The Cybersecurity Maturity Model Certification (CMMC) is a framework developed by the U.S. Department of Defense (DoD) to ensure that companies within the DoD supply chain have adequate cybersecurity controls in place. The CMMC framework assesses a company’s cybersecurity maturity across three levels, with each level building upon the previous one.
Operational Technology (OT) has often been ignored or left out of compliance mandates. Because OT is unique in the physical nature of its operations, its manufacturing practices, and its use of air gaps, it is difficult to give a definitive answer on how Controlled Unclassified Information (CUI) flows down to the physical or OT level. OT has been considered for future CMMC revisions, but implementing the existing guidance and controls is already a challenge for the Defense Industrial Base (DIB) without adding ambiguous requirements.
Despite this, the DIB should think about risk management in the context of the pace of modernization and convergence across its IT and OT landscapes. As Industry 4.0 modernization progresses, the physical isolation of OT, and the false sense of security it provides, becomes a significant risk: once a SaaS integration, remote-access gateway, or data-collection link crosses the air gap, the isolation no longer exists. Adopting next-generation applications and capabilities such as SaaS-based applications, augmented reality, digital twins, artificial intelligence, and machine learning is critical to maintaining revenue-driving competitive advantages. These advances, however, must be accompanied by cyber and information security policies that enforce logical and physical separation of CUI across networks and applications, as is already done in a traditional corporate IT environment.
Organizations that take a proactive approach to people, process, and technology are "future-proofing" their system security plans. For instance, DIB organizations that began investing in enterprise-wide NIST SP 800-171 and SP 800-53 implementation years ago are better placed to align with current CMMC and Zero Trust frameworks. Waiting for final guidance or supplementary funding makes the process more difficult and time-consuming. It is much smarter to extend current policies into the OT domain early rather than being forced to retrofit them later.
The Three Levels of CMMC Compliance
CMMC 2.0 reduces the number of CMMC levels from five to three, and the level a contractor must meet depends on the type of information it handles.
- Level 1 (Foundational) is based on the basic safeguarding requirements in FAR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems (15 requirements in the clause, mapped to 17 CMMC practices), which aim to protect covered contractor information systems and limit access to authorized users. This level applies to companies that handle Federal Contract Information (FCI) but not CUI.
- Level 2 (Advanced) corresponds to the original CMMC Level 3 and is for companies that handle CUI. It mirrors NIST SP 800-171 (Revision 2), with its 14 control families and 110 security requirements for protecting CUI in nonfederal systems.
- Level 3 (Expert) focuses on reducing the risk from Advanced Persistent Threats (APTs) and is intended for companies handling CUI on the DoD's highest-priority programs. Its requirements are the 110 NIST SP 800-171 requirements plus a subset of the enhanced requirements in NIST SP 800-172, organized under the same 14 families. Early CMMC 2.0 materials described that subset as roughly 20 controls, for a total of about 130; the DoD's final CMMC program rule selected 24 SP 800-172 requirements, for a total of 134.
The CMMC Assessment Process
Whether a company needs a third-party assessment depends on the level. Level 1, and Level 2 for some contracts, is met through an annual self-assessment and an affirmation by a senior company official, with the results reported in the DoD's Supplier Performance Risk System (SPRS). Most Level 2 requirements must be verified by a CMMC Third-Party Assessment Organization (C3PAO) accredited by the Cyber AB (formerly the CMMC Accreditation Body, CMMC-AB). Level 3 assessments are conducted by the government's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) and require a Level 2 certification to already be in place. In each case the assessment evaluates the company's compliance with the practices and processes required for the desired level.
A C3PAO assessment reviews the company's documentation (notably its System Security Plan) and practices, and includes an on-site evaluation to validate that the practices are actually implemented and effective, not merely written down. Once the assessment is complete, the C3PAO reports its results, and the resulting certification status is recorded in DoD systems such as SPRS, where it can be checked by contracting officers.
Benefits of CMMC Compliance
CMMC compliance provides several benefits for companies that want to work with the DoD, including:
- Verified cybersecurity controls: CMMC compliance demonstrates to the DoD that a company has implemented adequate cybersecurity controls to protect sensitive information.
- Competitive advantage for working with the federal government: CMMC compliance is becoming a condition of award for DoD contracts that involve FCI or CUI, and by achieving compliance early, a company can position itself as a preferred vendor for those contracts.
- Improved cybersecurity posture: Implementing the practices required for CMMC compliance can improve a company’s overall cybersecurity posture, which can help protect against cyber threats.
How Dragos Can Help
Dragos provides technology and services to help companies meet the requirements of the CMMC framework, especially for those working in the DIB. Each domain within the framework contains requirements that can be addressed by leveraging solutions from Dragos:
- Access Control (AC)
- Asset Management (AM) (a separate domain in CMMC 1.0; in CMMC 2.0, asset inventory requirements fall under Configuration Management)
- Awareness and Training (AT)
- Audit and Accountability (AU)
- Configuration Management (CM)
- Identification and Authentication (IA)
- Incident Response (IR)
- Maintenance (MA)
- Media Protection (MP)
- Personnel Security (PS)
- Physical Protection (PE)
- Risk Assessment (RA)
- Security Assessment (CA)
- Systems and Communications Protection (SC)
- System and Information Integrity (SI)
The Dragos Platform and professional services can help companies identify and close gaps in their cybersecurity posture, implement the required cybersecurity controls, and build a strong cybersecurity program that meets the requirements of the CMMC framework.