CMMC Efforts Not Slowing Down, Steps for Preparation

Posted by Caleb Merriman Todd Walker on May 29, 2020

Cybersecurity Maturity Model Certification CMMC

By Caleb Merriman, CISO, Deltek, and Todd Walker, Vice President, Product Strategy, Deltek

One thing that is certain in these uncertain times is that the Department of Defense (DoD) is moving forward with its plans for Cybersecurity Maturity Model Certification (CMMC). Though the onset of COVID-19 has somewhat slowed assessment program efforts and the subsequent training involved, the goal to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) remains intact. As the DoD supply chain continues preparation efforts, many organizations are exploring how cloud service providers (CSPs) can help support their CMMC requirements.

CMMC Model

In January of 2020, the official CMMC model was released, and over the next few months, all organizations receiving DoD funding will need to address CMMC requirements in requests for information (RFIs) and requests for proposal (RFPs) bids. The build toward CMMC began in the earlier years of the last decade, with the primary objective being the protection of sensitive information. The origins of the compliance framework can be found in special publications from the National Institute of Standards and Technology (NIST) – NIST SP 800-171 and NIST SP 800-53 – and constructed with existing regulations, such as Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012.

CMMC addresses the protection of FCI and CUI data:

  • Federal Contract Information (FCI) - Information not intended for public release. It is provided by or generated for the government under a contract to develop or deliver a product or service to the Government.  FCI does not include information provided by the Government to the public.
  • Controlled Unclassified Information (CUI) - Information the government creates or possesses, or that an entity creates or possesses for or on behalf of the government, that a law, regulation, or government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.

Additional types of CUI data include:

  • Controlled Technical Information (CTI) – Technical information with military or space application that is subject to controls on its access, use, reproduction, modification, performance, display, release, disclosure or dissemination.
  • Covered Defense Information (CDI) – Defined in DFARS 252.204-7012 as unclassified CTI or other information, as described in the CUI registry that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations and government-wide policies.

 

CMMC is Here, Time to Move to the Cloud


Webinar

Watch Now

 


The CMMC includes 17 capability domains, 43 capabilities, 5 processes across five levels to measure process maturity and 171 practices across five levels to measure technical capability.

  • Level 1 – Basic cyber hygiene, includes 17 practices, no processes.
  • Level 2 – Intermediate cyber hygiene, includes an additional 55 practices and introduces two processes.
  • Level 3 – Good cyber hygiene, includes an additional 58 practices and additional process.
  • Level 4 – Proactive, includes an additional 26 practices and additional process.
  • Level 5 – Advanced/Progressive, includes an additional 15 practices and additional process.

Level 1 is where the DoD expects most firms to be, with select practices being documented where required. Level 2 is meant to be a stepping stone to Level 3, where firms get into the practice of documenting each practice involving CUI. Level 3 is a managed state where a policy has been put into place and maintained to cover all activities, with all CUI practices documented. Level 4 is a higher level of cybersecurity for limited incidences of highly sensitive information, where activities are reviewed and measured for effectiveness. Level 5 is the optimized zone, with a tested and standardized, documented approach seen across all applicable organizational units.

Preparing for CMMC

Previously, the various cybersecurity standards and best practices that CMMC is based on were largely self-certified. What has changed is that a certified third-party assessment organization (3PAO) is now required to review systems and processes for certification. To standardize this process, the DoD established a non-profit, independent organization, the CMMC Accreditation Body (CMMC-AB), to define the assessment and administration needed for certification. Currently, the CMMC-AB is in the process of licensing assessors and the firms that will serve as 3PAOs. Once an organization obtains an approved certification, it is expected to be valid for three years.

The webinar CMMC is Here, It’s Time to Move to the Cloud reviews some preparatory steps government contracting firms can take to ready their organizations.

  • Step 1 – Understand the maturity level a firm needs and identify the gaps that could prevent achieving certification
  • Step 2 – Build internal support and buy-in while building a plan to close the certification gaps
  • Step 3 – Formalize processes and controls for documenting compliance
  • Step 4 – Confirm compliance through certification then maintain and monitor compliance and lend audit support.

Leveraging CSPs can be a solid strategy for addressing many aspects of CMMC; for instance, the controls implemented in the Deltek Cloud support DFARS 252.204-7012 and NIST SP 800-171 controls which were adapted to form the basis of the CMMC framework. However, simply moving into the cloud does not automatically make a firm compliant. But it does reduce the compliance lift and can assist with getting to certification quicker and with less cost.

With Deltek’s Costpoint Cloud Solutions, the Costpoint application maintenance, databases, operating systems, hardware and system performance and availability no longer have to be managed by the customer. Deltek constantly monitors the health of its solution and provides many of the controls, practices, policies and procedures needed to support NIST SP 800-171 and CMMC Level 3 controls. 

Later this year, we will be releasing a new cloud offering that incorporates additional practices and controls to align with CMMC Level 4, NIST SP 800-53, FedRAMP Moderate Equivalency, and International Traffic in Arms Regulations (ITAR) requirements that will allow firms to store CDI and CTI data in the Deltek Cloud. 

Additionally, Deltek has incorporated the CMMC framework as an authoritative source that will drive the continual development of internal controls. Deltek’s cloud compliance and security postures incorporate much of the CMMC framework, and the organization is closely monitoring the CMMC assessor accreditation process for future approval. Deltek also continues to make investments that align with industry security standards, controls and industry best practices where needed for CMMC, FedRAMP Moderate Equivalency, ITAR and the next waves of cyber and data security.

What Next

Learn more about Deltek’s current approach to CMMC compliance, where the organization is headed with cloud and some additional considerations for government firms as they prepare for CMMC by watching the webinar CMMC is Here, It’s Time to Move to the Cloud.

Access these additional Deltek resources: