In January 2020, spurred by a rising number of cyberattacks against its suppliers, the U.S. Department of Defense released version 1.0 of a streamlined cybersecurity certification process for defense industrial base contractors. This process, called the Cybersecurity Maturity Model Certification, or CMMC, defines a set of cybersecurity hygiene practices that any vendor or contractor working with the DOD must uphold. As of June 2021, the program sits in the Pentagon for an internal review, which is considered routine for a cybersecurity program of this size.
What is CMMC?
The Cybersecurity Maturity Model Certification, also called CMMC, gives all contractors working with the U.S. Department of Defense a standard set of cybersecurity safeguards to put in place across their organizations. Its purpose is to protect the federal government’s Federal Contract Information and, above all, its Controlled Unclassified Information, or CUI, from theft and tampering. CUI covers a wide range of material, from weapon-system design data and blueprints to equipment performance indicators and logistics records.
Because the sensitivity of this information varies so widely, the DOD created five levels of CMMC certification. The first two levels call for basic and intermediate cyber hygiene: simple, well-established practices such as keeping malicious-code protection installed and up to date and authenticating every user before granting access. The top three levels apply to organizations that handle CUI and add many more in-depth requirements. Level 3 protects CUI itself, while Levels 4 and 5 require the organization to detect and stop targeted attacks by advanced persistent threats and to have a full response and mitigation plan ready should an attack occur.
What is a CMMC Audit?
Any defense industrial base contractor in the DOD supply chain must undergo a CMMC audit (the CMMC program itself calls this an assessment). The audit evaluates the organization’s cybersecurity hygiene against the practices required for the certification level its contract specifies. An organization must pass the audit to be awarded that level and to continue working on DOD contracts that require it.
Who Performs the CMMC Audit?
As the DOD rolls out the CMMC certification process in 2021, audits will be performed by Certified Third-Party Assessment Organizations, or C3PAOs, and the certified assessors they employ. These organizations are authorized by the CMMC Accreditation Body, and their job is to confirm that a contractor’s cybersecurity hygiene meets the requirements of the level it is seeking.
The auditors have a few key focus areas. They first confirm the certification level the organization needs. That level is normally written into the contract terms and reflects how the organization handles CUI in the course of its work.
The auditors then examine the organization’s System Security Plan and the supporting evidence (policies, configurations, logs, and similar artifacts) to determine whether each required practice is in place. They may also test controls to validate that they actually work, and interview the people responsible for them to gather additional detail. The final stage, and the one organizations most often underestimate, is the review of process maturity: from Level 2 upward, CMMC requires that practices not merely be performed but be documented and managed as repeatable processes, so an organization cannot be certified until cybersecurity is embedded in its day-to-day operations rather than handled by one team in isolation.
How Do I Prepare for the CMMC Audit?
Preparation depends on your organization’s designated certification level. If your organization handles only Federal Contract Information and no CUI, you need only demonstrate basic cyber hygiene (Level 1) to your auditor. If your organization handles CUI, there are many additional security measures to put in place before certification.
CMMC was built on requirements published by the National Institute of Standards and Technology. NIST SP 800-171 is already a widely accepted cybersecurity standard, and DOD contractors that handle CUI have been required to implement it under DFARS clause 252.204-7012 since the end of 2017, so there is a good chance most of its requirements are already in place across the organization. CMMC Level 3 incorporates all 110 NIST SP 800-171 requirements and adds 20 practices of its own; the higher the level sought, the more additional CMMC practices and process requirements the organization must meet. A gap analysis of your current controls against the practices for your target level is the most practical starting point.
The CMMC Accreditation Body maintains a list of Registered Provider Organizations, or RPOs, that have indicated they are willing to provide training, consultation, and support to any organization going through the audit process for the first time.