CMMC Demystified

Update as of January 2024

The latest proposed CMMC rule changes were released December 26, 2023.

CMMC requirements will start appearing in contracts in March 2025, not May 2023 as previously anticipated.

CMMC requirements will continue rolling out to contracts between March 2025 through March 2026.

Only 53 C3PAO firms have been authorized to perform CMMC assessments as of January 17, 2024, but roughly 80,000 organizations will require CMMC assessments. More C3PAO firms are being added, but this limitation will be a bottleneck for firms that wait until the last minute to begin their CMMC compliance journey.

The time to start preparing for CMMC was yesterday, but today is better than tomorrow.

Manufacturers who sell to the Department of Defense and larger DoD contractors will soon be required to comply with CMMC or else they will lose federal government contracts. The CMMC model was recently updated to better protect controlled unclassified information (CUI) that’s stored or created by private companies like manufacturers. CMMC is a response to concerns that criminal actors or hostile nation-states could steal CUI from an unprotected manufacturer and use the data to exploit weaknesses in our country’s defense systems.

CUI is an umbrella term used to identify data that is not classified but requires protection. Some examples include:

  • Personally Identifiable Information (PII)
  • Sensitive Personally Identifiable Information (SPII)
  • Proprietary Business Information (PBI)
  • Confidential Business Information (CBI)
  • Unclassified Controlled Technical Information (UCTI)
  • Sensitive but Unclassified (SBU)
  • For Official Use Only (FOUO)
  • Law Enforcement Sensitive (LES)
  • And more…

If you store CUI on your computer systems, your organization must comply with CMMC by May 2023, by order of the federal government, to win DoD contracts. Full implementation of CMMC is a roughly two-year phased approach, prioritizing the most sensitive DoD contracts. It’s unknown which DoD contracts will require CMMC compliance first or at what level, but you can probably make a few educated guesses with this information.

  • Level 1 is “Foundational” CMMC and requires 17 checkboxes. It’s completed via self-assessment.
  • Level 2 is “Advanced” CMMC. It aligns with the existing NIST 800-171 standard and requires 110 checkboxes. In most cases it requires a third-party assessment.
  • Level 3 is “Expert” CMMC, requiring over 110 checkboxes based on NIST 800-172. It can only be achieved through a federal government assessment.

CMMC Level 2 is expected to be widely required for DoD manufacturers and contractors by 2025. Its 110 checkboxes follow the NIST 800-171 requirements, which are organized into 14 groups. NIST 800-171 was initially required in 2017, so it’s a standard that security professionals understand relatively well. The checklist items must be implemented and enforced. To give you an idea of what the 110 checklist items contain, the 14 groups are:

1. Access Control

Devices automatically lock after a period of inactivity, excessive unauthorized login attempts are blocked, data is encrypted in transit and at rest, and access control follows the principle of least privilege, meaning accounts are given no more authorization than necessary to perform required functions.

2. Awareness and Training

Everyone is trained on, and assessed for awareness of, security risks and the related cybersecurity procedures, and appropriate employees are trained to fill security-related roles.

3. Audit and Accountability

Event logs are recorded, analyzed, and audited to observe cybersecurity incidents. SNAP-Defense works well for this.

4. Configuration Management

Device access is limited. Approved devices restrict unauthorized software and accessories and are kept up-to-date on available security patches.

5. Identification and Authentication

Multifactor authentication and password policies are enabled and enforced.

6. Incident Response

Capabilities for cybersecurity event detection, analysis, containment, recovery, and response must be present. Typically this requires a Security Operations Center (SOC) service, which is included in SNAP-Defense.

7. Maintenance

Ensure maintenance is formally scheduled and performed by authorized parties.

8. Media Protection

Storage containing CUI is marked, secured, and securely wiped.

9. Personnel Security

Make sure HR and IT are in sync on active and terminated employees, and that people with access to CUI pass appropriate background checks.

10. Physical Protection

Physical access to sensitive devices and areas is limited to authorized personnel.

11. Risk Assessment

Conduct routine vulnerability scans and correct problems.

12. Security Assessment

Conduct routine penetration tests, audit logs for computer system misuse, and correct problems.

13. System and Communications Protection

Block “shadow-IT” by prohibiting unauthorized remote control of systems and data uploads to other systems.

14. System and Information Integrity

Install the latest critical security patches on all devices within five days of release. Scan for traditional malware, unusual patterns of activity, and evidence of breach with next-generation antivirus services like EDR and MDR. MDR is included with SNAP-Defense.
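Several of the groups above describe checks that can be measured directly from an asset inventory: encryption at rest and inactivity locks (Access Control), log forwarding (Audit and Accountability), MFA (Identification and Authentication), and the five-day patch window (System and Information Integrity). The script below is an added example, not code from the original page or from Pegasus Technologies: it evaluates a constructed inventory against those checks and emits one POA&M-style line per gap. The five-day patch window comes from the text above; the 15-minute lock timeout and five-attempt lockout threshold are assumptions chosen for the example, and the host records and dates are constructed.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Thresholds. The five-day patch window is the one stated on the page; the
# screen-lock timeout and failed-login lockout values are assumptions chosen
# for this example, not values CMMC or NIST 800-171 prescribe.
PATCH_WINDOW_DAYS = 5
MAX_LOCK_TIMEOUT_MIN = 15
MAX_FAILED_LOGINS = 5

# Constructed "today" so the sample run is reproducible offline.
TODAY = date(2024, 1, 20)


@dataclass
class Host:
    """One row of a (constructed) asset inventory export."""
    name: str
    holds_cui: bool
    disk_encrypted: bool
    mfa_enabled: bool
    lock_timeout_min: int              # 0 means the device never auto-locks
    failed_login_lockout: int          # attempts before lockout; 0 means no lockout
    logs_forwarded: bool               # event logs shipped to central logging / SOC
    critical_patch_released: date      # release date of the latest critical patch
    patched_on: Optional[date]         # None means the patch is not yet applied


@dataclass(frozen=True)
class Finding:
    host: str
    domain: str      # the NIST 800-171 family name as listed above
    detail: str


def check_host(h: Host, today: date = TODAY) -> List[Finding]:
    """Evaluate one host against a subset of the controls described above."""
    f: List[Finding] = []
    if h.holds_cui and not h.disk_encrypted:
        f.append(Finding(h.name, "Access Control", "CUI stored without encryption at rest"))
    if h.lock_timeout_min == 0 or h.lock_timeout_min > MAX_LOCK_TIMEOUT_MIN:
        f.append(Finding(h.name, "Access Control",
                         f"inactivity lock is {h.lock_timeout_min} min (max {MAX_LOCK_TIMEOUT_MIN})"))
    if h.failed_login_lockout == 0 or h.failed_login_lockout > MAX_FAILED_LOGINS:
        f.append(Finding(h.name, "Access Control",
                         f"failed-login lockout is {h.failed_login_lockout} attempts (max {MAX_FAILED_LOGINS})"))
    if not h.mfa_enabled:
        f.append(Finding(h.name, "Identification and Authentication",
                         "multifactor authentication not enforced"))
    if not h.logs_forwarded:
        f.append(Finding(h.name, "Audit and Accountability", "event logs not forwarded for analysis"))
    # Patch age runs from release to application. An unapplied patch is measured
    # against today and only becomes a finding once the window has passed.
    applied = h.patched_on if h.patched_on is not None else today
    age = (applied - h.critical_patch_released).days
    if age > PATCH_WINDOW_DAYS:
        state = "applied" if h.patched_on else "still missing"
        f.append(Finding(h.name, "System and Information Integrity",
                         f"critical patch {state} after {age} days (window {PATCH_WINDOW_DAYS})"))
    return f


def assess(hosts: List[Host], today: date = TODAY) -> Dict[str, List[Finding]]:
    """Check every host and group the findings by control family for the POA&M."""
    grouped: Dict[str, List[Finding]] = {}
    for h in hosts:
        for finding in check_host(h, today):
            grouped.setdefault(finding.domain, []).append(finding)
    return grouped


def poam_lines(grouped: Dict[str, List[Finding]]) -> List[str]:
    """Render findings as one POA&M line item per gap, ordered by family."""
    return [f"[{domain}] {x.host}: {x.detail}"
            for domain in sorted(grouped) for x in grouped[domain]]


# Constructed inventory: one compliant host, one with several gaps, one patched late.
SAMPLE_HOSTS = [
    Host("eng-ws-01", True, True, True, 10, 5, True, date(2024, 1, 10), date(2024, 1, 13)),
    Host("shop-pc-07", True, False, False, 0, 0, False, date(2024, 1, 10), None),
    Host("cad-ws-03", True, True, True, 15, 3, True, date(2024, 1, 5), date(2024, 1, 12)),
]

if __name__ == "__main__":
    for line in poam_lines(assess(SAMPLE_HOSTS)):
        print(line)
```

Run as-is, the script lists seven gaps: six on the shop-floor PC and one late patch on the CAD workstation. In practice the `Host` rows would be filled from an inventory or MDM export rather than typed in, and each emitted line is the kind of item that goes into the POA&M with an owner and a target date.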

Compliance is more than a simple implementation of security technologies. It also requires secure operating procedures and a compliance documentation package. Required documentation includes a System Security Plan (SSP) and its associated policies and procedures, as well as a Plan of Action and Milestones (POA&M). The entire compliance journey typically takes 9-12 months, not including the actual assessment.

Note that as of October 2022, only 30 firms were certified to complete the third-party assessment, so even after readiness is achieved, there is currently a backlog of companies waiting for audits.

After full compliance is certified, an ongoing maintenance phase must be present that includes annual risk assessments, penetration tests, vulnerability assessments, and updates to the SSP and other relevant compliance documentation.

Certification is typically good for three years, assuming ongoing maintenance is completed.

The reality is that even if the DoD contracts a manufacturer works on today do not require CMMC compliance, adhering to NIST 800-171 standards drastically increases the effectiveness of an organization’s cybersecurity defense systems and paves the way for future compliance should a contract require CMMC in the coming years. Because achieving full compliance is not an overnight process, there are many reasons to start the CMMC journey today and take advantage of the superior cyberdefenses NIST 800-171 provides against ransomware, insider threats, and cybercriminals. Manufacturers need all the help they can get to preserve their efficiency and reputation, and we stand ready to assist.

Contact us today to discuss how Pegasus can help your organization continue to win DoD manufacturing contracts after CMMC requirements are enforced in May 2023 and beyond.