Working with the U.S. Government: An Overview of the U.S. Cybersecurity Maturity Model Certification

Dec 07, 2022

By Dustin Perkins, CISSP, Senior Governance, Risk and Compliance Consultant for the US Region of CyberCX .

Cybersecurity is a growing interest and concern in both the private and public sectors, and for companies contracted to do business with the U.S. Department of Defense it is increasingly important because those private-sector organizations hold potentially sensitive government information. On the heels of the Federal Information Security Management Act (FISMA), every government agency is hyper-focused on developing a hardened level of cyber hygiene by which to mitigate as much risk as possible. The Department of Defense is fulfilling this requirement through the creation of the Cybersecurity Maturity Model Certification (CMMC).

The CMMC was created as an assessment framework and certification program designed to increase the trust in measures of compliance to a variety of standards published by the National Institute of Standards and Technology (NIST). The framework and model were created by the Office of the Undersecretary of Defense for Acquisition and Sustainment (OUSD(A&S)) through existing contracts with Carnegie Mellon University and Johns Hopkins University.

The need for the framework stems from the Federal Information Security Management Act (FISMA) of 2002, which required each federal agency to develop, document and implement an agency-wide program to provide information security for the information systems in use. In 2019, the Department of Defense (DoD) created CMMC to comply with this requirement and to transition from self-attestation to a more structured method of identifying and measuring cyber hygiene in the private companies currently listed in the Defense Industrial Base (DIB). On November 4th, 2021, the DoD announced the release of CMMC 2.0, which aimed to streamline the method by which accreditation is acquired by the private entities listed in the DIB. The CMMC model will be further streamlined as implementation and adoption grow within both the DoD and the private sector.

Current State of CMMC v2:

CMMC provides an organizational view of best practices that map directly to NIST Special Publication (SP) 800-171 Rev. 2 and SP 800-172. Adherence to these controls is assessed against one of three levels within CMMC:

  • Level 1, or Foundational, is focused on safeguarding Federal Contract Information (FCI) within the infrastructure of private companies currently listed as approved vendors in the DIB. This is the least demanding level, requiring only 59 objectives within the 17 practices of FAR (Federal Acquisition Regulation) 52.204-21, cross-referenced with NIST SP 800-171 Rev 2. As the name implies, this level provides a foundation of demonstrable cyber hygiene on which to build more robust cybersecurity implementations. This level requires a self-assessment and therefore does not require a third-party validation or certification.
  • Level 2, or Advanced, requires the full adherence and implementation of NIST SP 800-171, and is seen as a baseline target for those wishing to engage in operations with the U.S. Department of Defense via contract. This level requires full adherence to all 110 practices within the framework and, for some contracts, requires an Annual Self-Assessment to acquire and maintain certification. For those organizations that utilize and process critical national security information, a Triennial Third-Party Assessment by a Certified Third-Party Assessing Organization (C3PAO) must be acquired. If CMMC Level 2 is acquired through the utilization of a Plan of Actions and Milestones (POA&M), that document is strictly enforced within 180 days of the initial CMMC assessment.
  • Level 3, or Expert, is reserved for DIB-accredited private organizations that possess contracts permitting the processing and transmission of critical DoD information. This level requires the full implementation of NIST SP 800-172 and MUST be conducted through a triennial government-led assessment process.

How To Get Started:

There are four agreed-upon steps on the path toward CMMC accreditation: Gap Assessment, Remediation, Audit and Certification, and Optimization.

  1. Step one requires the organization to assess its current cyber preparedness against the appropriate level of CMMC accreditation. This results in a gap analysis documenting the difference between the current state and the requirements of the CMMC, which is used in step two.
  2. Step two is remediation: bridging any deficits found in the gap assessment of step one to reach the standards set out in the appropriate level of CMMC.
  3. Step three is Audit and Certification, and the requirements vary by level. Once the level has been met, whether by self-assessment or by assessment by a C3PAO or a government agency, certification is granted by the CMMC Accreditation Body (CMMC-AB).
  4. Step four, following the acquisition of the certification, is the optimization of the organization's cybersecurity posture. As CMMC accreditation is typically annual, ongoing optimization ensures that any deviations from current and future requirements are minimal.

If an organization engages in contractual obligations with the Department of Defense, the requirement to adhere to the CMMC is fast approaching. As cybersecurity takes on a greater role in the effort to mitigate risk and the exposure of confidential information, additional programs are likely to follow.

References:

Cybersecurity Maturity Model Certification Accreditation Body, Inc. – https://www.cyberab.org

Office of the Undersecretary of Defense – Acquisition and Sustainment – https://www.acq.osd.mil/cmmc/

Executive Order on Improving the Nation’s Cybersecurity – https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/