The Basics of CMMC

January 7, 2022

The content in this blog has been repurposed from our partner, Deltek.

Cybersecurity Maturity Model Certification (CMMC) compliance combines various cybersecurity standards and best practices. The model's creation was supported by the Department of Defense (DoD) and built upon existing regulations, adding a verification component to a compliance regime that had previously been based on trust. The primary objective of CMMC is the protection of sensitive information. The framework's origins lie in two special publications from the National Institute of Standards and Technology (NIST), NIST SP 800-171 and NIST SP 800-53, and in existing regulations such as Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012.

CMMC addresses the protection of FCI and CUI data:

  • Federal Contract Information (FCI) – Information not intended for public release. It is provided by or generated for the government under a contract to develop or deliver a product or service to the government. FCI does not include information provided by the government to the public.
  • Controlled Unclassified Information (CUI) – Information the government creates or possesses, or that an entity creates or possesses for or on behalf of the government, that a law, regulation, or government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.

HOW WILL CMMC IMPACT GOVERNMENT CONTRACTORS?

Most organizations receiving funding from the DoD will need to be certified to qualify for future Department acquisitions, with a potential exception for commercial items. Before CMMC was defined, federal agencies and systems integrators required cloud service providers to meet Federal Information Security Management Act (FISMA) or Department of Defense (DoD) Information Assurance Certification and Accreditation Process (DIACAP) requirements, including auditing of performance.

Achieving Federal Risk and Authorization Management Program (FedRAMP) authorization was the first major shift where the government began to mandate its contractors use cloud technologies for efficiency and cost savings. In addition, it became a requirement to select a cloud provider that is trusted and has been vetted by the government to help keep data secure. Not only was this mandate a major change, but for the first time government contractors now had to prove they were meeting these controls and requirements on a regular basis.

The pairing of the Cloud First Mandate and FedRAMP controls as the building blocks for CMMC compliance provided a real opportunity for government agencies to trust commercial entities to host civilian and even DoD workloads. Government contractors committed to designing, operating and reporting their results on a monthly basis will have the opportunity to achieve authorization. Those who fail to maintain their security and compliance posture could have their authorizations suspended.

UNDERSTANDING CMMC REQUIREMENTS

The CMMC includes 17 capability domains, 43 capabilities, 5 processes across five levels to measure process maturity, and 171 practices across five levels to measure technical capability.

  • Level 1 – Basic cyber hygiene, includes 17 practices and no processes.
  • Level 2 – Intermediate cyber hygiene, includes an additional 55 practices and introduces two processes.
  • Level 3 – Good cyber hygiene, includes an additional 58 practices and an additional process.
  • Level 4 – Proactive, includes an additional 26 practices and an additional process.
  • Level 5 – Advanced/Progressive, includes an additional 15 practices and an additional process.

In 2020, the DoD began implementing requirements for CMMC. All companies that do business with the DoD will have to fully certify their CMMC compliance by October 1, 2025, passing an audit performed by a DoD-accredited auditor.

  • Level 1 is where the DoD expects most firms to be currently, with select practices being documented where required.
  • Level 2 is meant to be a stepping stone to Level 3, where firms get into the practice of documenting each practice involving CUI.
  • Level 3 is a managed state where a policy has been put into place and maintained to cover all activities, with all CUI practices documented.
  • Level 4 is a higher level of cybersecurity for limited incidences of highly sensitive information, where activities are reviewed and measured for effectiveness.
  • Level 5 is the optimized zone, with a tested and standardized, documented approach seen across all applicable organizational units.

IMPORTANT CMMC TERMS YOU NEED TO KNOW

Assessors: Individuals who have successfully completed the background, training and examination requirements as outlined by the CMMC Accreditation Body (AB), and to whom a license has been issued. Assessors are not employed by the CMMC AB and may or may not be employed by the Certified Third Party Assessment Organization (C3PAO).

Certified Third Party Assessment Organization (C3PAO): An entity with which at least two assessors are associated and to which a license has been issued to engage with organizations seeking certification (OSC) to complete their associated CMMC assessment.

CMMC Accreditation Body (AB): The accreditation body that establishes and oversees a qualified, trained and high-fidelity community of assessors that can deliver consistent and informative assessments to participating organizations against a defined set of controls/best practices within the CMMC program.

Organizations Seeking Certification (OSC): The organization that is going through the CMMC assessment process to receive a level of certification for a given environment.

HOW TO GET CMMC CERTIFICATION

Government contractors should consider the following steps for CMMC compliance readiness.

  • Step 1 – Understand the maturity level your firm needs and identify the gaps that could prevent certification
  • Step 2 – Build internal support and buy-in while building a plan to close the certification gaps
  • Step 3 – Formalize processes and controls for documenting compliance
  • Step 4 – Confirm compliance through certification, then maintain and monitor compliance and provide audit support

Leveraging cloud service providers can be a solid strategy for addressing many aspects of CMMC; for instance, the controls implemented in the Deltek Cloud support DFARS 252.204-7012 and NIST SP 800-171 controls, which were adapted to form the basis of the CMMC framework. However, simply moving into the cloud does not automatically make a firm compliant. It does reduce the compliance lift and can help a firm reach certification more quickly and at lower cost.

SELECTING A CLOUD SOLUTION FOR CMMC

Here are 4 key considerations for government contractors when looking at a vendor for a cloud solution:

  1. Does the cloud vendor have a strong government contractor client base?
  2. Can the cloud vendor demonstrate that the practices it will perform on your behalf meet the requirements of National Institute of Standards and Technology (NIST) SP 800-171?
  3. What are the vendor's plans for CMMC, and what level does it aim to achieve? It's important to remember that Level 3 is required to store CUI with that vendor's solution.
  4. Does your vendor have plans to achieve Federal Risk and Authorization Management Program (FedRAMP) certification, or has it already secured it?

HOW DELTEK SUPPORTS GOVERNMENT CONTRACTORS WITH CMMC

The Department of Defense (DoD) has mandated that all government contractors who complete contracts for DoD must be CMMC certified by October 1, 2025. Accordingly, many government contractors are planning ahead, making it a top priority to find a cloud service provider (CSP) that offers a solution that can support their CMMC compliance requirements, as well as NIST mandates, FedRAMP Moderate requirements and ITAR controls.

Deltek is dedicated to protecting user data by ensuring our capabilities meet the constantly changing security landscape. We are continuously making improvements to our suite of products to better support your cyber posture by increasing investments in security, compliance and supporting technologies.

Deltek's cloud solutions provide benefits beyond what a traditional on-premises or hosting solution can provide. Businesses of all sizes can prepare for the ever-changing regulations of CMMC while confidently and securely accessing data within a secure cloud environment that is continuously adjusted to meet the most up-to-date governmental and agency standards.

For more information and support around CMMC, contact us today.