Just what is the Cybersecurity Maturity Model Certification (CMMC), and how can you make sure you can meet it? See exactly how ARIA Cybersecurity Solutions’ track record in providing solutions to achieve compliance with GDPR, HIPAA, and other data privacy regulations now puts us in a unique position to meet the CMMC requirements.
What is the Cybersecurity Maturity Model Certification (CMMC), and How Can You Make Sure You’re in Compliance?
One thing is clear: Cybersecurity threat risk will continue to get worse, not better. This trend (and realization) led the Department of Defense (DoD) to create the Cybersecurity Maturity Model Certification (CMMC) and now make it a requirement for defense contractors and other vendors performing work for the DoD and other federal agencies.
The main objective of the Cybersecurity Maturity Model Certification is to protect controlled unclassified information (CUI) within the entirety of the defense industrial base (DIB) of vendors. In this case, the DoD defines CUI as any information the government creates or possesses, or that another entity creates or possesses on its behalf. This can include things such as infrastructure, export controls, or financial, intelligence, legal, or other information and data.
Five levels of CMMC compliance
The DoD has defined five levels of CMMC compliance, ranging from basic hygiene to advanced security, each with its own set of supporting practices and processes. To meet a specific level’s requirements, a contractor must first meet the practices and processes of the level(s) that proceed it, which creates a demanding “all or nothing” approach to complying with all five levels.
The DoD has released the following descriptions of each of the five levels.
- Level 1: Safeguard federal contract information (FCI).
- Level 2: Serve as a transition step in cybersecurity maturity progression to protect CUI.
- Level 3: Protect CUI data.
- Level 4: Provide advanced and sophisticated cybersecurity practices.
- Level 5: Protect CUI and reduce the risk of advanced persistent threats (APTs).
Note: The previous descriptions are only a high-level summary of what is required in each step. There is much more detail in each of the five CMCC steps, which we will cover in additional blogs and material.
CMMC compliance starts as early as fall 2020
Beginning in the fall of 2020, clear demonstration of CMMC compliance will be mandatory for any newly awarded contracts to any DIB vendor, including primary vendors as well as subcontractors (this means any organization that handles CUI that on behalf of the primary vendor including infrastructure, export controls, or financial, intelligence, legal, or other information and data). The Cybersecurity Maturity Model Certification framework is essentially a mix of practices, processes, and approaches that are intended to standardize the assessment of a DIB vendors’ capabilities.
When you look at the five maturity levels described above, you’ll see that they actually categorize all of this information into 17 separate domains, which in turn, cover 43 different capabilities. Think of it as drilling down and becoming more specific as you move from the 17 domains to the 43 capabilities.
For example, a domain might include an area such as “access control” or “systems and communication protection,” yet a capability might be a requirement such as “control remote system access” or “control communications at system boundaries.”
It is important to note that companies don’t necessarily have to demonstrate that they can address all 43 capabilities. They only have to show they have the various capabilities for the particular maturity level sought.
But wait; there’s more. Then there are 173 “practices”—technical activities required within any given capability requirement. Finally, there are nine processes designed to measure the maturity of the organization’s cybersecurity procedures and are mapped against all five CMCC levels
Path to compliance
While the CMMC requirement kicks in in 2020, all DoD suppliers have until 2025 to prove certification. Unlike the NIST 800-171, where a self-assessment was adequate, Cybersecurity Maturity Model Certification is dependent upon an audit by a third-party assessing organization (3PAO) However, since the NIST framework is the basis for the CMMC requirement, organizations that have planned for NIST adherence are ahead of the game.
Becoming CMMC certified is not an easy feat. The timeline between application and certification is at least six months. The average ongoing cost of CMMC compliance is estimated to be $3,000 per employee per year with an initial one-time implementation cost of $500-$1,000 per employee.
It is important to conduct an assessment of the business and what (or if) CUI is part of the equation as the Cybersecurity Maturity Model Certification states that contractors can choose to “achieve a specific level for its entire enterprise network or for particular segments where the information to be protected is handled and stored.” If it is possible to minimize the systems that store, process, or transmit CUI data, contractors will be able to minimize the attack services as well as reduce the overall costs of compliance.
ARIA streamlines solution and processes complexity
ARIA SDS solutions provide a unique approach to cybersecurity protection that encompasses all of these capabilities and more in one platform.
The ARIA Advanced Detection and Response (ADR) solution is a single platform approach for enterprise-wide automated threat detection and containment. This “SOC-in-a-box” gives organizations all the benefits of a full SOC as a fraction of the cost. It provides complete visibility into all parts of the network, where other security solutions are limited or completely blind. This increased network visibility is critical to find the most harmful threats faster and earlier in the attack lifecycle before significant damage can be done.
ARIA ADR also helps IT and security teams find cyber-threats quickly and accurately, by ingesting the comprehensive analytics generated from alerts, logs, and threat intelligence. Using artificial intelligence, ARIA ADR feeds this data through machine learning-based, predefined threat models.
These models can identify the behaviors associated with the most harmful threats and enable the solution to automatically and quickly identify, and stop, all types of suspicious activities and correlate them to accurately produce valid alerts.
The ARIA Packet Intelligence (PI) application is integrated with the ARIA ADR solution, yet it can also run independently to improve the performance and effectiveness of existing security tools like SIEMs or SOARs. The application deploys transparently in the network and detects and monitors all IoT devices by looking through the network data as it flows through each device.
The application classifies this data and generates NetFlow metadata for all packet traffic, which can be directed to existing security tools like SIEMs. All of this happens on the fly without impacting delivery to allow the monitoring of various IoT devices in network aggregation points that are usually one step back in the wireline network.
By feeding this steady stream of analytics to SIEMs and applying advanced rules, the ARIA PI application allows these systems to detect the presence of network-borne threats as they become active. With this capability these threats are typically missed as the internal network is not monitored.
To learn more about our compliance solutions, please visit our compliance site, and stay tuned for more information related to CMMC in the future.
About ARIA Cybersecurity Solutions
ARIA Cybersecurity Solutions recognizes that better, stronger, more effective cybersecurity starts with a smarter approach. Our solutions provide new ways to monitor all internal network traffic, while capturing and feeding the right data to existing security tools to improve threat detection and surgically disrupt intrusions. Customers in a range of industries rely on our solutions each and every day to accelerate incident response, automate breach detection, and protect their most critical assets and applications. With a proven track record supporting the Department of Defense and many intelligence agencies in their war on terror, and an award-winning portfolio of security solutions, ARIA Cybersecurity Solutions is committed to leading the way in cybersecurity success.