On January 28th, 2020, the Department of Defense released version 1.0 of the Cybersecurity Maturity Model Certification (CMMC), which we previously discussed here. As expected, the CMMC relies heavily upon NIST 800-171 and also draws upon other sources and frameworks such as NIST CSF, NIST 800-53, Center for Internet Security controls, and FAR 52.204-21.

There are five levels of CMMC certification, numbered Level 1 through Level 5 — with Level 5 being the highest, and most rigorous, standard. All vendors interacting with Federal Contract Information (FCI) will be required to meet Level 1 as a minimum, while all contracts involving accessing, transmitting, or processing Controlled Unclassified Information (CUI) will need to be at Level 3 or above.

The next major milestone for the DoD in the deployment of the CMMC is the establishment of the CMMC Accreditation Body (AB), which will provide oversight and approval of organizations that wish to perform certification of organizations against the requirements of the CMMC.

2020 CMMC TIMELINE

The current timeline proposed by the Department of Defense is depicted below, with initial RFPs requiring CMMC certifications scheduled for release before the end of calendar year 2020.

2020 timeline diagram showing establishment of the CMMC AB in Q1, release of initial RFIs in Q2, release of a C3PAO directory in Q2, release of a CMMC update in Q3, training for CMMC levels 1-3 in Q3, training for CMMC levels 4-5 later in Q3, and release of initial RFPs in Q4.

The DoD has stated that they expect roughly 10 RFIs and 10 RFPs with CMMC requirements to be released during calendar year 2020 as the initial deployment of CMMC. Following that,

CMMC requirements will be phased in over a 5 year period, with all DoD contracts requiring CMMC certification by 2026.

CMMC VERSION 1.0 OVERVIEW

CMMC CONTROLS

CMMC controls are organized into a total of 17 domains/control families as follows:

1.  Access Control

2. Asset Management

3. Awareness and Training

4. Audit and Accountability

5. Configuration Management

6. Identification and Authentication

7. Incident Response

8. Maintenance

9. Media Protection

10. Personnel Security

11. Physical Protection

12. Recovery

13. Risk Management

14. Security Assessment

15. Situational Awareness

16. System and Communications Protection

17. System and Information Integrity

The majority of CMMC controls map to a number of other security frameworks, such as NIST 800-171 and NIST 800-53.

CMMC LEVELS

The CMMC levels are differentiated in the following fashion:

• Level 1 - at this level, systems and processes must comply with the requirements of FAR 52.204-21.

• Level 2 - at this level, systems and processes must comply with the requirements of 65 NIST 800-171 controls and 7 additional controls from other security frameworks. Level 2 is intended for organizations that are transitioning towards the handling of CUI.

• Level 3 - at this level, systems and processes must comply with the requirements of all 110 NIST 800-171 controls and 20 additional controls from other security frameworks, with an emphasis on threat mitigation.

• Level 4 - at this level, systems and processes must comply with the requirements of all 110 NIST 800-171 controls and 46 additional controls from other security frameworks, with a focus on threat detection and response.

• Level 5 - at this level, systems and processes must comply with the requirements of all 110 NIST 800-171 controls and 61 additional controls from other security frameworks, with an emphasis on protection of CUI from threats posed by Advanced Persistent Threats.

CMMC ASSESSMENT

CMMC assessment and certification will be performed by CMMC Third Party Assessment Organizations (C3PAOs). These organizations serve a similar purpose to Third Party Assessment Organizations (3PAOs) for FedRAMP assessments and must be authorized by the CMMC AB prior to performing assessments and certifications. At this time, no C3PAOs have been authorized by the CMMC AB — initial C3PAO authorization is expected in the second quarter of 2020.

INITIAL CMMC RECOMMENDATIONS

In preparation for assessment and certification against CMMC, we recommend the following steps:

1. Have a comprehensive initial assessment performed against your systems and processes to evaluate compliance with NIST 800-171. If you are able to determine the CMMC level that you will likely be assessed against, include any additional controls in said assessment.

2. Remediate any gaps identified during the assessment.

3. Ensure that you have a comprehensive policy and procedure library.

4. Prepare a System Security Plan (SSP) that documents compliance with the requirements of CMMC.

Leviathan Security Group can provide consulting services in preparation for CMMC and can also provide expert guidance during assessment and certification. Additionally, Leviathan Security Group can provide services for a wide range of cybersecurity and compliance needs, including in-depth software and hardware technical assessments, security and risk advising, and incident response and forensics.

Shea Nangle is the Federal Practice Lead for Leviathan Security Group. In addition to deep Federal security and compliance experience, he has significant experience in PCI DSS, SOC 2, and security maturation for growth stage companies. His research and volunteer activities include operational security and Open Source Intelligence.