the figure above. For a representation of the cumulative certification requirements by level, see the figure below.
Every DoD supplier will need to visit www.cmmcab.org in order to see which cyber third-party audit organizations (C3PAOs) are certified to be auditors. (Note: The auditing process currently requires an onsite component, so the current pandemic may impact the timeline for auditor certification.) Once the supplier audit is complete, the auditor will submit the audit information report to the CMMC accreditation body, and the accreditation body will issue the certification to the business.
How Auditors Can Perform CMMC Assessments for All 5 Levels
CMMC certified auditors can use the Prevalent Third-Party Risk Management Platform, which includes controls questionnaires for all five CMMC levels. With this access, certified auditors can:
Invite clients into the Prevalent platform to complete standardized control assessments in an easy-to-use, secure tenant
Automate chasing reminders to clients to reduce the time required to complete assessments
Centralize supporting documents submitted as evidence of the presence of controls
Produce a single risk register based on client responses
Issue remediation recommendations for failed controls
CMMC Level 1 Certification in Detail
Auditors and DoD suppliers should consult the specific requirements for demonstrating controls at each certification level as outlined by the Under Secretary of Defense for Acquisition and Sustainment. This section of the blog focuses on Level 1 certification only, because it pertains to the vast majority of DoD contractors, and should not be considered specific compliance guidance. See below for a summary of the 17 CMMC Level 1 practices by domain.
17 Level 1 Practices by Domain
Access Control (AC)
AC.1.001 Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
AC.1.002 Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
AC.1.003 Verify and control/limit connections to and use of external information systems.
AC.1.004 Control information posted or processed on publicly accessible information systems.
Identification and Authentication (IA)
IA.1.076 Identify information system users, processes acting on behalf of users, or devices.
IA.1.077 Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
Media Protection (MP)
MP.1.118 Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.
Physical Protection (PE)
PE.1.131 Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
PE.1.132 Escort visitors and monitor visitor activity.
PE.1.133 Maintain audit logs of physical access.
PE.1.134 Control and manage physical access devices.
System and Communications Protection (SC)
SC.1.175 Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
SC.1.176 Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
System and Information Integrity (SI)
SI.1.210 Identify, report, and correct information and information system flaws in a timely manner.
SI.1.211 Provide protection from malicious code at appropriate locations within organizational information systems.
SI.1.212 Update malicious code protection mechanisms when new releases are available.
SI.1.213 Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.
How DoD Contractors Can Perform CMMC Level 1 Self-Assessments
Any DoD contractor can use the Prevalent Third-Party Risk Management Platform to conduct a Level 1 pre-assessment prior to the formal audit. With this access, DoD contractors can:
Assess against the 17 controls required to measure Level 1 compliance
Upload documentation and evidence to support answers to questions
Gain visibility into current compliance status
Leverage built-in remediation guidance to address shortcomings prior to your formal audit
Scott Lang has 25 years of experience in security, currently guiding the product marketing strategy for Prevalent’s third-party risk management solutions where he is responsible for product content, launches, messaging and enablement. Prior to joining Prevalent, Scott was senior director of product marketing at privileged access management leader BeyondTrust, and before that director of security solution marketing at Dell, formerly Quest Software. He can be reached on Twitter @scottinohio, LinkedIn and Facebook.