27 Feb 2020

By this point, you should hopefully understand that the purpose of the Cybersecurity Maturity Model Certification (CMMC) is to simplify cybersecurity for federal contractors and sub-contractors.

Katie Arrington, the DoD’s Chief Information Security Officer for Acquisition and Sustainment, noticed (quite aptly) that “self-certifying” just wasn’t cutting it, so to speak. Hackers were targeting contractors, and stealing Controlled Unclassified Information (CUI) was like shooting fish in a barrel.

The DoD’s solution to this massive problem is the CMMC. The first version was rolled out less than a month ago and we must say that we are impressed. It takes cybersecurity best practices and applies them to a 5-tiered maturity process, meaning that the levels build on each other; in other words, you can’t achieve CMMC ML 5 until you have also achieved CMMC ML 1-4.

Keep in mind, you will not know what CMMC ML your contract will require until it is rolled out (hopefully later this year) and until then, YOU ARE REQUIRED TO BE NIST SP 800-171 CERTIFIED.

So let’s take a closer look at each step, shall we?

You can also review the information on the DoD’s CMMC website.  We also recommend checking out their well-done FAQ page and if you still have questions, feel free to ask the professionals on our CMMC Defense Forum.

https://www.acq.osd.mil/cmmc/docs/CMMC_v1.0_Public_Briefing_20200131_v2.pdf

CMMC ML 1

  • Practice 
    • “Basic Cyber Hygiene”
    • 17 Practices for basic safeguarding of Federal Contract Information (FCI)
  • Process
    • “Performed”
    • No actual processes
  • Only addresses practices from the FAR Clause 52.204-21.

There really isn’t much to this, as it is simply “Basic Cyber Hygiene.” There is nothing for you to document, but there are 15 safeguarding requirements from FAR (clause 52.204-21) that correspond directly to 17 security requirements from NIST SP 800-171 (r1).

The ONLY way you will qualify for just CMMC ML 1 (unless they make drastic changes) is if you don’t handle CUI at all, BUT if you are NIST SP 800-171 certified, it is likely that you would achieve this level of certification with very little additional work.

CMMC ML 2

  • Practice 
    • “Intermediate Cyber Hygiene”
    • 72 practices meant to help transition from safeguarding FCI to protecting CUI
  • Processes
    • “Documented”
    • 2 processes

This is where you need to start “showing your work” as my old Calculus teacher would say.  You must start documenting every action you have taken in the name of cybersecurity, including those steps from ML1.  This is primarily a “transition step,” and it’s unlikely that too many contractors will be required to remain at this step, but it needs to be completed nonetheless.  ML2 is taken from, and in compliance with, FAR.  It also contains a select subset of 48 NIST SP 800-171 r1 practices as well as seven more practices that promote “Intermediate Cyber Hygiene.”

Similar to ML1, if you are already NIST SP 800-171 compliant, you most likely will have no trouble achieving this level.

CMMC ML 3

  • Practice
    • “Good Cyber Hygiene”
    • 130 practices to protect CUI
  • Processes:
    • “Managed”
    • 1 process for safeguarding CUI
  • Includes all 110 security controls from NIST 800-171
  • All contractors handling CUI will be required to be CMMC Level 3 certified

This is where we really start to get to the “meat and potatoes.” Not only does ML3 encompass all of the NIST SP 800-171 security controls, but it also includes FAR (from ML 1-2) and 20 additional “best cybersecurity practices” to attain “Good Cyber Hygiene.”

This is actually what we recommend as a starting point for most contractors. If you are NIST SP 800-171 compliant, there will most likely be a little bit of remediation, but you will be pretty close and it won’t take a lot to get you ML3 certified.

CMMC ML 4

  • Practice
    • “Proactive”
    • Includes 130 practices to protect CUI from Level 3 PLUS an additional 26 controls to not only protect CUI but to also reduce the risk of APTs
  • Processes:
    • “Reviewed”
    • Actively take corrective measures
  • Mostly sourced from NIST 800-171 RevB.

CMMC ML 5

  • Practice
    • “Advanced/Proactive”
    • Includes the 130 practices to protect CUI from Level 3 PLUS the 26 controls from Level 4 and an additional 15 practices to further reduce the risk of APTs
  • Processes:
    • “Optimizing”
    • Focus on protecting CUI from APTs
  • Mostly sourced from NIST 800-171 RevB.

CMMC ML 4-5 are all of NIST SP 800-171, FAR and a little bit more. The biggest difference is that you get into proactively protecting your CUI and reducing the threat of Advanced Persistent Threats (APTs), which are sophisticated cyber adversaries. We doubt many smaller contractors will be required to attain ML 4 or ML 5, but we can definitely assist with that, as well, if your contract requires it.

In fact, we can help you regardless of what level you are required to achieve. Although nothing is set in stone as of yet, we have a pretty good idea of what the requirements will be and recommend you start tackling CMMC sooner rather than later, so you don’t wait too long and lose your contracts (or get hacked… or both!).

Please call us with any questions you have at 919-422-2607 or visit our CMMC Defense Forum.  You can also schedule a free consultation with Craig online.
