CMMC and the Role of Registered Practitioner Organizations

Answering questions about CMMC, RPOs, and how they link to each other. What does one have to do with the other, and why are they both so important to the security of the U.S. military?


“I AM THE CREEPER. CATCH ME IF YOU CAN.” This was the message displayed by the first computer virus. Created in 1971 by Bob Thomas, “The Creeper” was originally designed to test security and see whether a self-replicating program was possible. Since then, computer programming has evolved, and with it so has cybercrime. There are now many more cyber threats than ever before. Instead of a harmless program like the Creeper, there are phishing, malware, botnet attacks, data breaches, crypto-jacking, and more. As these threats evolve and escalate alongside technology, so must cybersecurity.

What is CMMC?

In January of 2020, the U.S. Department of Defense (DoD) launched the Cybersecurity Maturity Model Certification program in response to a number of breaches in the supply chain. In November of 2021, the DoD released CMMC 2.0, which cut down on redundant practices and reduced the cost of compliance and certification. CMMC 2.0 also reduced the number of certification levels from 5 to 3. But what is CMMC? Cybersecurity Maturity Model Certification, or CMMC, is the standard for cybersecurity implementation in the Defense Industrial Base (DIB). The DIB handles research, manufacturing, advancements, improvements, and components to meet the needs and improve the efficiency of the U.S. military. It includes over 300,000 companies in its supply chain, and they operate under the Defense Federal Acquisition Regulation Supplement (DFARS). In short, CMMC was created to ensure that defense contractors meet the basic level of cybersecurity necessary to protect sensitive government-related data.

Why are RPOs Important?

There are 3 Maturity Levels (ML) of certification for CMMC, and each level builds upon the previous one. So, for example, if an ML3 certification is required, the contractor must also meet the certification requirements of ML2. These levels are:

Maturity Level 1 - Foundational

ML1 provides the building blocks of basic cyber hygiene and focuses on safeguards and cybersecurity practices. Maturity Level 1 is required of any contractor, prime or sub, working with DoD Federal Contract Information (FCI), and it focuses on the protection of this data. FCI is information that is not for public release, like transaction information, and it only requires minimum cybersecurity hygiene. Some examples of the 17 controls in ML1 are limiting information system access, authenticating the identities of users, and even escorting visitors and monitoring their activity. These practices, and others like them, reduce the risk of data breaches by asserting control over who has access to system information. This foundational level requires an annual self-assessment by an officer of the company.

Maturity Level 2 - Advanced

ML2 of CMMC 2.0 lines up with NIST SP 800-171, a compliance standard that focuses on protecting Controlled Unclassified Information, or CUI. As of 2017, 3.6 million people worked for the Federal government in a private contractor capacity and were responsible for protecting CUI. Controlled Unclassified Information is information that is sensitive enough to warrant protection and could be damaging if accessed by unauthorized parties, but is not sensitive enough for a higher-level security classification. For example, CUI could include blueprints, health documents, or even intellectual property. Level 2 consists of 93 additional practices on top of the 17 practices of the ML1 certification and requires triennial third-party assessments conducted by a CMMC Third-Party Assessment Organization (C3PAO).

Maturity Level 3 - Expert

This highest level of certification is the most challenging and is intended for contractors that deal with high-priority CUI programs. It continues to build on the previous levels and will require assessment by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). Unfortunately, as of January 12th, 2022, the DoD has yet to finalize the ML3 practices, but they are expected to incorporate the controls and practices in NIST SP 800-172.

So, Why Do You Need an RPO?

If this made little to no sense to you, you are not alone. It is projected that a majority of companies, around 59.0%, will only be required to obtain CMMC Maturity Level 1 certification, whereas 40% of companies will need Level 2, and Level 3 will cover the remaining 1% of DoD contractors. The requirements for CMMC assessments are complicated and not easy to understand or manage, given the numerous recent changes to the standard coming out of the Department. That is why RPOs, or Registered Practitioner Organizations, are so important to the implementation of CMMC.

While RPOs are not authorized to certify companies, they can use their familiarity with the constructs of CMMC certification and NIST standards to help, advise, consult, recommend, and implement the correct measures to mitigate risk and prepare your team for the certification process. When seeking ML2 certification, a contractor or subcontractor must pass an assessment conducted by a Certified Assessor (CA) managed by a C3PAO, and if they are unsuccessful they must wait 90 days to try again. Those 90 days can be costly in many ways: they can mean the loss of DoD contracts, as well as a loss of reputation, because people may be hesitant to work with a company that cannot offer them the level of cybersecurity they require. That is a high price to pay for noncompliance.

In the year 2020 there were 1000 data breaches in the United States alone. Worldwide there were over 2200. The DoD’s ultimate goal for the three levels of CMMC is to shore up the gaps in cybersecurity and reduce the risk of data breaches. This goal is both reasonable and achievable with the use of RPOs. They can effectively and efficiently reduce the time and effort contractors and subcontractors spend becoming certified, thereby cutting down the time that FCI and CUI are vulnerable to data breaches. Technology is not going to stop evolving, and people are not going to stop finding ways to commit crimes, so cybersecurity has to find a way to evolve with them. Click here to learn how an RPO can partner with your team for self-attestation or a C3PAO assessment.

Peter Frasco is the owner and CEO of Intelligent Integration Technologies and a CMMC Registered Practitioner with over 30 years of experience in Information Technology and Cybersecurity, including work for the US Army as a Chief Warrant Officer, for Silicon Valley startups, and for BlackBerry during its pivot to a cybersecurity powerhouse.
