By Tom Cupples, Ed.D., CISSP, CGRC, PMP, CAICO-PI, CAICO-PA, CCP, CCA, Sec+, Net+, Security Controls Assessor & Senior Cybersecurity Trainer at CISO Global, Inc.
The Cybersecurity Maturity Model Certification (CMMC) 2.0 is a compliance requirement that all Department of Defense (DoD) contractors (collectively, the Defense Industrial Base) will soon have to meet. See my blog Why is CMMC a Big Deal? for more on the legal implications of CMMC. The official CMMC rule is expected to emerge from rulemaking in the first quarter of 2024 and to be fully implemented by the first quarter of 2026.
What is CMMC 2.0?
The Cybersecurity Maturity Model Certification (CMMC) has existed for several years and has matured over that time. The current version is CMMC 2.0, announced in November 2021. In this version, the original five-level model was collapsed into three distinct levels: Level 1 (Foundational), Level 2 (Advanced), and Level 3 (Expert). The purpose of the update was to simplify the certification process and make it easier for each organization to identify the level it needs.
What does this mean for your organization?
Suppose your organization currently holds, or plans to bid on, a contract with the DoD or with a DoD prime contractor (that is, as a subcontractor). In that case, your organization needs to be assessed and certified at the CMMC level the contract requires. As the infographic below shows, organizations that handle only FCI (Level 1) can self-assess annually. Organizations that handle CUI (Level 2) generally must have a third-party assessment by a CMMC Third-Party Assessment Organization (C3PAO), repeated every three years; a subset of Level 2 contracts allow a triennial self-assessment instead, and Level 3 assessments are conducted by the government (DCMA's DIBCAC) rather than by a C3PAO.
So now what?
Number 1: Make sure you properly scope your boundary
Your boundary must be scoped according to the DoD's CMMC Assessment Scoping Guide for Level 1 or the CMMC Assessment Scoping Guide for Level 2, depending on the level the contract requires.
Understanding the scoping process and correctly scoping your Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) boundary is crucial. The boundary should include only the people, technology, and facilities necessary to process, store, and/or transmit these protected datasets. The Level 2 scoping guide sorts assets into five categories (CUI Assets, Security Protection Assets, Contractor Risk Managed Assets, Specialized Assets, and Out-of-Scope Assets), and every in-scope asset must be documented in your asset inventory, System Security Plan (SSP), and network diagram, so a clean separation between in-scope and out-of-scope assets pays off at assessment time. Narrowing the scope also reduces the cost of securing the boundary, the cost of the assessment, and the cost of ongoing operation and maintenance.
Number 2: Understand the type of data that your organization processes, stores, and/or transmits.
The type of data your organization processes, stores, and/or transmits determines which people and systems may be allowed access to it and which handling and marking requirements apply.
CMMC is concerned with two types of data: Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). There are important distinctions between each as demonstrated by the following regulation and order.
- Federal Acquisition Regulation Clause 52.204-21 states that FCI is “Information not intended for public release that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments.” In layman’s terms, FCI is any non-public information the Government gives you, or that you produce for the Government, while performing a contract; the clause applies government-wide, not only to DoD contracts.
- Executive Order 13556 established the CUI program. NIST SP 800-171, citing that order, defines CUI as “Information that law, regulation, or government-wide policy requires to have safeguarding or disseminating controls, excluding information that is classified under Executive Order 13526, Classified National Security Information, December 29, 2009, or any predecessor or successor order, or the Atomic Energy Act of 1954, as amended.” In layman’s terms, CUI is any data that must be controlled because of a law, regulation, or government-wide policy but that has not reached the level of Classified National Security Information.
CUI can be categorized by referencing the two publicly available CUI registries: the National Archives and Records Administration (NARA) CUI Registry and the DoD CUI Registry. Categorizing CUI must be tied to the scoping process: once you determine what types of CUI you process, store, and/or transmit, you can verify that your scope covers every asset that touches them. There are many caveats to categorization, so familiarity with the CUI Registries is essential.
Number 3: Select a DoD-approved third-party service provider.
Per the DoD and the Cyber AB (formerly the CMMC Accreditation Body), third-party services used to provide security services within an organization’s CMMC boundary must themselves meet the applicable requirements. In particular, DFARS 252.204-7012 requires that any cloud service used to store, process, or transmit CUI meet the FedRAMP Moderate baseline (or equivalent) or higher, and other external service providers should be able to demonstrate compliance with CMMC 2.0 for the scope of the services they deliver.
CMMC has taken a slow road to implementation. As a result, many third-party service providers have not yet become compliant. It is important to verify that the third-party services you implement meet the applicable requirements; otherwise, Level 2 certification will be hindered and may cost more than necessary. A good starting point for selecting a provider is FedRAMP.gov and its FedRAMP Marketplace, which lists authorized cloud services and their impact levels.
Before selecting third-party services, organizations should decide whether an on-premises deployment or a cloud deployment is more appropriate. In some cases, it is easier and more secure to manage services within the system boundary on-premises than to use cloud services. Whatever the choice, obtain the provider’s customer responsibility matrix or shared-responsibility documentation: a FedRAMP authorization covers only the provider’s side of the controls, and the responsibilities left to you must still be implemented and documented in your own SSP. A deep understanding of these compliance implications should inform the decision to choose a third-party service provider.
Number 4: Conduct a self-assessment.
A gap assessment should be conducted before engaging a C3PAO for an official CMMC Level 2 assessment. The 110 security requirements of NIST Special Publication 800-171 Revision 2 are the guiding standard for Level 2. However, it is best to understand how a Level 2 assessment is actually conducted, including the assessment objectives for each requirement (drawn from NIST SP 800-171A), by referencing the CMMC Level 2 Assessment Guide.
If you are unsure of the process, or of whether you will meet the CMMC Level 2 assessment standard, you would be well advised to bring in qualified help. You can either send your own employees to the same Cyber AB-approved training that assessors complete before taking their certification exams, or engage a third-party vendor to act as an advisor for the assessment. Only C3PAOs, and the certified assessors who work for them, are accredited by the Cyber AB to conduct the official assessment, but a gap assessment can be performed by any qualified CMMC compliance vendor, such as a Cyber AB Registered Provider Organization (RPO).
CISO Global is a Cyber AB Licensed Training Provider (LTP). We have certified instructors who train candidates for the Certified CMMC Professional (CCP) and Certified CMMC Assessor (CCA) certifications. CISO Global is in the process of becoming a C3PAO so that it can provide official assessments to organizations seeking certification; in the meantime, we have highly experienced assessors, some of whom are Cyber AB-certified to perform official assessments, who can help you prepare for your mandated certification at CMMC Level 2.