A practical guide to CMMC
- By Andrew Whelchel, CISSP-ISSAP, CCSP
- Jul 13, 2021
The pandemic forced corporate America to turn to remote work for survival, but the private sector wasn’t alone. State and Federal organizations scrambled to balance productivity with the health and safety of employees. The public sector – notoriously behind in the technology race – faced the challenge of securing an enormous remote workforce. The Defense Industrial Base (DIB) sector alone is massive, with more than 100,000 companies and subcontractors working under contract for the Department of Defense at any given time. And while there are advantages to having an extensive network, security is also an issue, especially in today’s blended work environment.
Meanwhile, remote work has increased network attacks against the DoD. According to CSIS data, breaches and attacks raise national security issues, but they also have a clear economic cost – an estimated $600B might be lost every year to cybercrime. Recently, the government implemented new security requirements for external vendors, known as the Cybersecurity Maturity Model Certification (CMMC). Generally, CMMC marks a shift away from self-attestation and toward auditable evidence of contractor security. This can be confusing, given it’s another acronym to understand and follow. So, here’s a practical guide that outlines everything federal agencies need to know.
Meeting CMMC Standards
Previously, contractors working with the DoD were required to secure their operations and to assess their own performance. Under the new standards, contractors are still responsible for managing security, but external assessments are now part of the process. In addition, the CMMC consists of five security levels that build on one another, ranging from basic cyber hygiene to proactive and advanced progressive security controls. So, for example, a company that meets Level 4 will already have met the standards for Levels 1 through 3.
What CMMC Level Do Contractors Need?
In general, Level 3 certification serves as a baseline for security, and it will often be enough to secure contracts. To meet Level 3, a company must have a management plan designed to conduct operations with cyber hygiene best practices in mind, including the NIST 171 (NIST SP 800-171) standards. The NIST 171 standards are security requirements aimed at protecting controlled unclassified information (CUI). CUI is typically defined as “any information that law, regulation, or government-wide policy requires to have safeguarding or disseminating controls.”
Full NIST 171 compliance can be challenging to demonstrate and maintain, especially when assets reside both on-premises and in the cloud. However, automation and risk-based assessment of access requests can streamline the access management process in the face of dissolved network boundaries. Such automation accomplishes this by extending governance uniformly throughout the IT ecosystem, making it easier to meet compliance requirements consistently. Likewise, implementing risk-based data governance helps provide consistent controls no matter where the data resides.
Costs and Labor
Extra security also means extra costs, so agency leaders need to keep that in mind. The external assessment comes in the form of third-party auditors, or C3PAOs, required under the CMMC framework. Hiring the auditors and going through the audit process will add expenses and time investments to your operations. Some estimates show that the typical assessment audit program will cost between $20,000 and $40,000. However, continuous monitoring and tracking of controls provide the evidence auditors will require, minimizing employee time invested.
Of course, it isn’t easy to manage subcontractor access and guarantee that it is appropriately scoped and provisioned. It can also be a challenge to ensure their access is removed when they leave. Because all DoD contractors and subcontractors will need to be CMMC compliant by Oct. 1, 2025, it’s recommended that prime contractors begin working with their subcontractors to develop the relevant compliance programs. That doesn’t have to be a challenge, however. Vendor access management solutions can oversee contractor access to sensitive materials and manage that access throughout the vendor-subcontractor lifecycle.
Finally, meeting the evidentiary burden of the CMMC requirements can be difficult. You’ll need to prove that you’re constantly and consistently meeting the requirements. That process can be labor-intensive if the proper evidence isn’t readily available or adequately tracked. That’s why it’s in your best interest to automate your evidence collection.
Complying With CMMC Security Requirements
Several prominent data breaches in the last few years, including the Office of Personnel Management breach in 2015, have made CMMC standards necessary. Add to that the growth of cloud computing and the recent shift to blended work environments, and it’s clear the standards are vital for the future of data security. Getting ahead of the shift and finding ways to meet the requirements will be critical for contractors hoping to continue working in the federal sphere. Luckily, the various tech solutions mentioned above can help make this easier!