Doing business with the Federal government has always had its share of requirements and regulations, especially when it comes to storing, processing, or transmitting any sensitive data. In fact, organizations doing business with the Federal government involving sensitive data are well acquainted with the cybersecurity controls they must implement based on controls from well-known frameworks such as the National Institute of Standards and Technology Special Publications (NIST SP) 800-53 and NIST SP 800-171. However, in the last several years these controls (and the method by which organizations must demonstrate compliance) have drastically changed, culminating in the Cybersecurity Maturity Model Certification (CMMC) Framework.

DoD Assessment Methodology

Using the DoD Assessment Methodology, Lantego can work with your key staff to identify and improve existing security controls, guide your self-assessment, create your System Security Plan (SSP) and your Plan of Action and Milestones (POA&M), and ensure your proper submission to SPRS.

The CMMC Model - CMMC 2.0

The current version of the CMMC is version 2.0, released in November of 2021. This version has been released by the DoD under the Advance Notice of Proposed Rulemaking process and is available for inspection on their website: https://www.acq.osd.mil/cmmc/index.html. CMMC 2.0 was a significant change from CMMC 1.0. The key changes in version 2.0 largely removed the new elements of the DoD assessment process that CMMC 1.0 had introduced. Namely,

  • 3-Tiered Model – Transitional levels 2 and 4 removed. The remaining levels are renamed Foundational (1), Advanced (2) and Expert (3).

  • Removal of Delta Requirements – CMMC 2.0 eliminates all maturity process requirements and all CMMC-unique security practices. CMMC 2.0 reverts to requiring the 110 NIST SP 800-171 security practices at level 2 and additional NIST SP 800-172 practices at level 3.

  • Removal of Required 3rd Party Assessments for Some CMMC Levels – All Foundational Level (1) assessments may now be performed as annual self-assessments; Advanced Level (2) assessments will be performed by C3PAOs every three years, and Expert Level (3) assessments will require a government-led assessment every three years.

  • POA&Ms Allowed – The DoD has indicated that the selective use of POA&Ms will be allowed, subject to a few restrictions:

    • Requirement prohibition – A POA&M may not include any security requirement that, if not implemented, could lead to significant exploitation of the network or exfiltration of DoD CUI (e.g., 5-point controls from the DoD Assessment Methodology), nor any security requirement that, if not implemented, has a specific and confined effect on the security of the network and its data (e.g., 5-point controls from the DoD Assessment Methodology). In other words, only 1-point items from the DoD Assessment Methodology are eligible for inclusion in the POA&M.

    • Limited requirement count – There is likely to be a limit on the number or percentage of unmet requirements that may be listed in the POA&M.

    • Limited time frame – POA&Ms will likely be limited to a time frame of 180 days. All items listed in the POA&M at the conclusion of the assessment must be addressed and reviewed by a C3PAO within 180 days, or the assessment results in a failed certification.

CMMC Levels

The CMMC levels are hierarchical: to achieve a specific CMMC level, the organization must demonstrate compliance with the practices at that level and with all practices of the CMMC levels below it. The CMMC levels are designed to increase the organization's ability to address the risks associated with the storage, transport, or processing of CUI within its information systems. See Figure 2.1.

The CMMC framework consists of three levels. These levels are as follows:

  • Level 1: Foundational – This level is required of any environment that stores, processes, or transmits FCI data. There are 17 requirements, corresponding to the basic safeguarding requirements of FAR 52.204-21.

  • Level 2: Advanced – This level is required of any environment that stores, processes, or transmits CUI data. There are 110 requirements, corresponding to NIST SP 800-171.

  • Level 3: Expert – This level is required of any environment that stores, processes, or transmits CUI data and that must implement additional controls to address the risk from Advanced Persistent Threats (APTs). This level is not yet detailed by the Federal government, but it will contain the 110 requirements corresponding to NIST SP 800-171 plus a subset of the requirements from NIST SP 800-172.

CMMC Certification Steps

Organizations that have determined the need for a CMMC assessment will need a plan for achieving it. The organizational CMMC assessment plan must address timelines, budgets, resources, project phases, and project artifacts. Each of these elements of a CMMC assessment plan is discussed in this chapter.

As the CMMC assessment is likely to be a critical credential for nearly all organizations within the DIB, proper project planning is a must.

CMMC Certification Project Planning

The first phase of the CMMC assessment preparation project is to plan the project itself. Planning may include educating the team on the CMMC process so that everyone involved is well informed and prepared. The planning aspects of this phase include identifying the CMMC objective and establishing a budget for the project.

  • CMMC workshop (optional) – For organizations to which the CMMC model is new, a familiarization workshop is a good way to acclimate the team. A CMMC workshop should be attended by everyone at the assessed organization who will be involved with the CMMC assessment preparation project. The topics covered should include sensitive information (FCI, CUI), the regulations governing the control of sensitive information, and the DoD assessment methods for verifying that those controls are in place.

  • Identify objective – For the CMMC assessment project, the objective is clearly to achieve a specific CMMC level. The organization should determine the required CMMC level based on the language of the proposal(s) to which it plans to respond, the sensitivity of the data it will be handling, and the types of projects it hopes to handle in the future. Higher CMMC levels cost more to achieve, so organizations should generally target the minimum CMMC level dictated by their current or near-term contracts and by the type of sensitive data processed within the organization.

  • Establish budget – An approved budget is necessary to ensure the success of this project. The costs of the CMMC assessment preparation project depend on the organization's size and complexity, its current cybersecurity maturity, and the scope of the assessment.

CMMC Project Resources and Scope

  • Project Resources – Resources for the project may be internal or external, but care should be taken to ensure that they have the necessary experience and bandwidth to be successful. The experience required to carry out a successful CMMC assessment project includes experience applying the government regulations on which the CMMC model is based (e.g., NIST SP 800-171, 800-171A, 800-172), experience developing and integrating cybersecurity policies, standards, and processes, and experience interfacing with cybersecurity auditors.

  • Project Scope – One of the more difficult and important elements of CMMC assessment preparation is the identification and definition of the systems to be assessed. Scoping the project involves selecting and defining the systems that process sensitive information and are to be assessed; the applicable requirements are then determined by the defined systems and the target CMMC level. The identification of these systems starts with identifying the sensitive information that must be protected. Once this sensitive information is identified, the organization must determine the boundaries of the systems and system components that store, process, or transmit it. It is within those boundaries that the required controls must be implemented.

CMMC Readiness Assessment

The organization should now seek a readiness assessment of the existing controls within the assessed enclaves to determine whether they are sufficient to meet the CMMC requirements. The readiness assessment should mimic the official CMMC assessment in terms of the level of analysis, the requirements, and the available assessment guidance. The readiness assessment team may find it useful to follow the RIIOT method of data gathering, or simply the Examine, Interview, and Test techniques described in the NIST SP 800-171 and CMMC assessment guides.

The assessed organization should assess its current controls against the CMMC model and the CMMC assessment guidance. These CMMC program documents specify the assessment requirements at the assessed organization's target level. It is important to follow the guidance provided, as this is the ruler by which the assessed organization will ultimately be measured.

Remediate CMMC Control Gaps

The final phase of the CMMC assessment preparation project is to remediate the identified control gaps in the assessed organization. Start with the gaps identified in the previous phase (the POA&M) and assign these tasks to the resources available to the project. Next, implement the changes necessary to bring the controls up to the level required for the CMMC assessment.

  • Assign remediation resources – Grouping the project tasks into categories improves project management and makes more efficient use of project resources by matching each resource's skill set to appropriate tasks.

  • Implement remediation – With the appropriate resources assigned, the CMMC assessment preparation project moves into revising or creating controls to address the identified gaps.

  • Integration of processes – Where possible, the assessed organization should make use of technology already available within the CMMC enclaves. For example, an existing ticketing system, shared file servers, automated workflow, automated inventory systems, or other established processes and technologies can be leveraged to implement well-integrated remediation efforts.

  • Track remediation through evidence – It is important that the remediation efforts produce evidence that will be available to the assessors during the CMMC assessment. The work done to tag and categorize this evidence will pay off substantially in supporting the ultimate CMMC assessment. The project manager of the CMMC assessment preparation should organize and archive the evidence as part of the project wrap-up.