The Cybersecurity Maturity Model Certification (CMMC) is a security framework implemented by the US Department of Defense (DoD) to improve protection of the defense industrial base. Like other security frameworks, the CMMC has a collection of controls for processes and practices with the goal of achieving a certain level of cybersecurity maturity. The main purpose of the CMMC is to provide assurance to the DoD that a company holding federal contracts has the appropriate measures in place to safeguard Controlled Unclassified Information (CUI) and Federal Contract Information (FCI), and to account for how that information flows. It’s also a powerful framework that can apply to anyone looking to boost their security posture.
If you’re reading this because CMMC may apply to your clients, great. If you’re reading this because you’re not sure what CMMC is, even better. You will gain a better understanding of CMMC and possibly what it portends for the future of self-attestation of compliance.
CMMC is a scalable framework, so dependent upon the sensitivity of data involved, a federal contract will require specific CMMC controls be in place. At the moment, the CMMC has five levels. The higher the level, the more controls required. And because they are cumulative, CMMC Level 3 would demand implementing everything in the preceding two as well.
- CMMC Level 1: Basic cyberhygiene—focused on safeguarding Federal Contract Information (FCI)
- CMMC Level 2: Intermediate cyberhygiene—serve as a transition step in cybersecurity maturity
- CMMC Level 3: Good cyberhygiene—protect Controlled Unclassified Information (CUI)
- CMMC Level 4: Proactive—protect CUI and reduce risk of advanced persistent threats (APTs)
- CMMC Level 5: Advanced/progressive—protect CUI and reduce risk of APTs
How Is CMMC different from other security frameworks?
The biggest difference is that it does away with self-attestation. With standards like NIST 800-171, you could self-attest you were following the appropriate controls and standards and win a federal contract. CMMC changes this by requiring that anyone seeking a federal contract with the DoD must receive certification from an approved CMMC third-party assessment organization (C3PAO).
You can easily perform self-assessments by leveraging resources made available by the Office of the Under Secretary of Defense for Acquisition & Sustainment. However, you will still need to engage a C3PAO to receive CMMC certification of the appropriate level to win a federal contract. During the audit by a C3PAO, they should be able to help identify any gaps that will prevent receiving certification. If you or your clients are subject to CMMC, engaging with a C3PAO is going to be unescapable. The earlier you start, the more flexibility you will have in implementing any recommendations.
There is currently a grace period to allow CMMC to become fully implemented, but in the future federal DoD contracts will not be awarded without the appropriate certification.
Why is CMMC important to MSPs?
For MSPs, CMMC is no different than any other set of standards or frameworks—it contains an established baseline of best practices, and controls and processes that must be implemented. In fact, most of the controls in CMMC are mapped directly to NIST 800-171. So if you have already been building your managed services around NIST 800-171, you should look at CMMC as an opportunity to help you stand apart.
For MSPs that have not traditionally implemented NIST or other security frameworks because it wasn’t a requirement for you clients, this is an opportunity to own risk and reap the rewards. If you decided to implement the controls within CMMC Level 3—even if you don’t receive certification—you will have a more mature cybersecurity posture, a larger portfolio of services you can offer to clients, and improved scalability.
If you have made it this far and think CMMC doesn’t apply to you since you don’t support these types of clients, CMMC has the potential to work down the hierarchy from federal to state and local governments. When NIST 800-53 was originally released in 2005 as recommended security controls for federal information systems, it was intended for federal information systems. In August 2017, federal was removed to indicate that it may be applied to any organization. Many state governments, local municipalities, insurance providers, and public and private entities of all types have required NIST 800-53 controls and processes be followed for years.
One day, CMMC, or an evolution of it, may be just as prevalent as NIST 800-53. With the heightened public awareness concerning the risk cybersecurity threats pose, it’s likely we may eventually see self-attestation as a relic of the past.
This guest blog is courtesy of N-able. Author Lewis Pope is the head security nerd at N-able. You can follow him on Twitter (@cybersec_nerd), LinkedIn (thesecuritypope) and Twitch (cybersec_nerd). Read more N-able guest blogs here. Regularly contributed guest blogs are part of ChannelE2E’s sponsorship program.