Written by Anders Hval Olsen, Security Consultant at mnemonic’s Governance, Risk & Compliance department
The Cybersecurity Maturity Model Certification (CMMC) was introduced in January 2020 by the United States’ Office of the Under Secretary of Defense for Acquisition & Sustainment. This blogpost outlines the core principles of the CMMC framework, and discusses how CMMC differs from other established frameworks when it comes to security practices, maturity definitions and the certification process itself.
It will also present how CMMC will influence both US organisations and international subcontractors of the US defence industry performing everything from software development to human resource services. It is expected that subcontractors that retrieve, process or use sensitive information from the US defence industry will be subject to the requirements defined in the CMMC framework.
The blog post also presents some advice on how to get a head start while we are waiting for the framework to be rolled out.
What is CMMC?
There is no shortage of information security frameworks. Some of the more established frameworks include ISO 27001, NIST SP 800-171, and NIST 800 SP 800-53. These are often accompanied by compliance reports such as SOC 2 or ISAE 3402. If there weren’t’ already enough acronyms, here’s one more: CMMC. This particular acronym however may prove to have a significant impact on the global defence industry.
CMMC is a certification framework that sets out to secure the US defence industry and their associated Controlled Unclassified Information (CUI). Defining CUI could be a blogpost itself, but to keep it short; it is information that is considered to be sensitive, but not so sensitive that it is considered classified. In other words, it is sensitive information that the nation does not depend upon.
The CMMC framework also grants organisations the possibility to certify and attest their information security maturity, much like the ISO 27001 certification.
By the looks of it, the framework might have consequences beyond just the defence industry. The framework consists of a lot of useful content, and there are few limitations in regards to which sectors it might affect - both public and private organisations are on the table. Nevertheless, implementation of the CMMC framework outside the defence industry is a futuristic topic; the US defence industry consist of more than 300,000 organisations, and it is a safe assumption to say that it will take some time to get everyone on-board.
CMMC on a global scale
If you are working for a non-US organisation, the CMMC will still apply to you. One of our key learnings is that CMMC will affect all subcontractors of the US organisation that process or store Federal Contract Information (FCI) and/or CUI as part of their service delivery. FCI is easier than CUI to define, as this primarily includes contractual information not intended for public release.
Five levels of Cyber Security Maturity
One of the key elements that differentiate CMMC from other frameworks is that CMMC has defined five different levels of cyber hygiene. This means that CMMC is not a one-size-fits-all-framework. This approach is refreshing change in the world of information security frameworks. Most frameworks today, especially those you can certify yourself after, are rarely open for tailoring the requirements to the actual needs of the organisation.
The cyber security maturity levels outlined in CMMC are quite straightforward. The lowest levels set the basics requirements to information security, while the higher levels set more mature requirements. Each level defines a set of practices and policies that need to be adhered to. How to adhere to each practice is not yet set in stone, but I suspect that the specific controls used to measure maturity will be similar to what we have seen in NIST SP 800-171 and in NIST SP 800-53.
Each level is further summarised in the table below:
Click to enlarge: Summary of the five maturity levels of CMMC
What roles will CMMC introduce?
The CMMC Accreditation Body (CMMC-AB) have throughout 2020 tried to nourish the public with answers, timelines and other information relevant to the CMMC-framework. Their website introduces the reader to the various roles that will be applicable. These roles differ in scope and include both organisation-wide roles and certifications as well as individual roles and certifications.
The currently published roles are defined below:
A. Third-Party Assessor Organisations (C3PAO) and Assessors – C3PAOs are organisations employing Certified Assessors which are responsible for auditing and certifying provider organisations according to the CMMC requirements.
B. Registered Provider Organisations (RPO) and Registered Practitioners – RPOs are organisations employing registered practitioners and are authorised to represent the organisation as they are familiar with the basic constructs of the CMMC standard with a CMMC-AB provided logo. They will provide non-certified CMMC consulting services.
C. Licensed Partner Publishers (LPP) – LPPs are organisations that create and provide the training materials for CMMC. The training material is used by Certified Instructors for training Certified Professionals and Certified Assessor applicants.
There are also three additional organisation roles, which are published but not yet defined:
D. Licensed Instructors (LI) – LIs are expected to be individuals that are trained and certified to teach assessor applicants the details and rigors of their CMMC assessment practices.
E. Licensed Training Providers (LTP) – LTPs are expected to be either public or private organisations that train Certified Professionals and Certified Assessors.
F. Licensed Software Provider (LSP) – CMMC-AB have not defined the responsibilities of the LSPs, but the name of the role gives us some indication of what it might be.
The current timeline
The timeline for the framework is constantly changing, so the timeline presented here may soon be adjusted. However as of November 2020, the timeline is:
Click to enlarge timeline
How should you prepare for the coming requirements?
There are still a multitude of questions and concerns surrounding the CMMC framework, and we will continue looking into how the framework will hit the global defence industry. Nevertheless, if your organisation processes FCI or CUI today, or are planning to do so in future, then it is very likely that you will be subject to the CMMC requirements and should already be preparing for them.
To give you a head start, here are our recommendations on how to prepare for the CMMC framework:
- Subscribe to the CMMC-AB website to stay updated about the framework, and attend workshops and seminars that relate to CMMC.
- Keep an eye on your national defence industry interest groups and communities to be up to date on any national briefings, meetings or guidelines that relate to CMMC.
- Identify which CMMC level that will be relevant to your organisation, and start reviewing how your current practices reflect the requirements from the chosen CMMC maturity level.
- Flag to the Board of Directors and/or relevant internal stakeholders that there will be a cost to both implementing potential new security controls, and also to the overall certification process.
- Perform a readiness assessment to see how well your organisation has implemented the CMMC-requirements, how well the requirements are documented and if the maturity is sufficient. The figure below shows mnemonic’s methodology in regards to how maturity assessments can be assessed and virtualised.
Click to enlarge: Example of result from a readiness assessment towards the CMMC requirements
If you have any questions regarding CMMC, or if you want to have an open discussion about how CMMC might affect your organisation, feel free to contact me at .