How to Become CMMC Certified
The method to become certified varies based on the level of CMMC you need to meet. The big distinction is whether you are protecting Federal Contract Information (FCI) or Controlled Unclassified Information (CUI).
FCI is information, not intended for public release, that the US government provides under a contract to develop or deliver a product or service to the government. It does not include information the government has made publicly available, such as information posted on websites.
CUI is information the US government creates or possesses that a law, regulation, or government-side policy requires or permits an agency to handle using safeguarding or dissemination controls.
CUI is defined as information created by the government, or by an entity on behalf of the government, that is unclassified but needs safeguarding. CUI is information that is sensitive and relevant to the interests of the US and potentially its national security, but not strictly regulated by the federal government. This is information that may reside on your company’s internal systems.
If you are a prime contractor (or a subcontractor), you may be logging into a portal and downloading information (such as a mechanical drawing) that is then stored on your internal systems. You may also see CUI referred to as “Covered Defense Information” — not to be confused with “Controlled Technical Information.”
CUI is unclassified information that is stored on “Covered Contractor Information Systems,” a term that refers to an unclassified information system that is owned by, or operated by or for, a contractor and that processes, stores, or transmits covered defense information.
See “covered contractor information system” as that term is defined in DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, paragraph (a), and in DFARS 252.204-7012(b)(2)(ii)(B).
NIST 800-171 and CMMC provide a set of guidelines that outline the processes and procedures companies need to implement in order to achieve compliance with the controls around CUI. In working with several DoD contractors, Corserva has also seen this information referred to as Covered Defense Information (CDI), formerly described as “unclassified Information which is collected, developed, received, transmitted, used, or stored by or on behalf of the contractor.”
Examples of CUI include email, electronic files, blueprints, drawings, proprietary company or contractor information (such as sales orders and contracts), and physical records (such as printouts). It is important to understand that CUI security requirements are not restricted to digital files; CUI can include paper copies, which are specifically referred to as “printed from an information system which processes or stores electronic files transmitted or stored on servers, desktops, laptops, mobile devices, etc.”
Let’s say that during fulfillment of a federal contract, you receive an email with attached files from the agency with which you are doing business. That information (which is CUI) now resides on your company’s email system (potentially on that workstation’s hard drive) and must be protected. Likewise, if you develop proprietary information for the DoD or for a prime contractor, that information must be protected. If you receive printouts through the mail or by courier service, that information must be protected.
When evaluating compliance with CMMC (or NIST 800-171), the systems typically in scope are end user workstations and laptops, servers, storage devices, and network devices such as routers, firewalls, switches, wireless access points (WAPs), and printers. Physical security may also need to be addressed.
CMMC levels are based on the security criticality of the information you receive when performing under a contract. Level 2 compliance is harder to meet than Level 1 compliance, and Level 3 compliance is harder to meet than Level 2.
(Source: Acquisition & Sustainment, Office of the Under Secretary of Defense, https://www.acq.osd.mil/cmmc/about-us.html)
CMMC Level 1 – Foundational
CMMC Level 1 compliance requires an annual self-assessment.
To meet CMMC Level 1, you must comply with the following 17 cybersecurity best practices:
- Domain: Access Control (AC), AC.1.001 – Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
- Domain: Access Control (AC), AC.1.002 – Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
- Domain: Access Control (AC), AC.1.003 – Verify and control/limit connections to and use of external information systems.
- Domain: Access Control (AC), AC.1.004 – Control information posted or processed on publicly accessible information systems.
- Domain: Identification and Authentication (IA), IA.1.076 – Identify information system users, processes acting on behalf of users, or devices.
- Domain: Identification and Authentication (IA), IA.1.077 – Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
- Domain: Media Protection (MP), MP.1.118 – Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.
- Domain: Physical Protection (PE), PE.1.131 – Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
- Domain: Physical Protection (PE), PE.1.132 – Escort visitors and monitor visitor activity.
- Domain: Physical Protection (PE), PE.1.133 – Maintain audit logs of physical access.
- Domain: Physical Protection (PE), PE.1.134 – Control and manage physical access devices.
- Domain: System and Communications Protection (SC), SC.1.175 – Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
- Domain: System and Communications Protection (SC), SC.1.176 – Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
- Domain: System and Information Integrity (SI), SI.1.210 – Identify, report, and correct information and information system flaws in a timely manner.
- Domain: System and Information Integrity (SI), SI.1.211 – Provide protection from malicious code at appropriate locations within organizational information systems.
- Domain: System and Information Integrity (SI), SI.1.212 – Update malicious code protection mechanisms when new releases are available.
- Domain: System and Information Integrity (SI), SI.1.213 – Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.
Level 1 companies are protecting FCI, not CUI, and can self-certify. Many small businesses in the Defense Industrial Base (DIB) will only need to meet Level 1 of CMMC.
To meet CMMC Level 1, you upload your assessment into the DoD Supplier Performance Risk System (SPRS) annually. Only senior company officials (CEO, CFO, etc.) can make the CMMC Level 1 attestation to SPRS.
Corserva can assess your compliance with the 17 controls and guide you in submitting your assessment results to the government.
CMMC Level 2 – Advanced
CMMC Level 2 compliance requires either an annual self-assessment or an outside assessment performed every three years.
- Level 2 contractors who do not handle information deemed critical to national security will be able to perform annual self-assessments.
- Level 2 contractors managing information critical to national security will be required to undergo third-party assessments every three years.
The CMMC Accreditation Body (CMMC-AB) has stipulated that companies requiring an outside assessment will need to work with an accredited and independent third-party organization to perform a CMMC assessment. An assessment organization is called a “CMMC Third Party Assessment Organization” or C3PAO. A C3PAO is trained and accredited to perform CMMC assessments and can be found on the website of the CMMC-AB.
To meet CMMC Level 2, you must follow the 110 best practices identified in NIST SP 800-171.
Under certain limited circumstances, the DoD will allow the use of POA&Ms to achieve certification.
Companies that can self-certify will be able to use POA&Ms as an acceptable form of remediation for certain CMMC practices. POA&Ms will not be allowed for the highest-weighted requirements of CMMC.
You write POA&Ms (Plans of Action and Milestones) to document the controls with which you do not currently comply and how you plan to close those gaps in the future.
If you take the correct approach when developing a POA&M, it can be a valuable tool for improving the company's security posture. Just don't fall into the trap of using a POA&M as a checkmark for compliance. Rather than a procrastination step, your POA&M should be a roadmap to compliance, clearly outlining the steps you plan to take to fully meet each requirement.
In addition to POA&Ms, System Security Plans (SSP) can also be helpful on the path to a stronger security posture.
Corserva can create POA&Ms and SSPs for you, as well as perform NIST 800-171 assessments.
A CMMC Third Party Assessment Organization (C3PAO) is licensed by the CMMC Accreditation Body (CMMC-AB) to perform CMMC assessments. Only those companies listed as C3PAOs on the CMMC-AB Marketplace are authorized to perform C3PAO assessments.
Within the CMMC-AB Marketplace, note the distinction between an "Authorized C3PAO" and a "C3PAO Candidate." Only companies that are Authorized C3PAOs can perform CMMC assessments. A C3PAO Candidate has begun the process of applying to become a C3PAO but has not yet completed the process.
Level 2 companies requiring a C3PAO assessment can comply with CMMC as follows:
- Prepare for your CMMC assessment by performing a self-assessment or working with a partner. Corserva's CMMC expert advisors can help you with audit preparation.
- Visit the CMMC-AB Marketplace to research potential C3PAOs. Only C3PAOs listed on the CMMC-AB Marketplace are authorized by the CMMC-AB to perform assessments.
- Hire a C3PAO to perform a CMMC assessment for you.
- The C3PAO will create an assessment report and, if there are no deficiencies, issue a CMMC certificate.
- The C3PAO will submit a copy of the assessment report and the CMMC certificate to the DoD. The certificate is valid for three years. This final step completes the requirement for CMMC compliance.
CMMC Level 3 – Expert
CMMC Level 3 compliance requires a government-led assessment every three years.
To meet CMMC Level 3, the company must meet more than 110 best practices based on NIST SP 800-172.