• Platform
      • Capabilities
          • Proactive and Runtime Risk Management
          • Hybrid Multicloud Risk Management
          • Microsegmentation And Zero Trust
          • Threat-based Vulnerability and Configuration Security Management
          • Integrated IT Risk Management
          • Cloud Governance, Risk and Compliance
      • Features
          • Neural-Insight™ Engine
          • Agentless Architecture
          • Application Centricity
          • DefenseBot™ Auto-Remediation
          • Analytics-Driven Mitigation Prioritization
          • Scanner for Security and Compliance
          • 30+ Global Compliance Controls Catalog
          • Built-in Threat Intelligence and Vulnerability Database
    Close
  • Solutions
      • SOLUTIONS
        • Integrate Security and Compliance throughout Development and Operations
        • CNAPP
          Cloud-Native Application Protection Platform
        • Implement Industry leading monitoring, assessment, and remediation for hybrid multicloud
        • CSPM
          Cloud Security Posture Management
        • CWPP
          Cloud Workload Protection Platform
        • Implement a unified approach to security and compliance for hybrid multicloud
        • ITRM
          Integrated IT Risk Management
        • GRC
          Cloud Governance, Risk and Compliance
        • Caveonix Cloud Plans
        • Essential
        • Professional
        • Business
        • Enterprise
      • INDUSTRY
        • People workingFinancial
        • US CapitalGovernment
        • ShoppingRetail
        • healthcareHealthcare
        • Service providerService Provider
    Close
  • Partners
      • JOIN OUR PARTNER NETWORK
      • FIND A PARTNER
      • PARTNER LOGIN
      • GLOBAL STRATEGIC PARTNERS
        • aws
        • imbcloud
        • Vmware
    Close
  • Blog
  • Company
      • LEADERSHIP
      • KAUS PHALTANKAR
        Co-Founder and CEO
      • TIM SULLIVAN
        Co-Founder and Executive Chairman
      • TIM RYDER
        CFO
      • SENTHIL MOHAN
        CTO
      • BOARD OF DIRECTORS
      • KAUS PHALTANKAR
        Co-Founder and CEO
      • TIM SULLIVAN
        Co-Founder and Executive Chairman
      • TOM E. NOONAN
        Director
      • TOM MCDONOUGH
        Director
      • Careers
      • CONTACT US
      • CAVEONIX US HEADQUARTERS
        7777 Leesburg Pike, #303 South
        Falls Church, VA, 22043 USA
      • P: 1-833-GoCaveo
        (1-833-462-2836)

      • E: [email protected]
    Close
  • Resources
      • RESOURCES
        • Videos
        • Press Release
        • Media Coverage
        • Collateral
        • White Papers
        • Customer Support
    • Cloud Security Hub
    Close
  • Request Demo

A Guide to Get Ready for CMMC

  • February 22, 2021
  • Written by :

    Kaus Phaltankar, CEO & Co-Founder, Caveonix

  • Compliance Management
  • Governance Risk and Compliance (GRC)

In the Western world, many advanced defense technologies are not developed in government labs. Groups of contractor partners, from major corporations to small suppliers, work together with the Department of Defense (DoD) and federal agencies and make up the supply chain within the Defense Industrial Base (DIB). Each of these partners brings a unique set of capabilities to a federal project and is often involved at varying stages of the project lifecycle.

Like every other nation state, the U.S. has set up its cyber defense arm with both offensive and defensive capabilities to safeguard these proprietary technologies and communications between the DoD and its DIB contractors. Until recently, contractors handling unclassified information could self-attest to their adherence to required cybersecurity measures. But with attack surfaces expanding and instances of cyber warfare in recent years, such as the SolarWinds supply chain attack, the DoD was prompted to create a better system to monitor the cyber defense posture of its supply chain partners.

Hackers looking to infiltrate federal projects usually seek out the “soft underbelly” in the supply chain, such as smaller contractors who do not have the most advanced cyber protection. They can gain access to emails and file shares when there isn’t adequate protection in place, which can allow even deeper access into the supply chain and end with disastrous results. While not a direct example from the U.S., cyber warfare is a looming threat, with countries like Russia and Ukraine engaging in cyber battles that resulted in the loss of communications infrastructure of the Ukrainian armed forces. There also have been instances of an Advanced Persistent Threat, or APT, coming from laptops manufactured in China that had a built-in hardware capability to slowly extract information from the network, making it more difficult to detect.

With these instances of cyber warfare and broader attack surfaces in mind, the DoD announced its Cybersecurity Maturity Model Certification, or CMMC, in January 2020. CMMC is a unified standard for implementing cybersecurity across the DIB. Through this standard, the DoD can better understand each supply chain partner’s level of “maturity,” or how effective their defense posture is to protect sensitive government information and thwart attacks.

The CMMC is composed of five certification levels, reflecting the effectiveness of a company’s cybersecurity infrastructure. Each level has different security requirements, which build upon one another and become more complex the higher they go. Depending on their role and level of involvement in a particular project, companies in the DIB supply chain will have to meet the associated level of maturity. Here’s a brief overview of each level in the CMMC framework:

Reference: CMMC Model

  • Level 1 – requires basic cyber hygiene, like the use of antivirus software and changing passwords frequently
  • Level 2 – requires documentation of intermediate cyber hygiene practices to protect Controlled Unclassified Information (CUI)
  • Level 3 – requires an institutionalized management plan to implement good cyber hygiene practices safeguarding CUI
  • Level 4 – requires the implementation of processes for reviewing and measuring the effectiveness of these practices and enhanced protection measures
  • Level 5 – requires standardized and optimized processes across the organization and enhanced capabilities to detect APTs

While contractors will remain responsible for implementing their cybersecurity requirements under CMMC, this new system shifts the responsibility of monitoring to independent parties, as compliance assessments will be completed by third-party auditors, or a CMMC Third Party Assessment Organization (C3PAO). C3PAOs must also be accredited by the CMMC Accreditation Body, and this process is currently underway. As of Dec. 1, 2020, the CMMC rule change has been finalized and can now be included in the requirements of government contracts. While the rule is now final, DoD officials have reported the requirements will be rolled out over the next five years to provide time for contractors to receive their assessments from a C3PAO.

As government contractors begin preparations for CMMC compliance, Caveonix has an all-in-one solution to help manage your CMMC certification package. Our Caveonix cloud solution, as a SaaS or dedicated deployment, provides complete security, compliance, and governance modules. For larger entities running multiple programs, our multi-tenancy capability allows you to onboard all your partners and manage programs from the baseline to continuous monitoring under your own umbrella. We offer the complete solution so DoD contractors can build, implement and manage their CMMC certification program easily and cost effectively.

If you need enhanced cybersecurity and compliance management to obtain CMMC, contact us to learn how Caveonix can help.

Copyright © Caveonix 2023. All rights reserved.
