The CMMC framework relies on a maturity model, in which contractors will be assessed against 5 levels of cybersecurity preparedness. The focus of the requirements of each level is on ensuring that sensitive defense information is protected from theft, corporate espionage, and hackers.
Each of the 5 levels is built upon the last, so that compliance with level one, for instance, is a necessity to achieve level two. It could well be that different contractors need only reach a certain minimum level in order to work on a particular project, but at the moment the way in which this will work is still being developed.
Details on the individual levels are available, however, so let’s run through each in turn.
Level 1: Basic Cyber Hygiene
The first level is for organizations to put in place “basic cyber hygiene” practices. These include using antivirus software and providing staff training to ensure that passwords and other authentication details are secure. This level is generally focused on protecting Federal Contract Information (FCI), defined as “information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government.”
In reality, any organization which has already been awarded DoD contracts will likely be compliant with this level. It constitutes a very low bar for contemporary firms, whether they work in the information sector or not, and appears to be a “placeholder” for new firms just beginning to look at their cybersecurity tools and processes.
Level 2: Intermediate Cyber Hygiene
Level two is where the requirements of the CMMC really begin. This level introduces a new type of data called Controlled Unclassified Information (CUI). CUI is defined by the DoD as “any information that law, regulation, or government-wide policy requires to have safeguarding or disseminating controls,” but does not include certain classified information.
Level two requires that organizations document certain “intermediate cyber hygiene” practices in order to protect CUI. It is based on, and is largely a re-statement of, the US Department of Commerce National Institute of Standards and Technology’s (NIST’s) Special Publication 800-171 Revision 2 (NIST 800-171 r2) security requirements. As such, any firm that can prove it has achieved compliance with this earlier framework should be able to meet this requirement.
In practice, compliance with NIST 800-171 r2, and therefore with level two of the CMMC, requires that firms have the following in place:
Access Control: Who has access and are they supposed to?
Awareness and Training: Did you train your staff about CUI?
Audit and Accountability: Do you know who is accessing CUI?
Configuration Management: Are you following the RMF guidelines to maintain secure configurations and manage change?
Identification and Authentication: Are you managing and auditing access to CUI?
Incident Response: What happens when there is a data breach?
Maintenance: How are processes maintained?
Media Protection: How are backups, external drives, and retired equipment handled?
Physical Protection: Who can access the place where your CUI lives?
Personnel Security: Is your staff trained to identify insider threats?
Risk Assessment: Have you done a risk assessment? Do you have scheduled pentesting exercises?
Security Assessment: How do you verify the security procedures are in place?
System and Communications Protection: Are your communications channels secure?
System and Information Integrity: Is there a defined process for addressing new vulnerabilities and system-down situations?
Level 3: Good Cyber Hygiene
Level three of the CMMC takes the requirements of level two further, and is based on an extension of the NIST 800-171 r2 standards. To be fully compliant with this level, organizations must have 47 security controls in place.
Again, for most firms already working with CUI, achieving this level need not be difficult. However, it is important to recognize that in order for your organization to be accredited, you will need to document the security procedures you already have in place. As we pointed out above, there is no self-certification in CMMC. Your organization will coordinate directly with an accredited and independent third-party commercial certification organization to request and schedule a CMMC assessment. Your company will specify the level of the certification requested based on your company’s specific business requirements.
Level 4: Proactive
Level four of the CMMC introduces the requirement for organizations to be proactive in measuring, detecting, and defeating threats. The audit processes required at this level involve looking at historical data on the threats you have been exposed to, and at how your organization responded to them.
In reading the CMMC guidelines, it’s clear that level four is intended to be the minimum level for prime contractors working with CUI. It replicates some of the requirements of DFARS, whilst also putting these into a framework in which they can be worked towards.
It’s also clear that level four is designed to allow organizations to deal with the threats presented by government-sponsored hackers. This level requires that organizations are able to respond to the changing tactics, processes, and capabilities of advanced persistent threats (APTs). An APT is defined as an adversary that possesses sophisticated levels of expertise and significant resources that allow it to create opportunities to achieve its objectives by using multiple attack vectors; this seems to be a fairly direct reference to the types of espionage carried out by China and Iran.
Level 5: Advanced/Progressive
Level five is the final level of the CMMC and defines those organizations that are Advanced/Progressive/State-of-the-Art in cybersecurity. The CMMC defines 30 security controls beyond those of level four that need to be put in place in order to achieve level five. These largely relate to the ability of organizations to respond to changing threat landscapes through auditing and managerial processes, rather than to extra technical requirements.
Whether level five will become the standard for DoD contractors is unclear. At the moment, many smaller firms will find it difficult to meet the requirements of this level, if only because they lack the human resources necessary to continually scan for new threats. Nevertheless, this level contains a number of recommendations that are valuable as a vision of what the future of defense cybersecurity could (and perhaps should) look like.