Are you a government contractor trying to find out what the Cybersecurity Maturity Model Certification (CMMC) is, and how it will affect your company?
The Cybersecurity Maturity Model Certification (CMMC) will be the official certifying document to prove your company’s compliance with NIST SP 800-171. The initial draft document of the CMMC version 0.4 was released to the public on August 30, 2019. The official CMMC v1 release was on January 20, 2020.
The CMMC will encompass multiple maturity levels that range from basic hygiene to advanced. These fall into five levels, which we will cover shortly. The intent of the CMMC is to identify the required level of hygiene in sections L and M of requests for proposals (RFPs) and to use these levels as a go/no-go decision for the government.
What does this mean? Basically, the RFP will determine what CMMC level your company needs to meet in order to bid on each proposal. If the RFP requires CMMC level 5, and your company only meets CMMC level 3, then you may not be able to bid on that contract.
Why is the CMMC being created?
The framework is being created in order to assess and enhance the cybersecurity posture of the defense industrial base (DIB). The CMMC is intended to serve as a verification mechanism to ensure that appropriate cybersecurity controls and processes are adequate and in place to protect controlled unclassified information (CUI) that resides on the networks of the Department's industry partners. It is intended to add measures that decrease the chances of your company being breached and that limit the damage a breach can do to your company and to the US government.
For example, let’s say your company was breached but you implemented the government’s encryption standards on all of your CUI systems. While your network has been compromised, the government information is still protected thus minimizing the damage to the government.
One of the most frequently asked questions is: if my company is compromised, will I lose my certification? The answer is no. An investigation will be required to find out what happened and where the breakdown in your system was that allowed the compromise. It will also determine the damage to the government based on the outcome of the breach.
From there, your company could be required to re-certify depending on whether or not the breach was due to negligence on your part.
For example, here are two scenarios from the same attack with two different outcomes. The attack is a zero-day attack, which is an attack that has never been seen before; there is no defense for it because the developer was unaware of the flaw. The scenario is that Company A and Company B both use a new accounting software package.
The software has a flaw, and the flaw allows an attacker to gain access to employees' financial data. Both companies are CMMC level 5 certified and have implemented everything the government has required. Company A is attacked on Monday and immediately notifies the government, and the software company immediately begins to develop a patch to fix the issue. The patch is made available on Thursday of the same week, and the software company notifies everyone who uses the software to apply the patch immediately.
Company B does not apply the patch and is hacked on Sunday. Both companies were hacked by the same attack, but Company A's breach was not due to negligence because no one knew of the flaw before they were attacked. Company B was made aware of the patch three days before it was attacked and did not update its system. Company B could be required to re-certify, whereas Company A is still compliant.
Remember, this is a hypothetical example, and there is no permanent guidance available yet on how this would be handled.
Now, let’s dive into the five levels of the CMMC.
Level 1 is the basic cyber hygiene level and the lowest level in the model. Level 1 practices consist of basic cybersecurity that is achievable for small companies. Level 1 processes are performed at least on an ad hoc or as-needed basis. An example of a level 1 practice would be adding antivirus to your systems.
Level 2 is the intermediate cyber hygiene level. Level 2 practices consist of universally accepted cybersecurity best practices. Level 2 processes involve the development of documentation for your security practices. An example of a level 2 practice would be adding security awareness training.
Level 3 is the good cyber hygiene level. Level 3 practices consist of implementing all of the NIST SP 800-171 controls. Level 3 processes cover how your processes are maintained and followed. An example of a level 3 practice would be adding two-factor authentication to your CUI network.
Level 4 is the proactive cyber hygiene level. Level 4 practices include advanced and sophisticated cybersecurity procedures. Level 4 processes focus on periodically reviewing your processes, ensuring that your system is properly resourced, and making improvements throughout the enterprise. An example of a level 4 practice would be including security procedures for mobile devices.
Level 5 is the advanced cyber hygiene level, and it is the highest and final level. This level consists of highly advanced cybersecurity practices and includes all of the requirements of the previous four levels. Level 5 processes focus on continuously improving security throughout the enterprise. An example of a level 5 practice would be staffing a 24-hour security operations center (SOC) to monitor your network continuously.
In summary, your CMMC level determines which RFPs you are qualified to bid on. Your company will then have to schedule a third-party CMMC auditor to certify you at the level required by the contract. More guidance will be provided to determine which third-party auditors are authorized to conduct these assessments. Please understand that the details of the CMMC are still in draft form, and there will be changes before the final product is made available. If this affects your company, we recommend that you at least download a copy of the draft; the link is provided below. You can also email us with questions at
Please contact us if you need further guidance or assistance with these new certification requirements. We provide readiness assessments and gap analyses for NIST SP 800-171 and other standards and frameworks (e.g. ISO 27001, SSAE 18 (SOC 1/2), PCI DSS, HIPAA, HITRUST).