What Defense Contractors Need to Know About CMMC.

What Defense Contractors Need to Know About CMMC.

National security concerns highlight the importance of data security for defense companies!

Beyond the threat to national security, cyberattacks can disrupt supply chains, increase costs, delay scheduling, and cause significant financial and reputational damage.

That’s why the Cybersecurity Maturity Model Certification (CMMC) was introduced in January 2020! CMMC is a certification framework whose purpose is to secure the US defense industry and their associated Controlled Unclassified Information (CUI) and/or Federal Contract Information (FCI).

Contractors audited by the Department of Defense and found to be non-compliant could face an immediate stop-work order. In such a situation, work will be suspended until the firm implements suitable security measures.

CMMC is not a one-size-fits-all because it consists of five different cybersecurity maturity levels compared to existing security frameworks. CMMC applies to all DOD contractors, including subcontractors, who will be required to be fully certified by 2026.

The CMMC level of security a company should hold is determined on the security requirement needs for each defense contract. So, contractors and subcontractors alike will need to decide what CMMC level best suites their business operation.

The framework is categorized into high level domains, capabilities and practices and processes.

  • DOMAINS – key of set capabilities for cybersecurity, there are 17 total domains
  • CAPABILITIES – achievements to ensure cybersecurity within each domain
  • PRACTICES & PROCESSES - activities required by level to achieve a capability

17 Capability Domains

Access Control (AC) Incident Response (IR) Risk Management (RM) Asset Management (AM)
Maintenance (MA) Security Assessment (CA) Awareness and Training (AT) Media Protection (MP)
Situational Awareness (SA) Audit and Accountability (AU) Personnel Security (PS) System and Communications Protection (SC)
Configuration Management (CM) Physical Protection (PE) System and Information Integrity (SI) Identification and Authentication (IA)
Recovery (RE)

CMMC Model with 5 levels measures cybersecurity maturity

Level 1 Basic Cyber Hygiene 17 Performed 0
Level 2 Intermediate Cyber Hygiene 72 Documented 2
Level 3 Good Cyber Hygiene 130 Managed 3
Level 4 Proactive 156 Reviewed 4
Level 5 Advanced/Progressive 171 Optimizing 5

Level 1 – Basic Cyber Hygiene. Includes basic cybersecurity, including universally accepted common best practices.

Level 2 – Intermediate Cyber Hygiene. Includes universally accepted cybersecurity best practices. Practices are documented, and access to CUI data will require multi-factor authentication.

Level 3 – Good Cyber Hygiene. Includes coverage of all NIST Special Publication 800-171 controls. Processes at Level 3 are maintained and followed, including a comprehensive knowledge of cyber assets.

* The NIST SP 800-171 requirements ensure that firms working with the Department of Defense has standardized methods in place to protect sensitive information.

Level 4 – Proactive. Includes advanced and sophisticated cybersecurity practices. Methods are regularly reviewed, adequately resourced, and continuously improved.

Level 5 – Advanced / Progressive. Includes highly advanced cybersecurity practices, include continuous improvement across the enterprise and defensive responses performed at machine speed.

Contractors are no longer allowed to self-assess and will be required to obtain certification by an Authorized and Accredited Third Party Assessment Organization (C3PAO) and must be renewed every three years.

As a SOC2 certified, Managed Service Security Provider (MSSP), our team at LANAIR has already helped several DOD manufacturers and Aerospace companies navigate through CMMC NIST 800-171 to become compliant and meet the cybersecurity requirements!

It’s a lot of information to take in and getting certified will not occur overnight. Let us help your organization discover and classify all of the sensitive data you have, where it is located, and how it is being treated.

Send us an email to start@lanairgroup.com to complete an internal/external vulnerability assessment based on CMMC and NIST Framework Guidelines prior to scheduling a CMMC assessment with a C3PAO.