Skip to content
Search
Glossary Listing

What is the Cybersecurity Maturity Model Certification (CMMC)?

What is the Cybersecurity Maturity Model Certification (CMMC)?

The Cybersecurity Maturity Model Certification (CMMC) is a United States Department of Defense (DoD) security framework designed to prevent the exfiltration of Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) from contractors and subcontractors within the Defense Industrial Base (DIB).

The DoD developed the Cybersecurity Maturity Model Certification (CMMC) 2.0 as a dynamic certification program to enhance the DIB cybersecurity posture. The program protects sensitive unclassified information shared by the Department with its contractors and subcontractors. By incorporating cybersecurity requirements into acquisition programs, the CMMC program provides the DoD with assurance that contractors and subcontractors meet these requirements.

The principles of Identity Governance and Administration (IGA) occupy a significant portion of the practice requirements within the CMMC framework. IGA enables a zero-trust model of Identity Governance, ensuring users only have access to what they need, for the time they need it, and nothing more. This zero-trust model includes access to IaaS, SaaS, PaaS, and traditional on-premises resources for human and non-human entities such as bots, the Internet of Things (IOT), and Robotic Process Automation (RPA).

Cybersecurity Maturity Model Certification (CMMC) Requirements

The CMMC operates in tiers that require DIB companies to meet different levels of compliance based on the type and sensitivity of the information they possess on their unclassified networks. In November 2021, the DoD announced its latest iteration, CMMC 2.0, which reduced the previous five-level model down to three. CMMC 1.0 required government-approved third-party assessor certifications for all levels; CMMC 2.0 allows Level 1 and some Level 2 companies to demonstrate compliance through annual self-assessments. Level 2 and Level 3 DIB companies handling sensitive CUI data will require third-party assessments every three years.

 Screenshot 2024-04-10 at 9.43.05 PM

CMMC consists of 17 security domains with focus areas such as Access Control, Identification and Authentication, Audit and Accountability, and Risk Management. Within each domain are practices or controls derived from NIST 800-171 for Levels 1 and 2 and NIST 800-172 for Level 3. As of December 2021, the DoD has yet to publish how the previous CMMC 1.0 practices are realigned to the 2.0 three-level model or the new NIST 800-172 practices.

To meet Level 3, a company must have a management plan designed to conduct operations with cyber hygiene best practices in mind, including NIST 800-171 standards. The NIST 800-171 standards are security requirements aimed at protecting controlled unclassified information (CUI).” To “To meet Level 2 or 3, a company must have a management plan designed to conduct operations with cyber hygiene best practices in mind, including at a minimum NIST 800-171 standards. The NIST 800-171 standards are security requirements aimed at protecting controlled unclassified information (CUI).

Managing Subcontractor Access

It isn’t easy to manage subcontractor access and guarantee that they are appropriately scoped and accessed. It can also be a challenge to ensure their access is removed when they leave. Because all DoD contractors and subcontractors will need to be CMMC compliant by October 1, 2025, it’s recommended that prime contractors begin working with their subcontractors to develop the relevant compliance programs. That doesn’t have to be a challenge, however. Vendor access management solutions can oversee contractor access to sensitive materials and manage their access throughout the vendor-subcontractor lifecycle.

Demonstrating CMMC Compliance

Demonstrating full NIST 800-171 and 800-172 compliance can be challenging to maintain, especially when assets reside on-premises and in the cloud. However, automation and risk-based assessment of access requests can streamline the access management process in the face of dissolved network boundaries. This is accomplished by extending governance uniformly throughout the IT ecosystem, making it easy to consistently meet compliance requirements. Likewise, implementing risk-based data governance helps provide consistent controls no matter where the data resides.

Finally, meeting the evidentiary burden of the CMMC requirements can be difficult. You’ll need to prove that you’re constantly and consistently meeting the requirements. That process can be labor-intensive if the proper evidence isn’t readily available or adequately tracked. That’s why it’s in your best interest to automate your evidence collection. Continuous monitoring and tracking of controls provide the evidence auditors will require, minimizing employee time invested.

Cybersecurity Maturity Model Certification (CMMC)’s Business Impact

Cybersecurity is a top priority for the Department of Defense: Its contractors and subcontractors in the Defense Industrial Base (DIB) are increasingly targets of frequent and complex cyberattacks.

The public sector – notoriously behind in the technology race – faces the challenge of securing an enormous remote workforce. The Defense Industrial Base (DIB) sector alone is massive, with more than 100,000 companies and subcontractors working under contract for the Department of Defense. And while there are advantages to having an extensive network, security is a major issue, especially in today’s blended work environment.

Several prominent data breaches in the last few years, including the Office of Personnel Management breach in 2015, have made CMMC standards of paramount importance. Add to that the growth of cloud computing and the shift to blended work environments, and it’s clear the standards are vital for the future of data security. Getting ahead of the curve and finding ways to meet the requirements are critical for contractors hoping to continue working in the federal industry.

Meanwhile, the expansion of remote work has led to increased network attacks at the DoD. According to CSIS data, breaches and attacks raise national security issues, but they also have a clear economic cost – an estimated $600B might be lost every year to cybercrime. Generally, CMMC marks a shift away from attestation and toward auditable evidence regarding contractor security.

The Cost of Doing Business

Extra security means extra costs, so you’ll need to keep that in mind. The external assessment comes in the form of third-party auditors, or C3PAOs, required under the CMMC framework. Hiring the auditors and going through the audit process will add additional expenses and time investments to your operations. Some estimates show that the typical assessment audit program will cost between $20,000 and $40,000. However, continuous monitoring and tracking of controls provide the evidence auditors will require, minimizing the resources you’ll have to invest.

Saviynt & Cybersecurity Maturity Model Certification (CMMC)

Saviynt’s Identity Cloud is built in the cloud, for the cloud, and is the only FedRAMP authorized SaaS solution for Identity Governance and Administration (IGA) and Cloud Privileged Access Management (CPAM). The fundamentals of IGA align closely to the requirements outlined in Federal Identity Credential and Access Management (FICAM). Saviynt Identity Cloud is a modular, converged cloud platform developed entirely in-house using a single code base without bolted-on solutions from third-party acquisitions to complicate the implementation process. Each solution can operate independently, allowing customers to select the product that suits them – and integrate Identity Cloud with existing solutions.

Saviynt Identity Cloud includes the following solutions:

Identity Governance and Administration (IGA)
  • Ensures that users have seamless access and your organization is in continuous compliance.
  • Increases organizational efficiency and agility through automation and intuitive identity workflows.
  • Powered by a comprehensive identity warehouse and user experience to drive frictionless access, Saviynt IGA enables Zero Trust in your hybrid and multi-cloud environment.
Cloud Privileged Access Management (CPAM)
  • Provides complete privileged access protection to support ongoing business transformation and scale as your business needs evolve.
  • Gain visibility and governance for every identity across your entire environment to improve your security posture and maintain compliance.
  • Fast to deploy and easy to manage, so you realize value on day one.
  • CPAM can limit users’ actions in the end systems, and session recording provides an auditable record of the activities executed.
Application Access Governance (AAG)
  • Protects sensitive application access and satisfies governance, risk, and compliance (GRC) requirements.
  • Get comprehensive capabilities in Separation of Duty (SoD) analysis, emergency access management, role engineering and management, compliant provisioning, and access certification.
Data Access Governance (DAG)
  • Discovers, analyzes, and protects sensitive structured and unstructured data – regardless of whether your IT ecosystem is on-premises, hybrid, or cloud-based.
Third-Party Access Governance (TPAG)
  • Securely manages third parties throughout the engagement lifecycle.
  • Internal and external sponsors shepherd the account from inception, through access management, periodic reviews, and eventual decommissioning.

In Conclusion

The growth of cloud computing and the shift to blended work environments represent an opportunity for cyberattackers. CMMC standards are critical for the future of data security in the public sector and for contractors that work for the public sector. Getting ahead of the curve and finding ways to meet the requirements will be critical for contractors hoping to continue working in the federal sphere. Saviynt Enterprise Identity Cloud has many essential features to help contractors achieve and maintain compliance with the DoD’s CMMC program.

For more details on how Saviynt enables customers to get and stay compliant within the various CMMC domains and practice levels.

 

Resources

Saviynt Identity Cloud Architecture

Solution Guide

Modern Identity Governance & Administration for Mid-sized Organizations

On-Demand Webinars

Saviynt Identity Cloud

Solution Guide