This blog is part of a series of posts to highlight how our flagship cybersecurity product, Covalence, can help our customers attain their compliance goals. Whether it’s to mitigate risks, maintain a cyber insurance policy, or fulfill a contractual requirement, we know how important it is for businesses to adhere to industry-standard compliance frameworks.
The right cybersecurity solutions can empower organizations to achieve and maintain compliance with numerous frameworks, including the Cybersecurity Maturity Model Certification (CMMC).
Introducing the CMMC
Since January 2020, the Department of Defense (DoD) has promoted CMMC as the path toward securing Federal Contract Information (FCI) and/or Controlled Unclassified Information (CUI) when hosted outside of the department by members of the Defense Industrial Base (DIB) and their subcontractors.
Once CMMC is implemented, certain contractors that hold sensitive unclassified DoD information will be required to achieve a particular CMMC level as a condition of contract award.
CMMC 2.0, the latest iteration of the framework, is broken into three increasingly stringent levels that will align and evolve with existing federal regulations or compliance standards:
- Level 1 (L1) aligns with 15 basic safeguarding requirements specified in FAR 52.204-21
- Level 2 (L2) aligns with 110 security requirements specified in NIST SP 800-171
- Level 3 (L3) will be based on a subset of security requirements specified in NIST SP 800-172
The level of certification and type of assessment will be determined by the type of information held by DIB contractors.
When will CMMC be implemented?
The road to publication has been long and fraught with iteration and version changes. The process has been further complicated by an exhaustive certification process for Third Party Assessment Organizations (C3PAOs), a currently incomplete rulemaking period, and a short post-rulemaking implementation period.
This has left many small and mid-sized organizations confused about the requirements and how the certification will impact their ability to do business within the DIB.
Field Effect will continue to monitor the situation and support our customers and partners with their CMMC journeys.
Key elements of the CMMC
Level 2 certification aligns with NIST SP 800-171
The vast majority of small to mid-sized businesses will only need to attain CMMC Level 2.
Many companies are familiar with NIST SP 800-171 because of the Supplier Performance Risk System (SPRS) submissions they've been required to submit. It’s worth noting that a perfect 110 score will now be mandatory, meaning that all 110 security requirements specified in NIST SP 800-171 will have to be implemented.
The good news is that your organization will be able to leverage your compliance with NIST SP 800-171 to work towards obtaining a CMMC Level 2.
According to the US Department of Defense:
“The Department is pursuing development of acceptance standards between CMMC and other cybersecurity standards and assessments, to include between CMMC Level 2 (Advanced) and the NIST SP 800-171 DoD Assessment Methodology for the high assessment confident level, as well as CMMC Level 2 and the GSA Federal Risk and Authorization Management Program (FedRAMP).”
Self-assessments may be allowed
The Department of Defense states that “Once CMMC 2.0 is implemented, self-assessments, associated with Level 1 and a subset of Level 2 programs, will be required on an annual basis. Third-party and government-led assessments, associated with some Level 2 and all Level 3 programs, will be required on a triennial basis”.
What about companies not based in the United States?
There will be a path forward for non-US companies. Much of the information surrounding the CMMC rollout is US-centric, however, international enterprises will also need to get certified.
While what that will look like has not been published, the DoD has stated that it intends to “establish a framework to address application of CMMC to non-US companies”.
The clear intent is not to exclude international enterprises from the DIB.
How Covalence helps secure CUI
Covalence, our holistic cybersecurity solution, helps check and support many NIST SP 800-171 security requirements thanks to its:
- Malware detection and real-time blocking capabilities
- Ability to identify unauthorized access to devices and applications
- Ability to perform cloud and network monitoring
- Data mining techniques and audit record reduction
Because CMMC Level 2 leverages the NIST SP 800-171 security requirements, Covalence will play an important role for any company achieving this level of certification.
How you approach the CMMC process will be unique to the individual organization, only you can determine the resources, effort, and urgency. More generally, now is the time to put effort into achieving compliance with all security requirements and to start engaging with C3PAOs to ensure you are well on your way to compliance and have a post-rulemaking audit slot (if needed).
To learn more about CMMC and how Covalence can simplify your certification, reach out to our team. We can also provide you with a NIST SP 800-171 Mapping Guide which details how Covalence supports individual NIST SP 800-171 security requirements.
