Understanding the Cybersecurity Maturity Model Certification (CMMC)

Long-standing information security best practices, frameworks, and regulations are a reliable means of ensuring that networks are resilient and information remains secure. Still, organizations and individuals often have their own interpretation of such security practices, and that may not be good enough. This is changing for organizations doing business with the United States Department of Defense (DoD) through the Cybersecurity Maturity Model Certification (CMMC).

CMMC’s background

Introduced in early 2020 and currently at version 2.0, the CMMC takes the guesswork out of security oversight. CMMC is a follow-on to the NIST Special Publication 800-171 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. The intent of the CMMC is to help ensure that controlled unclassified information at the federal level – referred to as CUI – is adequately protected from attack and unauthorized access across the thousands of DoD’s Defense Industrial Base (DIB) suppliers/contractors. In other words, the CMMC helps protect the DoD’s information assets.

CMMC addresses the security basics

CMMC brings all DIB contractors and, depending on the information accessed, their subcontractors under the same umbrella of security oversight and accountability. The CMMC is made up of various security capabilities mapped across 17 unique domains and allows suppliers to meet one of five levels of security practices and processes. Certification is required to be able to bid on applicable DoD contracts.

The 17 CMMC domains are as follows:

  1. Access Control (AC)
  2. Assessment Management (AM)
  3. Audit and Accountability (AU)
  4. Awareness and Training (AT)
  5. Configuration Management (CM)
  6. Identification and Authentication (IA)
  7. Incident Response (IR)
  8. Maintenance (MA)
  9. Media Protection (MP)
  10. Personnel Security (PS)
  11. Physical Protection (PE)
  12. Recovery (RE)
  13. Risk Management (RM)
  14. Security Assessment (CA)
  15. Situational Awareness (SA)
  16. Systems and Communications Protection (SC)
  17. System and Information Integrity (SI)

The NIST 800-171 standard makes up the CMMC certification levels 1 through 3. Levels 3 through 5 incorporate additional security measures required of organizations working on DoD projects that represent higher levels of risk. The five levels of CMMC certification are as follows:

Level   | Processes  | Practices
Level 5 | Optimizing | Advanced/Progressive
Level 4 | Reviewed   | Proactive
Level 3 | Managed    | Good Cyber Hygiene
Level 2 | Documented | Intermediate Cyber Hygiene
Level 1 | Performed  | Basic Cyber Hygiene

Level 1 is essentially a demonstration of basic security practices. Levels 2 through 5 require both security practices and processes. The desired/optimal level of certification is up to the organization desiring to do work with the DoD. These certifications apply the same to both large companies and small companies and a level 1 certification will likely be sufficient for most contractors and subcontractors working with the DoD.

CMMC auditing and scoring

Accredited assessors will perform CMMC audits, and certifications will be valid for three years. As with other audits and certifications, it would behoove your organization to perform a pre-audit self-assessment before attempting the formal CMMC certification process.

It’s important to note that, for certification levels 2 through 5, scoring is cumulative. For example, to attain a level 4 certification, the organization must meet all the requirements in levels 1 through 4. Additionally, for levels 2 through 5 if an organization desires, say, a level 3 certification but does not meet the level 3 requirements, they will still receive a level 2 certification. In other words, the organization will be certified in the lowest level it achieves.

How CMMC addresses authentication

As it relates to authentication, the Identification and Authentication (IA) domain of CMMC specifically addresses passwords and multifactor authentication. For level 1 certification, users, processes, or devices must have their identities authenticated before being allowed access to the organization’s information systems.

Level 2 certification takes these basic password requirements several steps further by requiring the enforcement of minimum password complexity, character changes for new passwords, and the prohibition of password reuse (all easily enforceable with Specops Password Policy). Additionally, level 2 allows for temporary password use as long as the password is changed immediately. Level 2 also requires the storage and transmission of passwords only when they are protected by encryption. Finally, password obfuscation must be used to protect login credentials at level 2.
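The level 2 password controls described above (minimum complexity, a minimum number of changed characters, no reuse of recent passwords, and storage only in protected form) can be enforced in any credential store. The following is an added example written for this article, not code from the original page or from Specops Password Policy; the thresholds (12 characters, 3 character classes, 4 changed characters, 10-generation history, 200,000 PBKDF2 iterations) are assumed values, since CMMC requires that such rules exist but does not prescribe the numbers.

```python
import hashlib
import hmac
import os
from difflib import SequenceMatcher

# Constructed policy values for this example. CMMC/NIST SP 800-171 require that
# complexity, character-change and reuse rules exist; the numbers are assumed here.
MIN_LENGTH = 12
MIN_CHARACTER_CLASSES = 3
MIN_CHANGED_CHARACTERS = 4
HISTORY_SIZE = 10
PBKDF2_ITERATIONS = 200_000


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256: only this digest is stored, never the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def complexity_violations(password: str) -> list:
    """Return the complexity rules the candidate password breaks (empty list = passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum(
        1 for test in (str.islower, str.isupper, str.isdigit) if any(test(c) for c in password)
    )
    if any(not c.isalnum() for c in password):
        classes += 1  # symbols and punctuation count as a fourth class
    if classes < MIN_CHARACTER_CLASSES:
        problems.append(f"uses fewer than {MIN_CHARACTER_CLASSES} character classes")
    return problems


def changed_characters(old: str, new: str) -> int:
    """Number of characters that differ between old and new, i.e. how much actually changed."""
    matched = sum(block.size for block in SequenceMatcher(None, old, new).get_matching_blocks())
    return max(len(old), len(new)) - matched


class PasswordRecord:
    """Per-account state: the current hash plus the previous HISTORY_SIZE hashes."""

    def __init__(self):
        self.history = []  # list of (salt, digest), newest last; index -1 is the current password

    def verify(self, password: str) -> bool:
        if not self.history:
            return False
        salt, digest = self.history[-1]
        return hmac.compare_digest(_hash_password(password, salt), digest)

    def was_used_before(self, password: str) -> bool:
        return any(
            hmac.compare_digest(_hash_password(password, salt), digest)
            for salt, digest in self.history
        )


def change_password(record: PasswordRecord, old_password, new_password: str) -> list:
    """Apply the policy to a proposed change; returns the violations (empty list = change applied)."""
    if record.history:
        # An existing account must prove knowledge of the current password first.
        if old_password is None or not record.verify(old_password):
            return ["current password does not match"]
    problems = complexity_violations(new_password)
    if old_password is not None and changed_characters(old_password, new_password) < MIN_CHANGED_CHARACTERS:
        problems.append(f"fewer than {MIN_CHANGED_CHARACTERS} characters changed from the current password")
    if record.was_used_before(new_password):
        problems.append(f"matches one of the last {HISTORY_SIZE} passwords")
    if problems:
        return problems
    salt = os.urandom(16)
    record.history.append((salt, _hash_password(new_password, salt)))
    del record.history[:-HISTORY_SIZE]  # keep only the generations the policy forbids reusing
    return []


if __name__ == "__main__":
    account = PasswordRecord()
    print(change_password(account, None, "Correct-Horse-Battery-9"))
    print(change_password(account, "Correct-Horse-Battery-9", "Correct-Horse-Battery-8"))
    print(change_password(account, "Correct-Horse-Battery-9", "Totally-Different-Pass-42"))
```

The reuse check has to re-derive the candidate's hash against each stored salt, which is why the history is bounded to the number of generations the policy actually forbids; a constant-time comparison is used so that a failed check does not leak which entry came closest.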

CMMC level 3 requires the use of multifactor authentication for local and network access of privileged accounts and network access for non-privileged accounts. Level 3 also requires security controls to prevent authentication replay attacks for both privileged and non-privileged accounts at the network level. Finally, level 3 requires the prevention of identifier (association of a user ID to a specific person or entity) reuse as well as the disabling of identifiers after a period of inactivity.

CMMC is here to stay

Information security practices such as the CMMC are intended to keep sensitive assets protected, prevent incidents and breaches from occurring, and, when they do, minimize their impact. Clearly, the CMMC is about information security best practices that might already be expected, especially for organizations doing business with the DoD. Businesses that already have a mature security program should have no problem meeting or exceeding the requirements of CMMC. Even smaller organizations with limited technical resources should still be able to meet CMMC level 1 requirements with minimal expenditures in security expertise and technical controls.

Additional Reading:

CMMC Accreditation Body

Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations

Enforce CMMC password requirements with Specops Password Policy!

(Last updated on October 30, 2023)

Written by

Kevin Beaver

Kevin Beaver is an independent information security consultant, writer, and professional speaker with Atlanta, Georgia-based Principle Logic, LLC. With over three decades of experience in the industry, Kevin specializes in performing independent security assessments and consulting to help his clients uncheck the boxes that keep creating a false sense of security. He has written over 1,300 articles and 12 books on information security including the best-selling Hacking For Dummies and The Practical Guide to HIPAA Privacy and Security Compliance.
