Measuring your Corporate Cybersecurity Program against the CMMC Framework

The CMMC framework is the cybersecurity standard the U.S. Department of Defense (DoD) developed to assess and enforce the cybersecurity practices and processes that its contractors must implement. Implementing the framework properly lets small and medium-sized enterprises identify the cyber threats they face and the countermeasures they can afford, and positions them to win federal government contracts.

The Cybersecurity Maturity Model Certification (CMMC) is a certification that contractors and subcontractors in the federal services industry must obtain. The DoD introduced the framework to verify that the cybersecurity practices and processes used to protect Controlled Unclassified Information (CUI) stored on Defense Industrial Base (DIB) networks are actually in place, rather than relying on the self-attestation that the earlier NIST SP 800-171 requirements allowed. Holding the CMMC level called for in a solicitation allows an organization to bid for that DoD contract.

The scrutiny that comes with this framework has led organizations in the federal services industry to adopt it, since it spells out what the federal government regards as essential cybersecurity. Handling sensitive data owned by the federal government carries strict compliance requirements. In simple terms, an organization may not receive or share CUI under a DoD contract unless it meets the CMMC level that contract requires.

Among cybersecurity standards such as NIST SP 800-171, NIST SP 800-53, ISO 27001, and AIA NAS9933, the CMMC framework stands in the front line because it draws those sources together into a single, verifiable model: practices are assessed by an accredited third-party assessor rather than self-attested. CMMC is a maturity model that helps protect the confidentiality and integrity of data across the DoD supply chain. There are five certification levels in the original CMMC model (version 1.0), and they mirror the maturity of an organization's cybersecurity program.

Based on an organization's certification level, the government gauges that organization's ability to apply defensive, preventive, and corrective security controls against threats to Controlled Unclassified Information. A CMMC designation therefore raises the value of a small or midsize business and improves its visibility during federal acquisition.

Key Attributes of CMMC Framework

The five maturity levels of the CMMC framework show the preventive, detective, and corrective countermeasures organizations have taken to protect the government's sensitive data. In other words, these levels indicate an organization's level of cybersecurity resilience. The levels are cumulative: an organization must meet every practice and process of the levels below the one it is certified at, and the practice counts below are cumulative totals.

Below is an overview of these five levels:
    1. Level 01 (Basic Cyber Hygiene) – 17 practices, equivalent to the basic safeguarding requirements of FAR 52.204-21, which are a subset of NIST SP 800-171. This level protects Federal Contract Information (FCI). (Processes are performed, but need not be documented.)
    2. Level 02 (Intermediate Cyber Hygiene) – 72 practices in total (55 beyond Level 1), covering 65 of the NIST SP 800-171 security requirements plus 7 practices from other sources. This level is a transition step toward protecting Controlled Unclassified Information (CUI). (Processes are documented.)
    3. Level 03 (Good Cyber Hygiene) – 130 practices in total, covering all 110 NIST SP 800-171 requirements plus 20 additional practices. This is the minimum level for handling CUI, and organizations must establish, maintain, and resource a plan that manages their implementation of these practices. (Processes are managed.)
    4. Level 04 (Proactive) – 156 practices in total (26 beyond Level 3), drawn from sources beyond NIST SP 800-171 such as Draft NIST SP 800-171B. Organizations are expected to detect and respond to the changing tactics, techniques, and procedures of advanced persistent threats (APTs). (Processes are reviewed and measured for effectiveness.)
    5. Level 05 (Advanced / Progressive)
      • 171 practices in total (15 beyond Level 4), so that all 110 NIST SP 800-171 requirements and 61 further practices are implemented in a standardized way across the organization.
      • (Processes are optimized, including the organization's ability to detect and respond to APTs without delay.)

Understanding The Technical Contents of The CMMC Framework

The CMMC framework organizes its content into domains, each of which groups capabilities, and each capability is met through practices (technical activities) and processes (maturity activities) assigned to one or more of the five levels described above. Organizations first need to inventory the cybersecurity processes, capabilities, and practices they already have in place. Because an organization that handles data critical to the National Security objectives of the U.S. government must follow specific risk assessment processes to identify the risks to that information, a formal risk assessment belongs at the start of this work. Vulnerability testing is also a useful way to find security gaps before an assessor does.

The CMMC model groups its practices into 17 domains: Access Control, Asset Management, Audit and Accountability, Awareness and Training, Configuration Management, Identification and Authentication, Incident Response, Maintenance, Media Protection, Personnel Security, Physical Protection, Recovery, Risk Management, Security Assessment, Situational Awareness, System and Communications Protection, and System and Information Integrity.

Aligning Organizational Cybersecurity Programs with CMMC

Federal government contractors and subcontractors need to establish their current cybersecurity posture before they can implement the CMMC framework properly. Aligning an organizational cybersecurity program with CMMC therefore involves a thorough readiness assessment, a gap analysis against the practices of the target level, and an audit of incident response procedures. Aligning the organization's capabilities with the 17 domains is a vital requirement for attaining a CMMC designation.

At the outset, organizations need a System Security Plan (SSP), which NIST SP 800-171 already requires and which serves as the roadmap for maintaining the organization's cybersecurity posture. The plan should reference the organization's information security policies, such as a Data Access Policy, Disaster Recovery Policy, Backup Policy, Incident Response Policy, Risk Management Policy, Quality Assurance and Testing Policy, and Media Sanitization Policy, among others. It must also include clear system architecture diagrams that show the boundary of the systems that store or process CUI, and it must itemize employees' security roles and responsibilities.

Once a clear SSP exists, a proactive and systematic process must be maintained to keep systems patched and up to date and to keep employees' knowledge current through security awareness training. Regular monitoring, testing, and review of the resulting feedback are vital here. Once these processes run as a steady cycle, a cyber resiliency plan can be carried out by competent cybersecurity experts who specialize in small and midsize businesses within the federal services industry.

Final Thoughts

To bid for U.S. government contracts, especially in the federal services industry, compliance with the CMMC framework is mandatory, because the organization will be handling information critical to the National Security objectives of the United States. Unfortunately, small to midsize businesses are losing the opportunity to bid for contracts in the U.S. Defense Industrial Base because they lack a cohesive standard for implementing organizational cybersecurity processes.

Achieving CMMC takes a considerable amount of attention across the security domains. To improve their chances of competing for and winning federal contracts, it is critical that small to midsize businesses understand the intricacies of the CMMC framework and learn how to align their current cybersecurity programs with it.

All in all, a current cybersecurity program must be thoroughly analyzed to identify the stumbling blocks on the way to meeting CMMC requirements. Working with the cybersecurity specialists at GoldSky Security to conduct vulnerability assessments, risk analysis, and rigorous testing of security controls are the major steps in positioning any small to midsize business to achieve CMMC certification.