The Cybersecurity Maturity Model Certification (CMMC) is a framework developed by the U.S. Department of Defense (DoD) to ensure that contractors handling sensitive information meet adequate cybersecurity standards. It aims to enhance the protection of controlled unclassified information (CUI) within the defense industrial base (DIB) supply chain.
The first version of CMMC, CMMC 1.0, is built on existing regulations and standards such as National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 and integrates various cybersecurity best practices. It consists of five maturity levels, each requiring more cybersecurity maturity than the one below it, ranging from basic cyber hygiene to advanced capabilities. These five maturity levels are:
- Level 1: Basic Cyber Hygiene
- Level 2: Intermediate Cyber Hygiene
- Level 3: Good Cyber Hygiene
- Level 4: Proactive
- Level 5: Advanced/Progressive
The CMMC framework specifies a set of practices and processes that contractors must implement based on the level of certification required for a particular contract. These practices include access control, incident response, system protection, secure communications and asset management.
Contractors working with the DoD and its supply chain partners must undergo a CMMC assessment conducted by accredited third-party assessment organizations to demonstrate compliance with the specified cybersecurity requirements. The level of certification required for a particular contract is determined by the sensitivity of the information being handled.
CMMC 2.0 Likely in 2025
The DoD is revising the CMMC requirements as part of a rulemaking process expected to be completed by the end of 2024, with enforcement likely beginning in 2025. The key changes being proposed for CMMC 2.0 include the following:
Streamlining:
- Reduces the number of maturity levels from five to three
- Leverages widely used NIST cybersecurity standards
Assessments:
- Expands the use of self-assessment to reduce compliance costs
- Increases oversight of professional and ethical standards of third-party assessors
Implementation:
- Allows companies, under certain circumstances, to use a plan of action and milestones (POA&M) to achieve certification
- Permits the government to waive CMMC requirements under certain limited circumstances
New Credential Management Requirements
According to Mike Eppes, director of public sector at Keeper Security, CMMC 2.0 is expected to include new credential management requirements, such as requiring contractors to verify that employees’ passwords are not on the commonly used passwords list, ensuring passwords are encrypted, and enforcing complex password rules.
Eppes noted that during third-party assessments, contractors will be required to demonstrate that they use an advanced cloud authentication and network model with the highest level of privacy and security and an encrypted password vault for each end user.
MBL Technologies is a DoD CMMC registered provider organization. Some of our CMMC services include consultation and training to assess the impact of CMMC for your organization, and subject matter expertise to help close your POA&M. We also provide comprehensive cybersecurity services for long-term, sustainable solutions that address every facet of the evolving threat landscape. Contact us today to get started.