An Explanation of All 17 Required CMMC 2.0 Level 1 Controls

The Cybersecurity Maturity Model Certification (CMMC) is the result of a push by the Department of Defense (DoD) to protect the sensitive but unclassified information that its contractors handle daily.

CMMC 2.0, the second version of the program, was announced in November 2021. It will affect every DoD contractor, and every member of their supply chains, that handles federal contract information (FCI) or controlled unclassified information (CUI). At the time of writing, DoD projects that final rulemaking on CMMC 2.0 will occur between July 2022 and December 2023.


CMMC 2.0 Levels, Explained

Before reading the controls and blindly trying to follow them, you need to understand how CMMC 2.0 works.

As it stands today, DoD contractors are already obligated to implement these cybersecurity requirements: the Level 1 practices are the basic safeguarding requirements of 48 CFR 52.204-21, which has been flowing down in contracts since 2016.

CMMC 2.0 adds enforcement to those requirements. Every contractor must evaluate its compliance with the mandatory practices through either annual self-assessments or triennial third-party assessments, depending on the level its contracts require.

The third-party assessment component of CMMC 2.0 may only affect about a quarter of DoD contractors: those that handle CUI on contracts deemed critical to national security.

There are three levels in total, each building on the one below it with stricter requirements:

  • Level 1 (Foundational): 17 practices derived from the basic safeguarding requirements of 48 CFR 52.204-21, verified by annual self-assessment.

  • Level 2 (Advanced): the 110 security requirements of NIST SP 800-171 Rev 2, verified by a triennial third-party assessment for prioritized acquisitions and by annual self-assessment for the rest.

  • Level 3 (Expert): the Level 2 requirements plus a subset of NIST SP 800-172, assessed by the government.

The new Level 3 is the highest level of CMMC 2.0 that any contractor may achieve. Only government assessors will perform assessments at this level.

On the flip side, Level 1 is the foundational level and the one the bulk of DoD contractors will need. The only defense industrial base companies that won't need Level 1 are those that supply only commercial off-the-shelf (COTS) products and never receive FCI.

Avoiding False Claims Act Liability

Any contractor who doesn't take this regulation seriously risks losing its DoD contracts and facing penalties under the False Claims Act (FCA).

In October 2021, the Department of Justice (DOJ) launched the Civil Cyber-Fraud Initiative, which further incentivized whistleblowers to identify, among other things, contractors that claim to perform cybersecurity practices they in fact do not. Under the FCA, contractors face liability for:

  • Knowing failures to meet cybersecurity standards.

  • Knowing misrepresentations of security controls and practices.

  • Failing to report suspected breaches in a timely manner.

A contractor that violates the FCA is liable for treble damages (three times the government's loss) plus a civil penalty of more than $11,000 per false claim. In fiscal year 2019 alone, the DOJ obtained more than $3 billion in settlements and judgments from FCA cases and other fraud matters, and in fiscal year 2020 it collected over $2.2 billion. Whistleblowers receive between 15 and 30% of the recovery, depending on whether the government intervenes in the case.

In other words, it’s time to make sure you’re performing your current cybersecurity requirements. If you haven’t documented your compliance with these basic requirements, now is the time to get your house in order.

CMMC Level 1 Practices and Controls

To stay within the scope of this blog post, I'm going to cover only the required CMMC Level 1 controls. Level 1 is the foundational level of CMMC, and it applies to any DoD contractor or supplier that handles FCI.

As far as the practices at this level go, all that's required is "basic cyber hygiene". The 15 basic safeguarding requirements in 48 CFR 52.204-21 correspond to 17 of the security requirements in NIST SP 800-171 Revision 2, which is why each practice below is listed with its NIST source requirement.

The CMMC 1.02 Assessment Guide did a good job of discussing these controls in more detail and of giving examples of evidence that would demonstrate sufficient adoption. Until the CMMC-AB or the DoD releases further guidance, that guide is still helpful for companies looking to achieve Level 1.

Adhering to these practices is not a one-time activity. Contractors should review their vulnerabilities, assess risk on an ongoing basis and document their efforts along the way. If you're looking for an easy-to-use solution to track your performance of these required practices and store evidence demonstrating your compliance, sign up for a free 30-day trial of our CMMC 2.0 Compliance Management solution.

This low-cost software-as-a-service product lets you pair evidence with each practice at the information-system and assessment-objective level, and have that evidence validated by either internal (CIO) or external (consultant) resources. It also lets you build out a plan of action and milestones (POA&M), assign and manage tasks, and maintain a working system security plan (SSP).

Access Control (AC)

The access control (AC) domain covers who and what may reach your systems and network, and what they may do once connected: user privileges, connections to external systems, and what is allowed onto publicly accessible systems.

Under CMMC 2.0 the practices are renamed after their NIST source requirement (AC.L1-3.1.1 and so on), but the CMMC 1.02 identifiers below are still widely used. The four AC practices required at Level 1:

  • AC.1.001 - aligns to NIST SP 800-171 Rev 2 3.1.1: limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems).

  • AC.1.002 - aligns to NIST SP 800-171 Rev 2 3.1.2: limit system access to the types of transactions and functions that authorized users are permitted to execute.

  • AC.1.003 - aligns to NIST SP 800-171 Rev 2 3.1.20: verify and control/limit connections to and use of external systems.

  • AC.1.004 - aligns to NIST SP 800-171 Rev 2 3.1.22: control information posted or processed on publicly accessible systems.
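The evidence an assessor wants for AC.1.001 and AC.1.002 is a periodic access review: the accounts that can actually log in, and the accounts that hold privileged functions, compared against the roster management has authorized. The script below is an added example (not from this post, the CMMC-AB or NIST) of such a review for a Linux host. The host name build01, the sample /etc/passwd and /etc/sudoers contents, and the authorized rosters are all constructed for the example.

```python
"""Account and privilege review for AC.1.001 / AC.1.002 (NIST SP 800-171 3.1.1, 3.1.2).

Compares the accounts that can actually log in to a Linux host, and the sudo
grants on it, against the roster of users and administrators that management
has authorized, and reports every gap as a finding.  The host, roster and
sample files are constructed for this example.
"""
import re

# Shells that make an account non-interactive; such accounts are not logins.
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/usr/bin/false"}

# Constructed /etc/passwd from a hypothetical host "build01".
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
jsmith:x:1001:1001:Jane Smith:/home/jsmith:/bin/bash
contractor7:x:1002:1002::/home/contractor7:/bin/bash
svc-backup:x:1003:1003::/var/backups:/usr/sbin/nologin
oldadmin:x:0:1004:Former admin:/home/oldadmin:/bin/bash
"""

# Constructed /etc/sudoers from the same host.
SAMPLE_SUDOERS = """\
# /etc/sudoers
Defaults env_reset
root        ALL=(ALL:ALL) ALL
jsmith      ALL=(ALL) ALL
contractor7 ALL=(ALL) NOPASSWD: ALL
%wheel      ALL=(ALL) ALL
"""

# Hypothetical access-authorization record for build01.
AUTHORIZED_USERS = {"root", "jsmith", "svc-backup"}
AUTHORIZED_ADMINS = {"root", "jsmith"}


def parse_passwd(text):
    """Return {user: (uid, shell)} for each well-formed passwd entry."""
    accounts = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7 or line.startswith("#"):
            continue  # blank or malformed line; skip rather than crash
        user, _, uid, _, _, _, shell = fields
        accounts[user] = (int(uid), shell)
    return accounts


# user_or_%group  hosts=(runas) command_spec
SUDO_RULE = re.compile(r"^(?P<who>%?[\w.-]+)\s+\S+=\(.*?\)\s+(?P<spec>.+)$")


def parse_sudoers(text):
    """Return {principal: command_spec}, skipping comments and Defaults lines."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        match = SUDO_RULE.match(line)
        if match:
            rules[match.group("who")] = match.group("spec")
    return rules


def review_access(passwd_text, sudoers_text, authorized_users, authorized_admins):
    """Return a list of (severity, principal, reason) findings."""
    findings = []
    accounts = parse_passwd(passwd_text)
    sudo_rules = parse_sudoers(sudoers_text)

    for user, (uid, shell) in accounts.items():
        interactive = shell not in NOLOGIN_SHELLS
        # 3.1.1: every account that can log in must appear on the roster
        if interactive and user not in authorized_users:
            findings.append(("high", user, "interactive account not on authorized roster"))
        # 3.1.2: a second uid-0 account is root-level function outside the admin set
        if uid == 0 and user != "root":
            findings.append(("high", user, "uid 0 account other than root"))

    for who, spec in sudo_rules.items():
        if who.startswith("%"):
            # Group rules only resolve against group membership; flag for follow-up.
            findings.append(("info", who, "group sudo rule; verify group membership against admin roster"))
        elif who not in authorized_admins:
            # 3.1.2: sudo is a privileged function reserved for authorized admins
            findings.append(("high", who, f"sudo rule present: {spec}"))
        elif "NOPASSWD" in spec:
            findings.append(("medium", who, "passwordless sudo weakens the authentication step"))
    return findings


if __name__ == "__main__":
    for severity, who, reason in review_access(
        SAMPLE_PASSWD, SAMPLE_SUDOERS, AUTHORIZED_USERS, AUTHORIZED_ADMINS
    ):
        print(f"[{severity:6}] {who}: {reason}")
```

Run against the sample files it flags the unrostered contractor account, the stale duplicate-root account, and the contractor's sudo rule, and leaves the no-login service account alone. Keeping the dated output of a run like this alongside the signed roster is exactly the kind of evidence the assessment guide asks for; on a real host you would feed it the actual /etc/passwd and /etc/sudoers (plus sudoers.d) rather than the constructed strings.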

Identification and Authentication (IA)

The Identification and Authentication (IA) domain is about knowing who, or what, is on your systems: every user, process acting on a user's behalf, and device must be identified, and that identity must be verified before access is granted. It works hand in hand with AC, because access can only be limited to authorized users if the system can tell who is asking, and it is what makes activity traceable for reporting and accountability.

There are only two IA practices at CMMC Level 1:

  • IA.1.076 - aligns to NIST SP 800-171 Rev 2 3.5.1: identify system users, processes acting on behalf of users, and devices.

  • IA.1.077 - aligns to NIST SP 800-171 Rev 2 3.5.2: authenticate (or verify) the identities of those users, processes, or devices as a prerequisite to allowing access to organizational systems.

Media Protection (MP)

Media Protection (MP) covers identifying, tracking and maintaining the system media (drives, removable media, printouts) that hold FCI, including policies on protection, sanitization and transport.

CMMC Level 1 contractors have only one MP practice to focus on, and it deals with sanitizing media before it leaves your control:

  • MP.1.118 - aligns to NIST SP 800-171 Rev 2 3.8.3: sanitize or destroy system media containing FCI before disposal or release for reuse.

Physical Protection (PE)

Physical protection is an often overlooked domain. Sure, most organizations implement a sign-in process and badge readers that restrict access to certain parts of the building. Yet not every organization escorts visitors for their entire stay or keeps a log of who entered and when. The PE practices cover exactly that.

CMMC Level 1 contractors must implement the following PE practices:

  • PE.1.131 - aligns to NIST SP 800-171 Rev 2 3.10.1: limit physical access to organizational systems, equipment, and the respective operating environments to authorized individuals.

  • PE.1.132 - aligns to NIST SP 800-171 Rev 2 3.10.3: escort visitors and monitor visitor activity.

  • PE.1.133 - aligns to NIST SP 800-171 Rev 2 3.10.4: maintain audit logs of physical access.

  • PE.1.134 - aligns to NIST SP 800-171 Rev 2 3.10.5: control and manage physical access devices.

System and Communications Protection (SC)

At Level 1, the System and Communications Protection (SC) domain is about the network boundary: knowing where your network meets the internet and other outside networks, controlling and monitoring what crosses that boundary, and keeping anything that must be reachable from outside (a web server, an SFTP drop) on a segment separate from the internal network where FCI is processed. Encrypting communications is not a Level 1 requirement; it appears at Level 2.

CMMC Level 1 SC practices:

  • SC.1.175 - aligns to NIST SP 800-171 Rev 2 3.13.1: monitor, control, and protect communications (information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems.

  • SC.1.176 - aligns to NIST SP 800-171 Rev 2 3.13.5: implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
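One practical way to check SC.1.175 and SC.1.176 together is to compare the address plan, the host inventory and the edge firewall's inbound allow rules: every publicly reachable component should sit on the DMZ, and no external source should be allowed straight into an internal subnet. The script below is an added example (not from this post, the CMMC-AB or NIST) of that check. The DMZ and internal subnets, the host names, and the firewall rules are all constructed for the example; a real run would pull them from your IPAM and firewall export.

```python
"""Boundary and segmentation check for SC.1.175 / SC.1.176 (NIST SP 800-171 3.13.1, 3.13.5).

Given the subnets that make up the DMZ and the internal network, a host
inventory that marks which hosts offer publicly accessible services, and the
edge firewall's inbound allow rules, reports anything that breaks the
"public components on their own segment" model.  Subnets, hosts and rules
below are constructed for this example.
"""
import ipaddress

# Constructed address plan: DMZ for public-facing components, internal LANs for FCI.
DMZ_SUBNETS = [ipaddress.ip_network("10.10.99.0/24")]
INTERNAL_SUBNETS = [ipaddress.ip_network("10.20.0.0/16"), ipaddress.ip_network("10.21.0.0/16")]

# Constructed inventory (name, address, whether the host serves the public).
HOSTS = [
    {"name": "www1", "ip": "10.10.99.10", "public": True},
    {"name": "sftp1", "ip": "10.20.5.40", "public": True},   # public service on an internal LAN
    {"name": "fileserver", "ip": "10.20.1.10", "public": False},
    {"name": "hr-db", "ip": "10.21.3.7", "public": False},
]

# Constructed inbound allow rules on the edge firewall: (source, destination, port).
EDGE_RULES = [
    ("0.0.0.0/0", "10.10.99.10/32", 443),       # internet -> DMZ web server: expected
    ("0.0.0.0/0", "10.20.5.40/32", 22),         # internet -> internal LAN host
    ("198.51.100.0/24", "10.21.3.7/32", 1433),  # partner range straight to the HR database
    ("10.10.99.0/24", "10.20.1.10/32", 445),    # DMZ -> internal SMB: a key internal boundary
]


def zone_of(target, dmz=None, internal=None):
    """Classify an address or CIDR as 'dmz', 'internal' or 'external'."""
    dmz = DMZ_SUBNETS if dmz is None else dmz
    internal = INTERNAL_SUBNETS if internal is None else internal
    net = ipaddress.ip_network(target, strict=False)
    if any(net.version == z.version and net.subnet_of(z) for z in dmz):
        return "dmz"
    if any(net.version == z.version and net.subnet_of(z) for z in internal):
        return "internal"
    return "external"  # includes 0.0.0.0/0, which no single subnet contains


def check_segmentation(hosts, rules, dmz=None, internal=None):
    """Return a list of (severity, subject, reason) findings."""
    findings = []

    # 3.13.5: every publicly accessible component belongs on a DMZ subnet
    for host in hosts:
        zone = zone_of(host["ip"], dmz, internal)
        if host["public"] and zone != "dmz":
            findings.append(("high", host["name"], f"public host sits on {zone} network, not the DMZ"))
        elif not host["public"] and zone == "dmz":
            findings.append(("medium", host["name"], "internal-only host placed in the DMZ"))

    # 3.13.1: external sources may only reach the DMZ; DMZ-to-internal rules need review
    for src, dst, port in rules:
        src_zone = zone_of(src, dmz, internal)
        dst_zone = zone_of(dst, dmz, internal)
        subject = f"{src} -> {dst}:{port}"
        if src_zone == "external" and dst_zone == "internal":
            findings.append(("high", subject, "external source allowed directly into internal network"))
        elif src_zone == "dmz" and dst_zone == "internal":
            findings.append(("medium", subject, "DMZ-to-internal rule crosses a key internal boundary; document the business need"))
    return findings


if __name__ == "__main__":
    for severity, subject, reason in check_segmentation(HOSTS, EDGE_RULES):
        print(f"[{severity:6}] {subject}: {reason}")
```

On the constructed data it reports the SFTP host that was stood up on the internal LAN, the two rules that let outside sources into internal subnets, and the DMZ-to-internal SMB rule as a boundary crossing that needs a documented justification rather than an automatic failure. The partner-range rule is worth noting: a narrow source does not make a rule acceptable under 3.13.5 if its destination is an internal system holding FCI.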

System and Information Integrity (SI)

The last domain required of Level 1 contractors is System and Information Integrity (SI). It covers the ongoing upkeep of the systems themselves: finding and fixing flaws (patching), keeping malware protection in place at the points where malicious code enters (endpoints, email gateways, file servers), keeping that protection's signatures current, and scanning both on a schedule and in real time as files arrive from outside.

CMMC Level 1 contractors must adhere to the following SI practices:

  • SI.1.210 - aligns to NIST SP 800-171 Rev 2 3.14.1: identify, report, and correct system flaws in a timely manner.

  • SI.1.211 - aligns to NIST SP 800-171 Rev 2 3.14.2: provide protection from malicious code at designated locations within organizational systems.

  • SI.1.212 - aligns to NIST SP 800-171 Rev 2 3.14.4: update malicious code protection mechanisms when new releases are available.

  • SI.1.213 - aligns to NIST SP 800-171 Rev 2 3.14.5: perform periodic scans of organizational systems and real-time scans of files from external sources as files are downloaded, opened, or executed.

Conclusion

The introduction of CMMC 2.0 raised a lot of eyebrows as it was a substantial shift from the ambitious goals outlined in the original CMMC Model.

Many companies that had planned on achieving Maturity Level 1 breathed a collective sigh of relief that they can continue to self-attest to the cybersecurity requirements listed in 48 CFR 52.204-21.

Given the DOJ's renewed focus on cybersecurity enforcement, defense industrial base companies that haven't already done so should implement the Level 1 practices and document their evidence of compliance.