AWS Public Sector Blog

How to plan for Cybersecurity Maturity Model Certification (CMMC)

CMMC compliance

Later this year, the Cybersecurity Maturity Model Certification (CMMC) accreditation framework will take effect, impacting U.S. Department of Defense (DoD) contractors, supply chain, solution providers, and systems integrators. The intention of CMMC is to verify that appropriate levels of cybersecurity practices and processes are in place, help maintain basic cyber hygiene, and protect federal contract information (FCI) and controlled unclassified information (CUI) that resides on the DoD’s industry partners’ networks. The DoD estimates that more than 300,000 organizations will require certification. In addition, other U.S. federal agencies and international organizations may adopt a similar framework to protect their intellectual property (IP). No matter the size of your organization, cloud-based services can help you meet the requirements of CMMC.

Theft of IP and sensitive information due to malicious cyber attacks are a threat to U.S. national security and is estimated to have cost the economy $57 billion to $106 billion in 2016 alone. Hostile cyber actors are known to target the defense industrial base (DIB) and the DoD supply chain. As a result, the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD (A&S)) developed the CMMC framework.

FCI is information provided by or generated for the U.S. government under contract not intended for public release. CUI is information that requires safeguarding or dissemination controls pursuant to and consistent with laws, regulations, and government-wide policies but excludes classified information. One such example of CUI includes documents marked “For Official Use Only” (FOUO).

The CMMC framework measures cybersecurity maturity according to five levels and aligns a set of processes and practices with the type and sensitivity of information to be protected. The level of required CMMC maturity increases as DoD shares increasingly sensitive information with their contractors, supply chain, solution providers, and systems integrators.

According to a recent talk by Katie Arrington, chief information security officer for OUSD (A&S), every DoD contractor will need to obtain a Level 1 certification while DoD contractors handling CUI will require CMMC Level 3. Arrington also stated that less than one percent of future DoD contracts will require CMMC Level 4 or 5 certification during a recent webinar with WashingtonExec.

What does this mean for you?

The CMMC requirement will be included in DoD solicitations starting this year, and by 2026 all DoD programs will incorporate CMMC requirements. Contractors must be assessed by a Certified Third-Party Assessment Organization (C3PAO) and issued a CMMC certificate prior to contract award. Previously, DoD contractors were required to self-attest their compliance with the DFARS 252.204-7012 clause, which includes requirements for NIST SP 800-171 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, cyber incident reporting, FedRAMP Moderate or equivalent controls if utilizing a commercial cloud service provider, and more.

Certification of IT environments through the implementation of associated CMMC controls could be costly and time consuming. Depending on the IT environment, this may include a combination of on-premises and cloud-based solutions. Using cloud infrastructure to build and manage CMMC environments with appropriate levels of control mappings to the “correct level” of CMMC certification can help alleviate concerns from mid-sized contractors and small businesses who are concerned about CMMC impacting their ability to win future DoD contracts. While time to production is one area of concern, the cloud can help by using operational expenditures versus capital investments to lower financial impacts. Regardless, whether organizations are large or small, cloud technologies can accelerate compliance efforts, reduce compliance costs by leveraging pre-approved configurations, and minimize large capital outlays by only paying for cloud services used rather than software licensing costs.

What needs to be authorized? What is the system boundary for CMMC?

Establishing the system boundary for CMMC certification is a strategic, organizational decision. Organizations must first identify where FCI and CUI reside within their IT systems. Many organizations find this a daunting challenge as FCI and CUI may reside within their legal, contracts, accounting, sales, professional services, and engineering departments. Often, this sensitive data is stored within employees’ desktops, email, mobile devices, shared network folders, contract management systems, and other departmental systems. Under existing CMMC guidance, these technology components are within the CMMC system boundary and CMMC processes and practices apply. Understanding who processes FCI and CUI, as well as where this sensitive information resides, impacts scoping decisions.

For organizations that serve DoD and federal customers, they can establish their CMMC accreditation or system boundary as their entire IT environment. Alternatively, they can establish a separate security enclave that isolates both DoD data and their employees—serving DoD and federal customers—from other commercial endeavors. The use of a separate security enclave for FCI and CUI data may reduce the CMMC assessment costs and limit remediation efforts to address CMMC gaps. However, organizations may have to deploy and support duplicate systems (e.g., email, security tools, departmental systems, etc.) to separate their sensitive DoD data from commercial business.

If organizations pursue a separate security enclave, then they should develop a strategy to isolate their FCI and CUI data, train their users, and monitor for compliance with organizational policy. Separate security enclaves can have additional indirect costs and cause user inconvenience as some departments such as legal, contract, and accounting may require separate desktops and departmental systems as these users support both DoD and commercial entities. With this in mind, establishing the system boundary for CMMC certification should be carefully considered.

Cloud-based services can lower costs while improving organizational security, regardless of whether an organization pursues a separate security enclave or wishes to certify their entire IT organization.

Distinguishing between CMMC practices and controls

CMMC, as a maturity model, requires security professionals to understand the differences between security practices and security controls. While CMMC has its roots in NIST SP 800-171 r2 and NIST SP 800-53 r4 Security and Privacy Controls for Federal Information Systems and Organizations, CMMC includes the concept of processes and practices and maps these to 17 security domains to create a maturity model. The CMMC framework does not state how a security practice should be applied and most of the practices allow for multiple avenues of successful implementation. In contrast to NIST SP 800-53 r4 and associated security control overlays, CMMC requires organizations to implement security processes and practices to achieve a desired maturity level. This flexibility to allow for multiple approaches within CMMC can lead to misunderstanding with reviewers, so organizations should educate their security professionals on the nuances of CMMC (practice vs. control) and insist their external security assessors have completed CMMC training as well.

Customer considerations for CMMC compliance

As organizations adopt the CMMC framework, certain capabilities and practice areas can be more challenging to solve as the maturity level increases. Most organizations supporting DoD entities collect or create FCI and CUI during the performance of their contract, thus requiring CMMC Level 3 certification. Collecting and creating FCI and CUI requires organizations to implement appropriate protections as adversaries attempt to exfiltrate valuable intellectual property. Based on research of data breaches and strategies to mitigate them, we selected four CMMC practices that address the most common data breaches identified.

These security practices are:

  1. Identify, report, and correct information and information system flaws in a timely manner (SI.1.210)
  2. Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified (RM.2.142)
  3. Use of multi-factor authentication for local and network access to privileged accounts and for network access to non-privileged accounts (IA.3.083)
  4. Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities [IR.2.092]

From the 130 security practices required to achieve CMMC Level 3 certification, the four security practices above have a higher degree of technical, management, and operational complexity. Consistently deploying security patches in a timely manner and implementing vulnerability scanning technology to identify missing security patches or insecure device configurations are essential for preventing security breaches. To prevent security breaches due to phishing emails or stolen credentials, multi-factor authentication (MFA) is an effective security practice, particularly when the second factor is physically separate from the device gaining access (e.g., smart card or physical token). While there is broad agreement among security professionals that MFA can prevent security breaches, implementations of MFA technologies often fail, not for technical reasons, but for lack of senior executive commitment to change end users’ and administrators’ resistance to the technology. As organizations approach CMMC Level 3 certification, security professionals will need to educate their organizational leadership, system administrators, and end users to gain their support for MFA. There are numerous AWS Identity Access Management (AWS IAM) solutions that support MFA and minimize user resistance to adoption.

Finally, organizations should evaluate their incident response (IR) capability as they prepare for CMMC Level 3 certification. Incident detection and response is both technically and operationally challenging as it requires the deployment of audit log management tools and configuration of meaningful alerts for indicators of potential compromise. Research shows that adversaries are often able to remain undetected for years in organization’s networks, highlighting the difficulties implementing an effective incident detection capability. Cloud technologies, particularly native cloud audit log management services that aggregate audit logs from virtual network, desktop, and server devices, make these challenges easier to solve using advanced tools and search capabilities.

As organizations look to achieving CMMC Level 3 certification, they should pay attention to the corresponding management and operational practices needed to support and sustain the implementation of patch management, vulnerability identification, strong authentication, and incident response. These processes and practices are difficult, but not impossible, to solve.

AWS Compliance Programs and CMMC Solutions

AWS Compliance Programs provide customers with supporting documentation to help navigate complex compliance programs. These programs include FedRAMP at Moderate and High baselines and U.S. DoD Cloud Computing Security Requirements Guide (CC SRG) Impact Levels 2, 4, 5, and 6.

AWS will be providing compliance information and documentation to help customers understand the requirements of the CMMC framework. AWS’s compliance teams understand the difficulty in navigating the ambiguity within the CMMC and are here to help. AWS also intends to provide CMMC solutions to help customers quickly deploy cloud environments and accelerate their CMMC compliance. For more information, check out the breakout session from the AWS Public Sector Summit Online, “Accelerating DoD Cybersecurity Maturity Model Certification (CMMC) with AWS GovCloud (US)”, now available on demand through 30 September 2020.

Tyler Harding

Tyler Harding

Tyler Harding is the Department of Defense (DoD) compliance program manager within Amazon Web Services (AWS) security assurance. He has over 20 years of experience providing information security solutions to federal civilian, DoD, and intelligence agencies.

Ulysses Cubillos

Ulysses Cubillos

Ulysses Cubillos is the senior business development manager for the AWS GovCloud (US) regions for regulated industries and the Department of Defense at Amazon Web Services (AWS). He has over 25 years experience helping the aerospace and defense industry execute on programs and successfully transforming their business.