Analyzing Maturity Level 2 Of CMMC: What’s Next?
Cybersecurity is all around us. Not only does it help protect our national secrets, but it also keeps our organizations, our homes and our personal information safe.
There are bad actors everywhere who are looking for ways to do everything from stealing your Social Security number to simply crashing your computer. These imminent threats mean we as business leaders must put extra measures in place to protect the data we gather from our customers and treat it as if it were our own.
We must take the necessary precautions to protect sensitive but unclassified information — known as CUI (controlled unclassified information) — that we receive from our Department of Defense (DoD) customers. The Cybersecurity Maturity Model Certification (CMMC) is something we must anticipate, especially if we want to continue doing business with the DoD.
There are five maturity levels in the CMMC, grading you on a scale from basic cyber hygiene to advanced and progressive cyber hygiene. Each level can be daunting for a company, depending on its size and the resources it must commit to implementation. The CMMC draws from numerous cybersecurity frameworks and laws, including NIST, DFARS, CIS and more. Because the CMMC draws from so many existing source documents, completing a gap analysis between your current cybersecurity posture and where you want to be is feasible.
If you already know NIST 800-171 because you are a current DoD contractor, you can work out what you need to implement. CMMC Maturity Level 2 (ML2) demands well-documented processes to tackle everyday risks and vulnerabilities. Each of the 17 domains consists of various capability statements and practices that also require corresponding policies, plans and procedures.
This is where CMMC really differs from NIST and other previous publications. Without these processes documented, you are not fully complying with the CMMC, which shows that you cannot properly handle the information sent over by DoD customers. There are also a few technical tools that must be implemented to achieve CMMC ML2, including tools to audit logs, identify vulnerabilities and spot malicious activity on the network. This can be a daunting requirement for a company of any type or size.
ML2 also requires the ability to create logs and management tools to track risks throughout the organization. A change control board, a plan of actions and milestones (POA&M), a risk management log and a security assessment log are among the necessary management tools.
These are fairly simple to put together but can be overlooked or implemented incorrectly. Because the CMMC requires these types of documents, it stands out from NIST and other frameworks. Many organizations struggle to implement these requirements, and others do not want to comply with them.
Mitigating vulnerabilities and securing systems are essential cybersecurity practices, but they start to become more and more difficult when you do not want to cut productivity or disable users’ ability to complete tasks. Every practice within the 17 CMMC domains included in ML1 requires some type of organizational change or adoption that requires users to change their work patterns, and ML2 is more challenging than ML1.
Adopting CMMC ML2 will most certainly be difficult for small companies because most contracts will require either ML1 or ML3, which means you will need to implement both ML2 and ML3 to continue performing work for the DoD.
So where is the line drawn? What is the difference if an ML1 company still receives the same amount or type of data that an ML2-certified company would receive? Either way, companies will need to come up with a strategy to implement these tools and techniques as well as maintain some type of infrastructure, whether it be on-premises, in the cloud or a hybrid model.
To create an effective strategy for implementing CMMC, every member must be on board and ready to implement changes throughout the organization. Having an outline that maps each practice goes a long way toward showing the complexity of bringing your systems into compliance. It also gives other members of your organization a road map for completing your ever-changing infrastructure and provides proof of how demanding it could be to implement different tools and techniques.
CMMC requires adoption from every user, not just the IT team, the executive team or the back-office team, so be ready for some change. Finding the tools to implement the solutions is the easy part; it is using the policies and techniques on a day-to-day basis to fulfill the new cybersecurity posture that is the real challenge.