The Ultimate Guide to CMMC

The Cybersecurity Maturity Model Certification program is a verification mechanism designed to ensure all Defense Industrial Base (DIB) companies implement adequate cybersecurity practices. Based on the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, the CMMC framework unifies all DIB contractors under one certifiable security standard.

In short, all Department of Defense (DoD) mission partners are required to adopt the same set of security controls, depending on certain variables. Regardless, any government contractor bidding on a DoD contract must obtain a CMMC certification, thereby verifying they’ve fulfilled their requirements.

Why was CMMC created?

In October 2016, the DoD issued the Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012 — titled “Safeguarding Covered Defense Information and Cyber Incident Reporting.” Under this regulation, defense contractors were only required to self-attest their own cybersecurity maturity.

However, auditing was often inaccurate and rarely conducted, resulting in inconsistent compliance. In turn, DoD agencies didn’t have assurance that their mission partners were taking all necessary steps to protect government assets.

In an effort to migrate away from this self-attestation model, the DoD unveiled CMMC in 2019. It began incorporating CMMC standards into DoD contract requirements in November 2020.

Why is CMMC compliance important?

The purpose of the CMMC framework is to protect government information from unauthorized access and exposure. More specifically, it mandates practices for securing two types of data:

1. Controlled Unclassified Information (CUI): Controlled Unclassified Information is any data that doesn’t carry classified status but still needs to be safeguarded due to particular government policies and ordinances. CUI can pertain to critical infrastructure, financial records, national defense, and other sensitive areas.
2. Federal Contract Information (FCI): By contrast, FCI is information provided by or generated for the U.S. government under contract that hasn’t been marked for public release. Although not as sensitive as CUI, Federal Contract Information must still be strictly protected.

With a growing swarm of cyberattacks targeting government agencies, CMMC compliance has become vital. State-sponsored hacks can be especially costly, ringing in an average cost of $4.43 million per breach. Worse yet, given the nature of government data, these attacks can jeopardize U.S. interests — including national security.

What are the benefits of gaining a CMMC certification?

Defense contractors have every reason to comply with CMMC requirements. Not only is it mandatory for all mission partners, but it’s also a competitive business advantage. For instance, earning a CMMC certification can:

• Help you bid on DoD contracts
• Provide a high level of assurance to agency customers
• Strengthen your cyber resilience and minimize risk exposure

What’s CMMC 2.0?

The DoD announced plans to update and simplify the CMMC framework in November 2021. The aim was to make it easier for contractors to implement and comply with CMMC standards while streamlining the certification process.

It consolidated its framework into a more uniform, comprehensive, and easily understandable rendition: CMMC version 2.0. Looking ahead, the DoD will require at least some level of CMMC certification to qualify for a contract award by October 1, 2025.

CMMC organizes its requirements using a tiered system. Whereas the original version contained five independent levels, CMMC 2.0 simplified the framework down to three.

They’re aligned based on how contractors (and subcontractors) handle FCI and CUI. Generally, the more sensitive information you process, the more stringent your compliance requirements.

As such, each level has its own processes, practices, and assessment procedures and builds upon the previous.

1. CMMC Level 1 (Foundational): 17 practices verified through self-assessment.
2. CMMC Level 2 (Advanced): 110 practices aligned with NIST SP 800-171, verified by a triannual third-party security assessment.
3. CMMC Level 3 (Expert): 110+ practices based on NIST SP 800-172, verified through a triannual government-led security assessment.

CMMC also breaks down specific cybersecurity practices into 14 domains with 43 capabilities. In this context, the term “capabilities” refers to the security controls a DoD contractor must implement and manage depending on their corresponding level. The CMMC domains include:

1. Access Control
2. Audit and Accountability
3. Awareness and Training
4. Configuration Management
5. Identification and Authentication
6. Incident Response
7. Maintenance
8. Media Protection
9. Personnel Security
10. Physical Protection
11. Risk Assessment
12. Security Assessment
13. System and Communications Protection
14. System and Information Integrity

Entrust provides solutions to facilitate compliance with the following 9 CMMC domains:

CMMC Domain

CMMC DomainAccess Control (AC)

CMMC DomainAudit and Accountability (AU)

CMMC DomainConfiguration Management (CM)

CMMC DomainIdentification and Authentication (IA)

CMMC DomainMaintenance (MA)

CMMC DomainMedia Protection (MP)

CMMC DomainPhysical Protection (PE)

CMMC DomainSystem and Communication Protection (SC)

CMMC DomainSystem and Information Integrity (SI)

Capability

Access Control (AC)

• Establish system access requirements
• Control internal system access
• Control remote system access
• Limit data access to authorized users and processes

Audit and Accountability (AU)

• Define audit requirements
• Perform auditing
• Identify and protect audit information
• Review and manage audit logs

Configuration Management (CM)

• Establish configuration baselines
• Perform configuration and change management

Identification and Authentication (IA)

• Grant access to authenticated entities

Maintenance (MA)

• Manage maintenance

Media Protection (MP)

• Identify and mark media
• Protect and control media
• Sanitize media
• Protect media during transport

Physical Protection (PE)

• Limit physical access

System and Communication Protection (SC)

• Define security requirements for systems and communications
• Control communications at system boundaries

System and Information Integrity (SI)

• Identify and manage information system flaws
• Identify malicious content
• Perform network and system monitoring
• Implement advanced email protection

Entrust Supports

Access Control (AC)

Audit and Accountability (AU)

Configuration Management (CM)

Identification and Authentication (IA)

Maintenance (MA)

Media Protection (MP)

Physical Protection (PE)

System and Communication Protection (SC)

System and Information Integrity (SI)

The CMMC assessment process is rigorous by design. Starting your compliance journey can be daunting, but with a well-planned checklist you can take it one step at a time.

Let’s review each one to help you get started:

1. Determine your CMMC level: Your minimum cybersecurity maturity level depends on how you handle FCI and CUI. Take inventory of your systems, networks, and processes to identify exactly where and how you come in contact with this data.
2. Complete a self-assessment: Conduct a CMMC gap analysis to detect vulnerabilities or areas of improvement that aren’t aligned with best practices.
3. Build a system security plan (SSP): SSPs are required for CMMC certification. They map your security landscape and control capabilities, allowing you to identify your environment’s boundaries, where it connects to other systems, and how well you execute certain requirements.
4. Invest in future-ready tools: You’ll likely discover gaps in your cybersecurity posture. Be prepared to deploy additional solutions to cover the bases and satisfy your CMMC compliance requirements.
5. Engage a third-party auditor: The CMMC audit must be completed by a Registered Practitioner, Registered Provider Organization, or Third-Party Assessment Organization (3PAO).
6. Maintain compliance: Once certified, you must implement continuous monitoring to identify gaps as they arise and ensure security controls continue to operate as intended.

Simplify compliance with Entrust solutions

Compliance is mandatory if you’re a DoD contractor. Unfortunately, that doesn’t mean it’s easy.

However, there are ways you can simplify the process, harden your defenses, and achieve and maintain a CMMC certification. With Entrust as your expert partner, you can deploy a portfolio of solutions that not only get you CMMC-ready, but also help you future-proof security for years to come.

From identity and authentication to media protection, access control, and more, we help you facilitate CMMC domains with ease. Whether it be through Entrust Public Key Infrastructure or Entrust Identity as a Service, you can rest assured you — and your DoD partners — are well-protected.