What DoD Contractors Need to Know About the New Cybersecurity Maturity Model Certification

The Cybersecurity Maturity Model Certification (CMMC) is a new requirement from the U.S. Department of Defense (DoD). It mandates that DoD contractors obtain third-party certification to ensure appropriate levels of cybersecurity practices are in place to meet “basic cyber hygiene,” as well as protect controlled unclassified information (CUI) that resides on partner systems.

Why CMMC Formed

The CMMC is a verification mechanism for assessing the cybersecurity posture of contractors in the Defense Industrial Base (DIB). The DoD created the certification to better secure the DIB. The cybersecurity practices and the protection of CUI are already covered in regulations such as the Defense Federal Acquisition Regulation Supplement (DFAR) and NIST publications; however, those standards do not require a third-party attestation to validate the controls' effectiveness and provide certification.

The Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) developed this certification to assess and certify a company’s maturity of cybersecurity practices and processes more broadly. This new certification uses many of these standards as a foundation for the framework.

What is the CMMC Comprised Of?

The CMMC is built upon established NIST special publications and DFAR regulations (with some additional sources, such as UK Cyber Essentials and the Australian Cyber Security Centre Essential Eight maturity model). There are 17 practice domains that include 171 practices, or controls, broken down across five levels of progression that measure technical control capability. In parallel, there are five levels of process maturity that measure the extent to which those activities are embedded or ingrained in the operations of the organization (see Figure 1). Organizations seeking certification will be certified at one of these five levels.

[Figure: Cybersecurity Maturity Model Certification Structure]
Figure 1. CMMC model for assigning certification. Ref: CMMC v.1.0 Public Briefing

How are Certification Levels Determined?

The DoD will assess which CMMC level is appropriate for a particular contract and state that level in Sections L and M of the request for proposal (RFP). The DoD will use the assessment as a “go/no go” evaluative determination. The level of certification required in each contract will depend upon the amount of Controlled Unclassified Information (CUI) a company will handle or process. Independent third-party assessment organizations (C3PAOs) will evaluate customers' environments for certification. A company will specify the level of certification requested and will be certified at the appropriate CMMC level upon demonstrating the required capabilities and organizational maturity to the satisfaction of the assessor and certifier. As of the date of this publication, no further guidance beyond the briefings and models has been issued by the DoD or the accreditation board to help an entity determine how a C3PAO will rate its environment. No organizations have been accredited as an official C3PAO, and training materials are still in development. Updates on this are expected within the next couple of months.

When Will CMMC Compliance be Required?

Approximately ten RFPs are expected to be released with a CMMC requirement this June. These will include a mix of CMMC level requirements, with another set of RFPs following in the fall. There is no official number of RFPs that will require CMMC certification in 2020, but we do know that there is no retroactive requirement for existing contracts. By 2026, all DoD contracts will include a CMMC requirement.

How Can LogRhythm Help My Team with The Cybersecurity Maturity Model Certification (CMMC)?

The beauty of the CMMC for DoD is that it leverages established frameworks that have been in place for organizations for years. LogRhythm already offers various compliance modules that incorporate those frameworks. LogRhythm’s Consolidated Compliance Framework (CCF) includes ISO27001, GDPR, ASD, NIST SP800-53, 800-171, and CSF. Additionally, LogRhythm offers a standalone NIST module, NIST: Compliance Automation Suite, which covers NIST SP800-53, 800-171, CSF, and utilizes our CCF concept. CMMC aligns with over 90 percent of these various NIST controls and only five percent of the remaining CMMC controls have suitable SIEM use cases.

LogRhythm Labs is currently developing an independent CMMC compliance module. This module builds on existing NIST and Consolidated Compliance Framework (CCF) content for those customers that are striving to reach higher levels of compliance.

In the meantime, LogRhythm Labs has created a mapping of NIST controls to the CMMC practices and their associated practice levels. This mapping can help any entity already utilizing NIST frameworks looking for insights into where they stand with CMMC compliance.

Download LogRhythm’s CMMC mapping document here.

Figure 2. Screenshot of the LogRhythm Labs mapping of CMMC practices to NIST