What Is CMMC Compliance?

CMMC Compliance

CMMC stands for Cybersecurity Maturity Model Certification. It is a framework designed to assess and enhance the cybersecurity posture of companies working with the U.S. Department of Defense (DoD), and specifically of the Defense Industrial Base (DIB) sector. The purpose of CMMC compliance is to ensure that appropriate levels of cybersecurity practices and processes are in place to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) that reside on DIB networks.

CMMC Compliance Levels

CMMC establishes five certification levels, which demonstrate the maturity and reliability of a company’s cybersecurity infrastructure and ensure the safeguarding of government information on the contractor’s information systems. The levels are cumulative, meaning that to achieve a higher level, compliance with all lower levels is required.

Within the CMMC there are 17 domains, made up of 43 capabilities. The capabilities are divided into 171 practices, the technical activities required to meet a given capability, and 5 processes, which measure how well the organization has institutionalized those practices. The practices and processes are parallel to one another, so an organization must meet the requirements for the level it seeks in both the practice and the process realms. If it does not, the contractor will be certified at the lowest level it achieves in either processes or practices.

Not all contractors need to achieve Level 5 CMMC compliance. The required level depends on the sensitivity of the DoD information that the contractor will work with, and on the range of cyber threats associated with that information.

CMMC Compliance Levels and Descriptions

Level 1 – Basic Cyber Hygiene

Processes: performed (N/A)
Practices: basic cyber hygiene
L1 focuses on the protection of FCI and consists only of practices that correspond to the basic safeguarding requirements specified in 48 CFR 52.204-21 (“Basic Safeguarding of Covered Contractor Information Systems”).

Level 2 – Intermediate Cyber Hygiene

Processes: documented
Practices: intermediate cyber hygiene
L2 requires that an organization establish and document practices and policies to guide the implementation of its CMMC efforts.
Documentation of practices enables individuals to perform them in a repeatable manner.
Organizations develop mature capabilities by documenting their processes and then practicing them as documented.
L2 serves as a progression from L1 to L3.
It consists of a subset of the security requirements specified in NIST SP 800-171, as well as practices from other standards and references.
Because this is a transitional stage, a subset of the practices reference the protection of CUI.

Level 3 – Good Cyber Hygiene

Processes: managed
Practices: good cyber hygiene
L3 requires that an organization establish, maintain and resource a plan demonstrating the management of activities for practice implementation.
The plan may include information on missions, goals, project plans, resourcing, required training and the involvement of relevant stakeholders.
L3 focuses on the protection of CUI and encompasses all of the security requirements specified in NIST SP 800-171, as well as practices from other standards and references to mitigate threats.
Note that DFARS clause 252.204-7012 (“Safeguarding of Covered Defense Information and Cyber Incident Reporting”) specifies additional requirements beyond the NIST SP 800-171 security requirements, such as incident reporting.

Level 4 – Proactive

Processes: reviewed
Practices: proactive
L4 requires that an organization review and measure its practices for effectiveness.
Additionally, organizations at L4 are able to take corrective action when necessary and inform higher-level management of status or issues on a recurring basis.
L4 focuses on the protection of CUI from advanced persistent threats (APTs) and encompasses a subset of the enhanced security requirements from Draft NIST SP 800-171B, as well as other cybersecurity best practices.
These practices enhance the detection and response capabilities of an organization to address and adapt to the changing tactics, techniques and procedures (TTPs) used by APTs.

Level 5 – Advanced/Progressive

Processes: optimizing
Practices: advanced/progressive
L5 requires organizations to standardize and optimize process implementation across the organization.
L5 focuses on the protection of CUI from APTs.
The additional practices increase the depth and sophistication of cybersecurity capabilities.

Enhancing DoD Contractor Security: From DFARS to CMMC

Prior to CMMC, DFARS clause 252.204-7012 stipulated that contractors were tasked with implementing, monitoring, and certifying the security of their technology systems and of any sensitive Department of Defense information stored on or transferred by those systems. Contractors are still responsible for implementing key cybersecurity capabilities, but CMMC provides the Department of Defense with additional security assurance in the form of a third-party assessment of contractors’ compliance with specific mandatory practices, procedures and capabilities that can adapt to new and evolving cyber threats from adversaries.

By requiring CMMC certification, the Department of Defense aims to enhance the cybersecurity posture of its supply chain, providing greater assurance that contractors possess the necessary capabilities to protect sensitive information from evolving cyber threats. This approach helps standardize cybersecurity requirements across the defense industrial base and ensures a consistent level of security readiness among contractors.

Next Steps for Contractors CMMC Compliance

Contractors need to familiarize themselves with the CMMC’s technical requirements and ready themselves both for certification and for long-term cybersecurity agility. Contractors should evaluate their practices, procedures and gaps, and take action to remediate any identified vulnerabilities.

Sepio offers valuable assistance to DoD contractors on their journey towards achieving CMMC compliance. Sepio’s platform helps organizations navigate the complexities of CMMC requirements, ensuring coverage across various practices, including those up to Level 5.

As the leader in Rogue Device Mitigation (RDM), Sepio’s Asset Risk Management (ARM) platform provides ultimate visibility into all peripherals, uncovering hidden hardware attacks operating over network and USB interfaces (USB attacks).

Sepio is the only company in the world to provide physical layer visibility. Sepio calculates a digital fingerprint using the device descriptors of all connected peripherals and compares them against a known set of malicious devices, automatically blocking any hardware attacks.

Feel free to contact us to further discuss the benefits of Sepio and how we can help you achieve CMMC compliance.

Learn more about cybersecurity compliance:
GDPR security compliance
cybersecurity regulatory compliance gaps
cybersecurity compliance in the financial sector
NIST compliance

October 5th, 2020