The Cybersecurity Maturity Model Certification (CMMC) is a United States Department of Defense (DoD) security framework designed to prevent the exfiltration of Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) from contractors and subcontractors within the Defense Industrial Base (DIB).
The DoD developed the Cybersecurity Maturity Model Certification (CMMC) 2.0 as a dynamic certification program to enhance the DIB cybersecurity posture. The program protects sensitive unclassified information shared by the Department with its contractors and subcontractors. By incorporating cybersecurity requirements into acquisition programs, the CMMC program provides the DoD with assurance that contractors and subcontractors meet these requirements.
The principles of Identity Governance and Administration (IGA) occupy a significant portion of the practice requirements within the CMMC framework. IGA enables a zero-trust model of Identity Governance, ensuring users only have access to what they need, for the time they need it, and nothing more. This zero-trust model includes access to IaaS, SaaS, PaaS, and traditional on-premises resources for human and non-human entities such as bots, the Internet of Things (IOT), and Robotic Process Automation (RPA).
The CMMC operates in tiers that require DIB companies to meet different levels of compliance based on the type and sensitivity of the information they possess on their unclassified networks. In November 2021, the DoD announced its latest iteration, CMMC 2.0, which reduced the previous five-level model down to three. CMMC 1.0 required government-approved third-party assessor certifications for all levels; CMMC 2.0 allows Level 1 and some Level 2 companies to demonstrate compliance through annual self-assessments. Level 2 and Level 3 DIB companies handling sensitive CUI data will require third-party assessments every three years.
|CMMC Model 2.0||Model||Assessment|
practices based on NIST SP 800-172
|Triennial government-led assessments|
practices aligned with NIST SP 800-171
|Triennial third-party assessments for critical national security information; Annual self-assessment for select programs|
CMMC consists of 17 security domains with focus areas such as Access Control, Identification and Authentication, Audit and Accountability, and Risk Management. Within each domain are practices or controls derived from NIST 800-171 for Levels 1 and 2 and NIST 800-172 for Level 3. As of December 2021, the DoD has yet to publish how the previous CMMC 1.0 practices are realigned to the 2.0 three-level model or the new NIST 800-172 practices.
To meet Level 3, a company must have a management plan designed to conduct operations with cyber hygiene best practices in mind, including NIST 800-171 standards. The NIST 800-171 standards are security requirements aimed at protecting controlled unclassified information (CUI).” To “To meet Level 2 or 3, a company must have a management plan designed to conduct operations with cyber hygiene best practices in mind, including at a minimum NIST 800-171 standards. The NIST 800-171 standards are security requirements aimed at protecting controlled unclassified information (CUI).
It isn’t easy to manage subcontractor access and guarantee that they are appropriately scoped and accessed. It can also be a challenge to ensure their access is removed when they leave. Because all DoD contractors and subcontractors will need to be CMMC compliant by October 1, 2025, it’s recommended that prime contractors begin working with their subcontractors to develop the relevant compliance programs. That doesn’t have to be a challenge, however. Vendor access management solutions can oversee contractor access to sensitive materials and manage their access throughout the vendor-subcontractor lifecycle.
Demonstrating full NIST 800-171 and 800-172 compliance can be challenging to maintain, especially when assets reside on-premises and in the cloud. However, automation and risk-based assessment of access requests can streamline the access management process in the face of dissolved network boundaries. This is accomplished by extending governance uniformly throughout the IT ecosystem, making it easy to consistently meet compliance requirements. Likewise, implementing risk-based data governance helps provide consistent controls no matter where the data resides.
Finally, meeting the evidentiary burden of the CMMC requirements can be difficult. You’ll need to prove that you’re constantly and consistently meeting the requirements. That process can be labor-intensive if the proper evidence isn’t readily available or adequately tracked. That’s why it’s in your best interest to automate your evidence collection. Continuous monitoring and tracking of controls provide the evidence auditors will require, minimizing employee time invested.
Cybersecurity is a top priority for the Department of Defense: Its contractors and subcontractors in the Defense Industrial Base (DIB) are increasingly targets of frequent and complex cyberattacks.
The public sector – notoriously behind in the technology race – faces the challenge of securing an enormous remote workforce. The Defense Industrial Base (DIB) sector alone is massive, with more than 100,000 companies and subcontractors working under contract for the Department of Defense. And while there are advantages to having an extensive network, security is a major issue, especially in today’s blended work environment.
Several prominent data breaches in the last few years, including the Office of Personnel Management breach in 2015, have made CMMC standards of paramount importance. Add to that the growth of cloud computing and the shift to blended work environments, and it’s clear the standards are vital for the future of data security. Getting ahead of the curve and finding ways to meet the requirements are critical for contractors hoping to continue working in the federal industry.
Meanwhile, the expansion of remote work has led to increased network attacks at the DoD. According to CSIS data, breaches and attacks raise national security issues, but they also have a clear economic cost – an estimated $600B might be lost every year to cybercrime. Generally, CMMC marks a shift away from attestation and toward auditable evidence regarding contractor security.
Extra security means extra costs, so you’ll need to keep that in mind. The external assessment comes in the form of third-party auditors, or C3PAOs, required under the CMMC framework. Hiring the auditors and going through the audit process will add additional expenses and time investments to your operations. Some estimates show that the typical assessment audit program will cost between $20,000 and $40,000. However, continuous monitoring and tracking of controls provide the evidence auditors will require, minimizing the resources you’ll have to invest.
Saviynt’s Enterprise Identity Cloud (EIC) is built in the cloud, for the cloud, and is the only FedRAMP authorized SaaS solution for Identity Governance and Administration (IGA) and Cloud Privileged Access Management (CPAM). The fundamentals of IGA align closely to the requirements outlined in Federal Identity Credential and Access Management (FICAM). Saviynt EIC is a modular, converged cloud platform developed entirely in-house using a single code base without bolted-on solutions from third-party acquisitions to complicate the implementation process. Each solution can operate independently, allowing customers to select the product that suits them – and integrate EIC with existing solutions.
Saviynt EIC includes the following solutions:
The growth of cloud computing and the shift to blended work environments represent an opportunity for cyberattackers. CMMC standards are critical for the future of data security in the public sector and for contractors that work for the public sector. Getting ahead of the curve and finding ways to meet the requirements will be critical for contractors hoping to continue working in the federal sphere. Saviynt Enterprise Identity Cloud has many essential features to help contractors achieve and maintain compliance with the DoD’s CMMC program.
For more details on how Saviynt enables customers to get and stay compliant within the various CMMC domains and practice levels, see our white paper.