CMMC has become one of the looming issues for defense contractors as the Pentagon looks to fortify not only its own networks but also those of the defense industrial base. In this op-ed, Johann Dettweiler, director of operations at TalaTek, a risk management firm, answers frequently asked questions about how business leaders should think about the program.
What is Cybersecurity Maturity Model Certification?
The Cybersecurity Maturity Model Certification (CMMC) is the latest Department of Defense-mandated security framework for organizations seeking to provide goods or services to the department. Once fully rolled out, all DoD-contracting organizations must be compliant with CMMC standards, and those that are not may find themselves shut out of DoD business.
The first version of the CMMC requirements was released in late January. The gist of the program is that an organization is certified at one of five levels, from level 1 (basic cyber hygiene) to level 5 (advanced/progressive). Each successive level adds practices and processes that an organization must implement to be considered compliant at that level.
What are the different levels of CMMC and the approximate time it will take to achieve each level?
The five levels are: level 1, basic cyber hygiene; level 2, intermediate cyber hygiene; level 3, good cyber hygiene; level 4, proactive; and level 5, advanced/progressive. Each level builds on the one below it, adding processes and practices so that each level is successively more secure. Level 1 consists of 17 practices; level 2 adds 55 practices, level 3 adds 58 more, and so on.
Level 1 is relatively easy to achieve. It requires only the initial 17 practices and has limited documentation requirements. A small organization should be able to implement these practices in a matter of weeks, and an assessment at this level would probably take only two to three weeks. Although no independent auditors have yet been licensed or accredited to provide assessment services within the CMMC framework, guidelines for auditors are in the works.
A level 3 certification is far more complex. It has 130 practices to be implemented, and it requires organizations to have policies and procedures in place, to prepare a resourced plan for each of the 17 CMMC domains, and to maintain between three and 10 additional plans, such as a system security plan, a contingency plan, and an incident response plan. The amount of effort it takes to achieve level 3 certification depends on whether the organization is starting from scratch (no documentation, little to no IT security) or is already somewhat mature, with documented policies and procedures, implemented security requirements, and other framework certifications, among other initiatives.
Another thing to note is that level 3 includes all 110 NIST SP 800-171 requirements. An organization that stores, processes, or transmits Controlled Unclassified Information (CUI) is already mandated to have all NIST SP 800-171 requirements implemented and all policies and procedures documented, so it has already met roughly 85 percent (110 of 130 practices) of the level 3 requirements. In that case, getting to level 3 readiness might take only a few weeks to a month. An organization starting from the beginning, however, should conservatively allot four to six months, and in reality it could take upwards of a year to be fully ready.
Levels 4 and 5 are meant for highly mature organizations. One of the deal breakers that will prevent many small organizations from achieving these levels is the requirement for 24/7 system monitoring, such as a security operations center (SOC), which can be cost prohibitive for many small organizations. Organizations that already have 24/7 monitoring, however, are likely to be fairly mature in their documentation and other aspects as well, so reaching these levels may not take them very long.
The difference between a level 4 and a level 5 certification is only a single additional process and 15 additional practices, so I would suggest going the distance and achieving a level 5 certification. The same cannot be said of the gap between levels 3 and 4, where the technological requirements increase substantially.
How do businesses know which level of CMMC compliance they should prepare for?
It depends on what kind of business an organization wants to do with the government and, in particular, what kind of information it will handle.
If your organization processes, stores, or transmits Controlled Unclassified Information (CUI), we recommend you prepare for level 3, because you already have to implement the 800-171 requirements. CMMC level 3 includes all 110 requirements of 800-171 plus an additional 20 practices.
Unlike level 3, levels 1 and 2 do not include all of 800-171's requirements. So businesses that only process federal contract information (FCI) and do not expect to deal with CUI could aim for these levels.
At the Holland & Knight CMMC Impact on GovCon Summit on January 28, Katie Arrington, chief information security officer for the assistant secretary of defense for acquisition, described level 2 as a stepping stone for organizations on the way to a level 3 certification and said she does not expect to see many solicitations that require a level 2 certification.
In light of this, organizations should treat level 2 as essentially a temporary step on the way to level 3: level 2 does not offer sufficient CUI protections and does not cover all of the current 800-171 requirements.
Johann Dettweiler is director of operations at TalaTek, a risk management firm based in Oakton, Virginia.