In order to achieve CMMC compliance, organizations must implement a comprehensive set of cybersecurity measures. CMMC, which stands for Cybersecurity Maturity Model Certification, is a framework designed to assess and enhance the cybersecurity posture of companies working with the U.S. Department of Defense (DoD). Essentially, the CMMC acts as a framework to better assess and improve the cybersecurity posture of the Defense Industrial Base (DIB) sector. The purpose of CMMC compliance is to ensure that appropriate levels of cybersecurity practices and processes are in place to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) that reside on the DIB’s networks.
CMMC establishes five certification levels, which demonstrate the maturity and reliability of a company’s cybersecurity infrastructure and guarantee the safeguarding of government information on the contractor’s information system. The levels are cumulative, meaning that to be certified at a higher level, compliance with all lower levels is required.
Within the CMMC there are 17 domains, made up of 43 capabilities. The CMMC is divided into 171 practices, the technical activities required within any given capability requirement, and 5 processes, which measure the maturity of the organization’s institutionalization. The practices and processes are parallel to one another; therefore, an organization must meet the requirements for the level it seeks in both the practice and the process realms. If not, the contractor will be certified at the lowest level it achieves in either processes or practices.
Not all contractors need to achieve Level 5 CMMC compliance. The required level depends on the sensitivity of the DoD information the contractor will work with, and on the range of cyber threats associated with that information.
CMMC Compliance Levels and Descriptions
| Level | Processes | Process requirement | Practices | Practice focus |
|---|---|---|---|---|
| Level 1 | Performed | N/A | Basic cyber hygiene | L1 focuses on the protection of FCI and consists only of practices that correspond to the basic safeguarding requirements specified in 48 CFR 52.204-21 (“Basic Safeguarding of Covered Contractor Information Systems”). |
| Level 2 | Documented | L2 requires that an organization establish and document practices and policies to guide the implementation of its CMMC efforts. Documentation of practices enables individuals to perform them in a repeatable manner. Organizations develop mature capabilities by documenting their processes and then practicing them as documented. | Intermediate cyber hygiene | L2 serves as a progression from L1 to L3. It consists of a subset of the security requirements specified in NIST SP 800-171 as well as practices from other standards and references. Because this is a transitional stage, a subset of the practices reference the protection of CUI. |
| Level 3 | Managed | L3 requires that an organization establish, maintain and resource a plan demonstrating the management of activities for practice implementation. The plan may include information on missions, goals, project plans, resourcing, required training and involvement of relevant stakeholders. | Good cyber hygiene | L3 focuses on the protection of CUI and encompasses all of the security requirements specified in NIST SP 800-171 as well as practices from other standards and references to mitigate threats. Note that DFARS clause 252.204-7012 (“Safeguarding of Covered Defense Information and Cyber Incident Reporting”) specifies additional requirements beyond the NIST SP 800-171 security requirements, such as incident reporting. |
| Level 4 | Reviewed | L4 requires that an organization review and measure practices for effectiveness. Additionally, organizations at L4 are able to take corrective action when necessary and inform higher-level management of status or issues on a recurring basis. | Proactive | L4 focuses on the protection of CUI from APTs and encompasses a subset of the enhanced security requirements from Draft NIST SP 800-171B, as well as other cybersecurity best practices. These practices enhance the detection and response capabilities of an organization to address and adapt to the changing tactics, techniques and procedures (TTPs) used by APTs. |
| Level 5 | Optimizing | L5 requires organizations to standardize and optimize process implementation across the organization. | Advanced/proactive | L5 focuses on the protection of CUI from APTs. The additional practices increase the depth and sophistication of cybersecurity capabilities. |
Enhancing DoD Contractor Security: From DFARS to CMMC
Prior to CMMC, DFARS clause 252.204-7012 stipulated that contractors were responsible for implementing, monitoring, and certifying the security of their technology systems and of any sensitive DoD information stored on or transferred by those systems. Contractors remain responsible for implementing key cybersecurity capabilities, but CMMC provides the DoD with additional security assurance in the form of a third-party assessment of contractors’ compliance with specific mandatory practices, procedures and capabilities that can adapt to new and evolving cyber threats from adversaries.
Next Steps for Contractors’ CMMC Compliance
Contractors need to familiarize themselves with the CMMC’s technical requirements and ready themselves for both certification and long-term cybersecurity agility. Contractors should evaluate their practices, procedures and gaps, and take action to remediate any identified vulnerabilities.
Sepio offers valuable assistance to DoD contractors in their journey towards achieving CMMC compliance. Sepio’s solutions help organizations navigate the complexities of CMMC requirements and ensure coverage across various practices, including those up to Level 5.
As the leader in Rogue Device Mitigation (RDM), Sepio’s Asset Risk Management (ARM) platform provides ultimate visibility into all peripherals, uncovering hidden hardware attacks operating over network and USB interfaces.
The only company in the world to undertake physical layer visibility fingerprinting, Sepio calculates a digital fingerprint using the device descriptors of all connected peripherals and compares them against a known set of malicious devices, automatically blocking any hardware attacks.
Feel free to contact us to further discuss the usage and benefits of Sepio and how we can help you achieve CMMC compliance.