U.S. Department of Defense (DoD) contractors will soon have to comply with a brand-new security framework, the Cybersecurity Maturity Model Certification (CMMC). This new framework, which the DoD is rolling out in phases beginning this year and running through 2025, will impact over 300,000 organizations in the defense industrial base.
U.S. federal contractors are no strangers to compliance requirements, but adding a new framework into the mix has caused some confusion, particularly regarding how the CMMC maps to NIST requirements. Let’s examine the similarities and differences between the CMMC and NIST.
What is the CMMC?
The DoD developed the CMMC to address significant compromises of sensitive defense information in the wake of cyberattacks on defense contractors. Most significant was a string of cyberattacks on Navy contractors by Chinese spies, which were detailed in a 2018 Wall Street Journal expose. The WSJ article prompted an internal Navy cybersecurity audit, which described the military as being woefully underprepared for modern cybersecurity threats. One of the issues noted in the Navy audit was that the DoD relied on its contractors to self-report cyber vulnerabilities and incidents. This honor system resulted in very few incidents being reported.
Enter the CMMC, consisting of 171 cybersecurity best practices and five “maturity levels,” ranging from basic cyber hygiene to advanced processes. The more best practices an organization meets, the higher its maturity level, and the more contracts they’ll be eligible to bid on.
While an organization will be able to bid on a contract before receiving CMMC accreditation, the accreditation will have to be in place by the time a contract is awarded. To obtain CMMC accreditation, organizations must undergo an audit performed by a certified third-party assessment organization (C3PAO).
What’s the difference between the CMMC and NIST?
The security controls in the CMMC were drawn from several existing cybersecurity frameworks, including NIST 800-171 and NIST 800-53, the latter of which birthed the more concise NIST CSF.
One of the biggest differences is that the NIST frameworks do not include “maturity levels”; organizations have either implemented the required controls, or they haven’t. The CMMC offers organizations more flexibility. If an organization is selling low-risk services to the DoD, Level 1 or 2 may be perfectly sufficient. Further, an organization with a lower level of maturity can work towards a higher one while still servicing DoD contracts; the only caveat is that until the organization is accredited for the higher level, they can only service DoD contracts on the lower levels.
Since many NIST controls are incorporated into the CMMC, if an organization is compliant with one of the NIST frameworks, they have a head start on CMMC accreditation. However, the frameworks are not equivalent; the CMMC includes additional controls that aren’t included in the NIST frameworks. Further, in addition to assessing controls implementation, a CMMC audit also assesses an organization’s maturity processes.
Conversely, the NIST frameworks include some items that aren’t in the CMMC. For example, NIST 800-171 includes 63 Non-Federal Organization (NFO) controls. Because CMMC applies only to DoD contractors, it doesn’t address NFO.
What should organizations be doing now to prepare for the CMMC?
As of April 2021, organizations cannot yet undergo CMMC audits, as the CMMC Accreditation Body is still in the process of assessing and issuing licenses to C3PAOs. However, both current and future DoD contractors should take proactive steps to prepare for their eventual CMMC audits.
First, organizations must determine which maturity level they need to achieve to continue servicing their current DoD contracts and/or qualify for the kinds of contracts they want to bid on in the future, then review the CMMC controls associated with that level. Then, the hard work begins: assessing current controls and implementing remediation steps to bring them up to the desired CMMC maturity level.
Organizations should keep in mind that like other compliance frameworks, the CMMC should be considered a starting point for cybersecurity, not the do-all, end-all. CMMC accreditation, in and of itself, is not a substitute for comprehensive cybersecurity.