This year, the Department of Defense issued the official version of the Cybersecurity Maturity Model Certification (CMMC), which outlines cybersecurity regulations that must be adhered to by all DoD contractors.
These measures have been put in place to verify that an appropriate level of cybersecurity is present in every business that holds a contract with the DoD. The certification covers cyber hygiene and the protection of controlled unclassified information (CUI).
This certification covers each level of cyber hygiene from Basic Cybersecurity Hygiene through Advanced and the qualifications required to meet each level. The level of cybersecurity your business is required to achieve depends on which contracts you service and how you use and store CUI.
All DoD contractors are expected to be prepared for audits to begin later this year, where third-party auditors will determine the cyber hygiene level your business has obtained. The level of cybersecurity within the CMMC that your business achieves will determine which government contracts you are allowed to bid on.
The Five Levels of the CMMC Framework
Within the CMMC there are five levels of cyber hygiene that DoD contractors can meet. The CMMC level your business obtains will dictate the type of contracts you are able to win. For example, by attaining only the Level 2 certification, your business will not be able to bid on a Request for Proposal (RFP) that specifies Level 3 or higher. The level you need to achieve also depends on how much CUI your business handles or stores.
Level 1: Basic Cyber Hygiene
This is the baseline level that all contractors will be required to meet. The requirements you must meet to obtain this level of cyber hygiene are equivalent to those found in FAR 52.204-21, which handles Federal Contractor Information.
Level 1 features 15 requirements and focuses on basic safeguarding: managing user and device identification and authentication, physical access, visitor access, protection from malicious code, and system scanning.
Level 2: Intermediate Cyber Hygiene
This builds on Level 1 with the addition of 55 cyber hygiene requirements. To qualify for Level 2, business practices must follow accepted cybersecurity best practices, processes must be documented, and systems must be resilient to basic threat actors.
Other practices that would be involved in qualifying for Level 2 are security awareness training for staff, risk assessment and management, and security continuity.
Level 3: Good Cyber Hygiene
To be compliant with Level 3, businesses must meet a further 58 requirements in addition to those in Level 2. This is also the minimum level of cyber hygiene required for businesses that handle CUI.
Qualifications for Level 3 include coverage of all NIST 800-171 controls, multi-factor authentication, proper procedures for communicating threat information to stakeholders, and an Information Security Continuity Plan.
Level 4: Proactive
There are 26 proactive cyber practices in Level 4 which protect CUI against Advanced Persistent Threats (APTs). To be fully compliant with Level 4, a business must continually review the effectiveness of its procedures, proactively take corrective measures when necessary, and ensure that the findings of those reviews are communicated to the relevant people.
Requirements for Level 4 include practices such as network segmentation, threat hunting, and Data Loss Prevention technologies.
Level 5: Advanced/Progressive
To qualify for Level 5, businesses must have highly advanced cybersecurity practices that are continually improved on an organizational scale. Your systems should be resilient to even the most advanced threat actors.
Some practices that your business will be expected to implement to achieve Level 5 cyber hygiene are cyber maneuver operations, autonomous initial response actions, and a 24×7 SOC.
Can Businesses Still Self-Certify Under The New CMMC Regulations?
Under the new CMMC regulations, it will no longer be possible for businesses to self-certify, as contractors were previously able to do under NIST 800-171. To determine the certification levels of all DoD contractors, the DoD will authorize independent third-party auditors to begin assessing businesses seeking certification from the middle of 2020 onwards.
As you prepare for an audit to determine your level of CMMC, it is wise to work with a Managed Service Provider who is well-versed in the new CMMC regulations and DFARS compliance. A partner like Corsica Technologies will be able to help you attain the level of cybersecurity that your business will need in order to continue bidding on certain government contracts.
Using the services of a Managed Service Provider not only helps you obtain the compliance levels needed to ensure your business does not lose out on valuable contracts, but also serves to protect your business from the growing cybersecurity threats that concern all businesses.
With the ever-growing risk from cybercriminals, every business faces a threat that can be very costly if it is not correctly managed and mitigated. This issue becomes considerably more significant when you also consider the consequences of a security breach while you are handling such complex and sensitive data.
For more information, check out Corsica Technologies’ guide on cyber requirements for DoD contractors.