Department of Defense & CMMC
The Department of Defense (DoD) and CMMC go hand in hand. The CMMC, or Cybersecurity Maturity Model Certification, is a program created by the DoD. The objective of the DoD’s CMMC program was to make it easier and less expensive for the defense industrial base (DIB) to do business with the DoD.
DoD CMMC eliminated cumbersome and disparate security requirements to facilitate the protection of Controlled Unclassified Information (CUI) and Federal Contract Information (FCI). It also helps the DoD to objectively evaluate contractors’ cybersecurity capabilities, readiness, and sophistication.
A collection of security standards and best practices, DoD CMMC defines security requirements according to three cybersecurity maturity levels: Foundational (Level 1), Advanced (Level 2), and Expert (Level 3).
Receiving certification at each level of DoD CMMC means that an organization has met and adheres to baseline controls. DoD CMMC controls are based largely on other frameworks and inputs from existing cybersecurity standards, including the National Institute of Standards and Technology (NIST), Federal Acquisition Regulation (FAR), and Defense Federal Acquisition Regulation Supplement (DFARS).
What Is Controlled Unclassified Information (CUI)
Established by Executive Order 13556 in 2010, the CUI program standardizes how the entire Executive branch handles unclassified information. Any unclassified information created or possessed by the government or any entity that works with the government must follow the rules for CUI.
According to the Executive Order, CUI is “information that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government-wide policies, excluding information that is classified.”
Since the DoD is an agency within the Executive branch of the U.S. government, the CUI rules apply to it and to the entire Defense Industrial Base (DIB). In the case of the DIB, the DoD must ensure that CUI is not lost to cybercriminals who target non-government organizations because they can be more prone to security vulnerabilities. Hence, DoD CMMC details security measures to safeguard CUI.
What Size Organizations Are Most Susceptible to Ransomware?
At the highest level, this answer is simple: ‘everyone!’ From small businesses to medium-sized companies, all the way up to enterprises and organizations, nobody is in the clear when it comes to ransomware.
However, when you dig into the details, the answer can become much more complicated. Depending on the perception of value a criminal hacker may have regarding your data, you may be more or less susceptible to an attack.
Other factors include how critical it is that you respond quickly to a ransom demand, how weak your security controls are, and how consistently you train employees to recognize phishing emails and other ransomware tactics.
DoD & CMMC Requirements
The DoD cybersecurity requirements revolve around CMMC security controls or practices that are defined for each level.
DoD CMMC Level 1 has 17 security controls under 6 domains.
1. Access Control (AC)—4 controls
2. Identification and Authentication (IA)—2 controls
3. Media Protection (MP)—1 control
4. Physical Protection (PE)—4 controls
5. System and Communications Protection (SC)—2 controls
6. System and Information Integrity (SI)—4 controls
DoD CMMC Level 2 has 110 controls grouped under 14 domains. These controls include the DoD CMMC Level 1 controls and controls from NIST SP 800-171.
1. Access Control (AC)—22 controls
2. Awareness and Training (AT)—3 controls
3. Audit and Accountability (AU)—9 controls
4. Configuration Management (CM)—9 controls
5. Identification and Authentication (IA)—11 controls
6. Incident Response (IR)—3 controls
7. Maintenance (MA)—6 controls
8. Media Protection (MP)—9 controls
9. Personnel Security (PS)—2 controls
10. Physical Protection (PE)—6 controls
11. Risk Assessment (RA)—3 controls
12. Security Assessment (SA)—4 controls
13. System and Communications Protection (SC)—16 controls
14. System and Information Integrity (SI)—7 controls
DoD CMMC Level 3 has 130 controls grouped under 16 domains. These controls are in addition to the DoD CMMC Level 1 and Level 2 controls and include controls from NIST SP 800-171 and NIST SP 800-172.
1. Access Control—8 controls
2. Asset Management—1 control
3. Audit and Accountability—7 controls
4. Awareness and Training—1 control
5. Configuration Management—3 controls
6. Identification and Authentication—4 controls
7. Incident Response—2 controls
8. Maintenance—2 controls
9. Media Protection—4 controls
10. Physical Protection—1 control
11. Recovery—1 control
12. Risk Management—3 controls
13. Security Assessment—2 controls
14. Situational Awareness—1 control
15. System and Communications Protection—15 controls
16. System and Information Integrity—3 controls
As with any organization, DoD cybersecurity is only as strong as its weakest link. The CMMC drives DoD cybersecurity best practices and processes into the DIB. By requiring these organizations to adhere to DoD cybersecurity standards, the DoD CMMC maintains the quality and efficacy of security throughout its supply chain.
DoD Cybersecurity Maturity Model Certification
To work or sell products to the DoD, hundreds of thousands of organizations must certify compliance with DoD CMMC requirements. The processes and requirements for certification vary based on the DoD CMMC level.
Different CMMC levels are noted on all DoD RFPs. DoD CMMC Level 1 is the minimum requirement for any organization that wants to work with the DoD in any capacity. For contracts that involve handling CUI, an organization must have at least a DoD CMMC Level 2 certificate to qualify.
An organization should assess the types of contracts it wants to pursue and obtain the certifications required for those DoD CMMC levels. Since the bidding process for these contracts is onerous, organizations are encouraged to audit their security preparedness against their required DoD CMMC level before bidding. Informal internal audits can suffice for Level 1, but for DoD CMMC Level 2 and Level 3, a CMMC Third-Party Assessment Organization (C3PAO) is recommended.
A C3PAO is accredited and authorized to audit organizations that are applying for DoD CMMC certification. As part of the certification process, the C3PAO verifies and validates that the organization has implemented the cybersecurity controls required by the specified DoD CMMC level. Based on the evaluation, the C3PAO issues a pass or fail and documents any deficiencies.
The organization then has 90 days to remediate issues identified during the assessment. If the requirements are met, a certificate of compliance is issued for the DoD CMMC level the organization has achieved. The DoD CMMC certificate is valid for three years, after which the organization must undergo another assessment to be recertified.
DoD Cybersecurity in DIB Supply Chain
With DoD CMMC, cybersecurity requirements for the DIB supply chain continue to be enforced, but the process is more streamlined. Rather than have organizations struggle to meet disparate requirements from different agencies within DoD, CMMC provides a unified code for cybersecurity.
With revisions to DoD CMMC, the burden is further reduced by aligning the requirements with federal guidelines that are utilized by other agencies outside of DoD, such as the National Institute of Standards and Technology Special Publication 800-171 (NIST SP 800-171), NIST SP 800-172, and 48 Code of Federal Regulations 52.204-21 (48 CFR 52.204-21), commonly referred to as the FAR Clause or FAR 52.204-21.
While considered to be stringent, DoD CMMC ensures the safety and surety of CUI and FCI while increasing organizations’ overall security posture and their lines of defense against the continuous cyberattacks by nation-states and other criminals.
Egnyte has experts ready to answer your questions. For more than a decade, Egnyte has helped more than 16,000 customers and millions of users worldwide.
Last Updated: 28th July, 2022