If your small business does work for the Department of Defense as a contractor or plans to do so in the future, you will be responsible for meeting a set of security requirements known as the Cybersecurity Maturity Model Certification, or CMMC.
This program is aimed at helping our country to protect sensitive national security information. For companies that work in the Defense Industrial Base, or DIB, it is essential to have the right cybersecurity practices in place to protect against increasingly sophisticated adversaries trying to gain access to this information.
The CMMC framework is an enhanced set of standards that has been put in place to ensure the protection of national security information including that which supports and enables the warfighter. In short, it protects all sensitive unclassified information that is shared by the Department of Defense with contractors and subcontractors.
CMMC was originally introduced in January 2020 outlining five levels aimed at protecting Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). It added 20 additional, unique requirements to the 110 security controls in NIST SP 800-171. A new, more streamlined version of the program, referred to as CMMC 2.0, was announced in November 2021.
Which Small Businesses Must Comply?
Given the far-reaching nature of the defense industry, more than 300,000 businesses will be required to adhere to CMMC’s requirements upon the final rulemaking. Any company that receives stores, processes, or transmits FCI and/or CUIfor defense-related contracts, whether as a prime contractor or a subcontractor, regardless of the level of the supply chain involved, will be required to be in compliance with CMMC. In these cases, it is essential for the business to understand what type of information they handle and what constitutes a program-defined CUI or FCI.
This may include specifications, procedures, and drawings that could impact government work and the warfighter. Small businesses uncertain about the implications to them should read their contracts, and future solicitations, carefully. Contracts or solicitations that refer to DFARs 252.204-7012, which signifies compliance with NIST SP 800-171, will also be required to comply with CMMC.
What Are The Requirements?
In the original version of CMMC, there were five levels of compliance; this was condensed into three levels in the updated CMMC 2.0. At a minimum, DoD contractors and subcontractors who deal with Federal Contract Information are required to meet the 17 practices laid out in Level 1 and complete an annual self-assessment submitting the results with an affirmation by a senior company official into SPRS. Many companies find that they already meet the Level 1 requirements, which relate to basic cyber hygiene.
For companies that handle FCI and CUI, Level 3 certification was required under CMMC 1.0, which includes 130 controls aimed at protecting CUI. A select group of small businesses that handle critical information that needs protection from Advanced Persistent Threats were required to reach levels four and five. However, this only applied to around 1% of DoD contractors. The original requirements went into effect in January of 2021.
In November 2021, the Department of Defense announced that it had revamped the Cybersecurity Maturity Model Certification to make it more affordable, particularly for small businesses, and to clarify and align the requirements to other federal requirements and commonly accepted standards. With the new model came an overhauling of third-party assessments to allow for a more precise focus on the Advanced and Expert level requirements.
Under the updated version of CMMC, there are just three levels rather than the previous five. Level 1 remains the same, while the new level 2 is on par with the previous Level 3 with some significant differences. Finally, the new Level 3 is comparable to the old Levels 4 and 5 with a few noteworthy changes..
Here is a closer look at the CMMC requirements for small businesses under CMMC 2.0.
Level 1 (Foundational)
Level 1 is made up of 17 basic cybersecurity practices that are required for protecting Federal Contract Information. All federal contractors are required to implement these protections for FCI before they are allowed to execute contracts and subcontracts.
The 17 practices contained in this level are considered general good cyber hygiene practices for all businesses. Many small businesses already have some or all of these practices in place.
- Using passwords and PINs for restricting logins to ensure only authorized users can access systems
- Assigning accounts user access privileges that limit the types of functions and transactions authorized users can carry out
- Ensuring networks the business connects to are secure and limiting the use of external information systems
- Limiting where information is shared and posted, particularly when it comes to publicly accessible information systems
- Creating accounts for all employees so that users, processes and devices can be tracked
- Using password authentication to verify the identities of users, processes and devices before granting access to organizational information systems
- Destroying or sanitizing information system media that contains FCI before reusing or disposing of it
- Limiting the physical access to information systems and equipment, along with their operating environments, to authorized parties
- Supervising visitors and monitoring their activity
- Maintaining audit logs of which users accessed which information and when
- Managing and controlling physical access devices
- Keeping the business’s computers and communications inside a firewall
- Setting up a secure network for internet access with subnetworks for publicly accessible system components that are separated from the internal networks
- Installing updates and patches in a timely manner
- Using antivirus systems appropriately to protect from malicious code
- Updating the business’s mechanisms for malicious code protection when new releases are made available
- Performing real-time antivirus scans of files that come from external sources as they are downloaded, opened and executed, and carrying out regular scans of information systems
Level 2 (Advanced)
Some of the biggest changes in CMMC 2.0 can be seen at the new Level 2. Like the previous Levels 2 and 3, this level is for Defense Industrial Base members who handle more sensitive information that is referred to as Controlled Unclassified Information (CUI) and requires significantly greater safeguarding.
This level is aligned with NIST SP 800-171 and also requires small businesses to be compliant with FAR 52.204-21.
Some of the components involved include:
- Implementing DNS filtering services
- Managing non-vendor support products separately
- Using spam protection mechanisms for the business’s information system access entry and exit
- Analyzing and triaging events to support resolutions
- Defining procedures for handling CUI data
- Performing comprehensive data backups regularly
- Protecting wireless access with authentication and encryption
The domains involved in Level 3 compliance are:
- Access Control (AC)
- Asset Management (AM)
- Audit and Accountability (AU)
- Awareness Training (AT)
- Configuration Management (CM)
- Identification and Authentication (IA)
- Incident Response (IR)
- Maintenance (AM)
- Media Protection (MP)
- Physical Protection (PE)
- Recovery (RE)
- Risk Management (RM)
- Security Assessment (CA)
- System and Communications Protection (SC)
- System and Information Integrity (SI)
Many of the contractors associated with foundational Level 1 as well as a subset of advanced Level 2 programs will be allowed to perform annual self-assessments, while a portion of advanced Level 2 programs – those contractors who manage information that is critical to national security – will be required to undergo third-party assessments every three years.
Level 3 (Expert)
The Level 3, or Expert, practices build on Levels 1 and 2 in addition to a subset of NIST SP 800-172 requirements, much like Levels 4 and 5 in CMMC 1.0. Some of these important practices include:
- Detecting, analyzing and mitigating malicious action scripts
- Reviewing systems annually with the latest threat intelligence in mind
- Identifying and correcting improper log management activities
- Setting up and managing an active response team that is available around the clock
- Employing automated response actions and asset tracking in real time
How Does CMMC 2.0 Impact Small Businesses?
For many small businesses, one of the most positive aspects of CMMC 2.0 is that it eliminates the maturity process requirements found in the previous version. These were originally implemented to address the maturity of the cybersecurity practices taking into account the continuous improvement and life cycle rather than a single point in time evaluation. This change made CMMC compliance much more attainable for small businesses due to the level of effort and costs associated with documenting the maturity.
Another noteworthy component of CMMC 2.0 is the allowance of a Plan of Actions and Milestones (POA&M), allowing a subset of requirements to be achieved within a clearly defined timeline beyond the awarding of the contract. These can be thought of as work instructions that explain how a business will remediate deficiencies found in its cybersecurity program.
Many small businesses find deficiencies when they compare their cybersecurity practices to the requirements. Under CMMC 1.0, businesses had to have a perfect cybersecurity program when they were assessed, and this is something in which many younger small businesses struggled.. While there is a subset of the most important requirements not allowed in POA&Ms, the opportunity for limited use will still give small businesses more flexibility when it comes to obtaining certification.
How To Ensure Compliance
CMMC requirements are very complex, and although CMMC 2.0 aims to streamline the process, it can still be a significant burden for many small businesses to stay on top of compliance. Businesses often partner with a cybersecurity advisory service to ensure that they remain compliant and can continue to operate as a DoD contractor.
Prepare Your Small Business For CMMC Compliance
Vaultes offers small businesses a suite of convenient solutions for ensuring CMMC compliance. Our cybersecurity professionals are Subject Matter Experts ready to perform readiness and gap assessments, provide consultations, or assist with remediation efforts to support your small business in its CMMC journey. Get in touch today to learn more about our services.