A Guide to the Cybersecurity Maturity Model Certification (CMMC)

Graphic: In this guide, we'll explain what the cybersecurity maturity model certification, or CMMC, is and how you, as a DoD contractor or subcontractor, can achieve compliance in two different ways.

Table of Contents

• What is the cybersecurity maturity model certification (CMMC)?
• What is federal contract information (FCI) and controlled unclassified information (CUI)?
• What is cyber maturity?
• What are the CMMC domains and levels?
• Who is required to have a CMMC certification?
• How do I know which CMMC level is required?
• How do I achieve CMMC compliance?
• Trenton Systems' CMMC compliance
• Additional resources

I'm about to rattle off some statistics about cybercrime, but I invite you to stick with me.

An estimated $600 billion - that's almost 1 percent of global GDP - is lost to cybercrime globally each year, according to a 2018 report by the Council for Strategic and International Studies (CSIS) and McAfee.

That's $155 billion more than in 2016.

In 2016, the United States economy lost between $57 billion and $109 billion to malicious cyber activity, according to a 2018 report by the Council of Economic Advisers.

Fifty-seven billion dollars is nearly the GDP of Costa Rica, and $109 billion is just below the GDP of Morocco.

Still with me? Now, what if I told you that, according to a 2019 analysis by Juniper Research, losses to cybercrime data breaches are expected to exceed $5 trillion by 2024?

That's more than the GDP of Japan, which has the third-largest GDP in the world.

It's devastating, right? So many billions, and eventually trillions, of dollars lost due to cybercrime, much of which can be identified, targeted, and compromised before the enemy can even execute.

For obvious reasons, the United States Department of Defense (DoD), and the defense industrial base (DIB) that supports it, is an appetizing target for independent and state-sponsored hackers and cybercriminals.

It's a major reason why the DoD has developed the cybersecurity maturity model certification (CMMC), the purpose of which is to enhance cybersecurity practices across both the DoD and the DIB.

Graphic: The cybersecurity maturity model certification (CMMC) will be used to assess the level of cybersecurity protections that DoD contractors and subcontractors have in place.

What is the cybersecurity maturity model certification (CMMC)?

The cybersecurity maturity model certification (CMMC) is a computer protection assessment and verification standard for defense contractors providing products and services to the United States Department of Defense (DoD).

Developed by the Office of the Under Secretary of Defense for Acquisition and Sustainment, university-affiliated research centers (UARCs), federally funded research and development centers (FFRDCs), and industry, the purpose of the CMMC is to ensure that the more than 300,000 companies comprising the defense industrial base (DIB), which regularly store and transmit sensitive DoD data, have cybersecurity controls in place to protect such controlled unclassified information (CUI) from cyberattacks.

The first iteration of the CMMC, version 1.0, was released to the public on January 31, 2020. You can download the most recent version of the CMMC below.

CMMC 2.0 was announced in November 2021. Learn more about the latest update here. 

The DoD announced the CMMC in January at a press conference, during which Under Secretary Ellen Lord said that the DoD plans to publish as many as 10 requests for information (RFIs) with CMMC requirements by June 2020 and their corresponding requests for proposals (RFPs) by September 2020.

The CMMC requires that defense contractors and subcontractors undergo external security audits conducted by independent, third-party, CMMC-accredited organizations to verify compliance with DoD cybersecurity standards. These CMMC third-party assessment organizations (CP3AOs) will be accredited by the CMMC Accreditation Body, which works directly with the DoD.

During their audits, these third-party assessment organizations will use a multi-tiered scoring system to assign DoD contractors and subcontractors a specific cybersecurity hygiene classification, and in turn, relay the results of the audits to the DoD, informing it of any potential security risks related to the potential, unwanted dissemination of CUI.

Graphic: Both FCI and CUI are stored and transmitted on computer systems belonging to DoD contractors and subcontractors. The CMMC aims to enhance the digital protections of both types of information.

What is federal contract information (FCI) and controlled unclassified information (CUI)?

Controlled unclassified information (CUI) is defined by the DoD as “information the government creates or possesses, or that an entity creates or possesses for or on behalf of the government, that a law, regulation, or government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.”

In simpler terms, CUI is data or material created by or for the U.S. government that is not considered “classified” but is still sensitive enough to warrant protection.

Protection of federal contract information (FCI), defined as “information, not intended for public release, that is provided by or generated for the government under a contract to develop or deliver a product or service to the government, but not including information provided by the government to the public (such as on public websites) or simple transactional information, such as necessary to process payments,” is also part of the CMMC.

DoD contractors and subcontractors will be required to meet a minimum of CMMC Level 1 if they possess FCI but not CUI. If they possess CUI as well, they must meet at least CMMC Level 3.

Keep reading to learn more about the CMMC levels.

Graphic: Cyber maturity levels can range from basic protection, such as username-and-password validation and antivirus software, to more dynamic, state-of-the-art security measures.

What is cyber maturity?

Cybersecurity maturity is the state of a business’ or organization’s cybersecurity effectiveness, usually existing within the framework of a specific cybersecurity maturity model.

As the name implies, a cybersecurity maturity model is the actual framework used to determine the developmental effectiveness of a business’ or organization’s cybersecurity controls. It uses progressive, domain-specific maturity levels or tiers to accomplish this goal. In other words, as levels or tiers increase, so, too, does the efficacy of cybersecurity within a business or organization.

In essence, cybersecurity maturity models provide businesses and organizations with a goal-oriented path to better, more advanced cybersecurity controls, which range from basic username-and-password validations and antivirus software packages to much more advanced, dynamic, and state-of-the-art security measures.

The CMMC, specifically, establishes several cybersecurity processes and practices across five levels, each of which is cumulative, meaning that businesses and organizations must demonstrate adherence to the previous level before achieving the next.

Graphic: The CMMC contains 17 technical domains, as well as five maturity processes and 171 total practices distributed across five levels.

What are the CMMC domains and levels?

The CMMC incorporates 17 technical domains, 14 of which originate from the already established Federal Information Processing Standards (FIPS) 200 and NIST SP 800-171.

The CMMC adds three new domains: Asset Management, Recovery, and Situational Awareness.

The 17 CMMC domains are as follows:

1. Access Control - organizations must limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems) and to the types of transactions and functions that authorized users are permitted to exercise.
2. Asset Management - organizations must identify and document assets and manage asset inventory.
3. Awareness and Training - organizations must ensure that managers and users of organizational information systems are made aware of the security risks associated with their activities and of the applicable laws, executive orders, directives, policies, standards, instructions, regulations, or procedures related to the security of organizational information systems, as well as ensure that organizational personnel
are adequately trained to carry out their assigned information security-related duties and responsibilities.
4. Audit and Accountability - organizations must create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity, as well as ensure that the actions of individual information system users can be uniquely traced to those users so they can be held accountable for their actions.
5. Configuration Management - organizations must establish and maintain baseline configurations and inventories of organizational information systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles, as well as establish and enforce security configuration settings for information technology products employed in organizational information systems.
6. Identification and Authentication - organizations must identify information system users, processes acting on behalf of users, or devices and authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
7. Incident Response - organizations must establish an operational incident handling capability for organizational information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities, as well as track, document, and report incidents to appropriate organizational officials and/or authorities.
8. Maintenance - organizations must perform periodic and timely maintenance on organizational information systems, as well as provide effective controls on the tools, techniques, mechanisms, and personnel used to conduct information system maintenance.
9. Media Protection - organizations must protect information system media, both paper and digital, limit access to information on information system media to authorized users, as well as sanitize or destroy information system media before disposal or release for reuse.
10. Physical Protection - organizations must limit physical access to information
systems, equipment, and the respective operating environments to authorized individuals protect the physical plant and support infrastructure for information systems; provide supporting utilities for information systems, protect information systems against environmental hazards; and provide appropriate environmental controls in facilities containing information systems.
11. Personnel Security - organizations must  ensure that individuals occupying positions of responsibility within organizations (including third-party service providers) are trustworthy and meet established security criteria for those positions; ensure that organizational information and information systems are protected during and after personnel actions such as terminations and transfers; and employ formal sanctions for personnel failing to comply with organizational security policies and
procedures.
12. Recovery - organizations must manage backups and information security continuity.
13. Risk Assessment - organizations must periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational information systems and the associated processing, storage, or transmission
of organizational information.
14. Security Assessment - organizations must periodically assess the security controls in organizational systems to determine if the controls are effective in their application.
15. Situational Awareness - organizations must implement threat monitoring.
16. System and Communications Protection - organizations must monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems, as well as employ architectural designs, software development techniques, and systems engineering principles that promote
effective information security within organizational information systems.
17. System and Information Integrity - organizations must identify, report, and correct information and information system flaws in a timely manner; provide protection from malicious code at appropriate locations within organizational information systems; and monitor information system security alerts
and advisories and take appropriate actions in response.

Each of these domains is important to the compliance process. You can find a complete list of the capabilities and practices associated with each domain in a handy table located in Appendix A of the CMMC Appendices.

In addition, each of the 17 CMMC domains contains five maturity processes and 171 practices distributed across five levels.

Graphic: The five CMMC certification levels

The five levels, maturity processes, and practices are summarized as follows:

• Level 1: Basic Cyber Hygiene (17 practices)
  • Processes (Performed): Level 1 requires that an organization performs the specified practices. Because the organization may only be able to perform these practices in an ad-hoc manner and may or may not rely on documentation, process maturity is not assessed for Level 1.
  • Practices (Basic Cyber Hygiene): Level 1 focuses on the protection of FCI and consists only of practices that correspond to the basic safeguarding of requirements specified in 48 CFR 52.204-21.
• Level 2: Intermediate Cyber Hygiene (72 practices)
  • Processes (Documented): Level 2 requires that an organization establish and document practices and policies to guide the implementation of their CMMC efforts. The documentation of practices enables individuals to perform them in a repeatable manner. Organizations develop mature capabilities by documenting their processes and then practicing them as documented.
  • Practices (Intermediate Cyber Hygiene): Level 2 serves as a progression from Level 1 to Level 3 and consists of a subset of the security requirements specified in NIST SP 800-171 as well as practices from other standards and references. Because this level represents a transitional stage, a subset of the practices references the protection of CUI.
• Level 3: Good Cyber Hygiene (130 practices)
  • Processes (Managed): Level 3 requires that an organization establish, maintain, and resource a plan demonstrating the management of activities for practice implementation. The plan may include information on missions, goals, project plans, resourcing, required training, and involvement of relevant stakeholders.
  • Practices (Good Cyber Hygiene): Level 3 focuses on the protection of CUI and encompasses all of the security requirements specified in NIST SP 800-171 as well as additional practices from other standards and references to mitigate threats. It is noted that DFARS clause 252.204-7012 specifies additional requirements beyond the NIST SP 800-171 security requirements such as incident reporting.
• Level 4: Proactive (156 practices)
  • Processes (Reviewed): Level 4 requires that an organization review and measure practices for effectiveness. In addition to measuring practices for effectiveness, organizations at this level are able to take corrective action when necessary and inform higher level management of status or issues on a recurring basis.
  • Practices (Proactive): Level 4 focuses on the protection of CUI from advanced persistent threats (APTs) and encompasses a subset of the enhanced security requirements from Draft NIST SP 800-171B as well as other cybersecurity best practices. These practices enhance the detection and response capabilities of an organization to address and adapt to the changing tactics, techniques, and procedures (TTPs) used by APTs.
• Level 5: Advanced/Progressive (171 practices)
  • Processes (Optimizing): Level 5 requires an organization to standardize and optimize process implementation across the organization.
  • Practices (Advanced/Progressive): Level 5 focuses on the protection of CUI from APTs. The additional practices increase the depth and sophistication of cybersecurity capabilities.

For a complete list of practices for each domain and at each level, refer to pages 16-26 of CMMC v1.02.

Graphic: If you're a DoD contractor or subcontractor, you'll need to eventually achieve some level of CMMC compliance to win, or provide products and services to those winning, DoD contracts.

Who is required to have a CMMC certification?

Any DoD contractors or subcontractors storing or transmitting FCI or CUI will be required to obtain a CMMC certification prior to bidding on future DoD contracts.

DoD businesses must be able to meet a minimum of CMMC Level 1 for FCI or a minimum of CMMC Level 3 for CUI.

How do I know which CMMC level is required?

The CMMC level required for a specific contract will be specified on the DoD's RFIs and RFPs.

CMMC requirements began appearing on DoD RFIs in June of 2020. Expect to see the requirements in the RFP process by September 2020.

As mentioned before, whether you're a military prime or a smaller subcontractor, some level of compliance will eventually be necessary to win or participate in certain DoD contracts. 

Companies that solely produce commercial-off-the-shelf (COTS) products do not require a CMMC certification.

Graphic: Contractors and subcontractors can achieve compliance through in-house means or by partnering with companies specializing in CMMC compliance.

How do I achieve CMMC compliance?

Previously, contractors and subcontractors could certify their FCI and CUI cybersecurity practices and the information systems housing this information themselves.

With the introduction of the CMMC certification, this is no longer an option; therefore, businesses and organizations storing or transmitting FCI or CUI must either establish CMMC compliance using in-house means or hire a cybersecurity company capable of ensuring CMMC compliance.

Many contractors and subcontractors have the resources necessary to achieve compliance without outside help, but if you’re unable to achieve CMMC compliance in-house, there are a few companies and resources that can help ensure you’re on the right track:

• A-Lign
• PivotPoint Security
• Hyper Vigilance
• SysArc
• Dun & Bradstreet’s and QOMPLX’s CMMC Pre-Assessment Tool
• Focal Point’s CMMC Assessment

Graphic: We at Trenton Systems are on track to achieve CMMC compliance.

Trenton Systems’ CMMC compliance

Trenton Systems is working toward obtaining the Cybersecurity Maturity Model Certification through the Office of the Under Secretary of Defense for Acquisition & Sustainment.

We recognize the economic and national security risks associated with the loss of both FCI and CUI. Our intent is to incorporate CMMC accreditation into our manufacturing operations while continuing our ongoing and active support of the Defense Federal Acquisition Regulation Supplement (DFARS).

For more information on CMMC, visit the Office of the Under Secretary of Defense for Acquisition and Sustainment’s CMMC web page or view the additional resources below.

Additional resources

• Latest CMMC Updates
• CMMC FAQs
• CMMC Overview PDF
• CMMC Version 1.02 PDF
• CMMC Downloads Page
• FIPS 200
• NIST SP 800-171
• DFARS