What is the CMMC Standard?
The Cybersecurity Maturity Model Certification (CMMC) is the DoD’s latest verification mechanism designed to ensure that cybersecurity controls and processes adequately protect Controlled Unclassified Information (CUI) that resides on DoD supplier’s systems and networks. It builds upon Defense Federal Acquisition Regulation Supplement (DFARS) and National Institute of Standards and Technology (NIST) frameworks by requiring every contractor to be audited and certified by a third-party auditor.
CMMC combines various cybersecurity control standards such as NIST SP 800-171, NIST SP 800- 53, ISO 27001, ISO 27032, AIA NAS9933 and others into one, unified standard for cybersecurity with maturity levels ranging from ranging from Basic Cybersecurity Hygiene to Advanced. CMMC also measures the maturity of a company’s institutionalization of cybersecurity practices and processes.
What types of sensitive information are covered by the CMMC?
The CMMC model is designed to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) shared with defense contractors and subcontractors during contract performance.
- Federal Contract Information (FCI): FCI is defined as “information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government.”
- Controlled Unclassified Information (CUI): CUI is “information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.”
Which companies are subject to the CMMC?
The organizations that are subject to CMMC certification compose the Defense Industrial Base (DIB), the supply chain for the Department of Defense (DoD). These are organizations that are essential in the research, engineering, development, acquisition, production, delivery, sustainment, and operations of DoD systems, networks, installations, capabilities, and services.
Which are the changes in CMMC version 2.0?
The CMMC version 2.0 was enacted in November 2020 by the DoD to ensure that contractors part of the DIB perform cyber hygiene to level compatible with doing business with the government. The main changes from CMMC version 1 include a consolidation of the five maturity levels into three, and the elimination of unique practices and processes in favor of mirroring existing frameworks such as the Cybersecurity Framework from the National Institute of Standards and Technology (NIST) — special publications 800-171 and 800-172, in particular.
Which are the CMMC 2.0 levels?
The CMMC version 2.0 model measures the implementation of cybersecurity requirements at three levels. Each level consists of a set of CMMC practices:
- Level 1: CMMC Level 1 is a foundational level, focusing on basic cyber hygiene and applies to organizations handling FCI, requiring 17 security practices and an annual self-assessment. All Level 1 requirements are described in the Federal Acquisition Regulation 52.204-21.
- Level 2: CMMC Level 2 is an advanced level, designed for organizations handling CUI, requiring compliance with 110 security practices based on NIST SP 800-171, and either self-assessments or third-party assessments by a CMMC Third Party Assessor Organization (C3PAO) depending on contract requirements.
- Level 3: CMMC Level 3 is the highest level, for organizations managing the most sensitive data, requiring certification on 24 advanced cybersecurity practices and processes based on NIST SP 800-172 and government-led assessments.
The CMMC levels and associated sets of practices across domains are cumulative. More specifically, for an organization to achieve a specific CMMC level, it must also demonstrate achievement of the preceding lower levels. For the case in which an organization does not meet its targeted level, it will be certified at the highest level for which it has achieved all applicable practices.
What are the CMMC deadlines?
- CMMC Levels 1 and 2 assessments are required starting March 1, 2025.
- CMMC level 3 will be required as of March 1, 2028.
What are the CMMC penalties for non-compliance?
Failure to meet CMMC requirements can lead to the loss of existing DoD contracts or the inability to bid on new ones. It may include fines for violating contract terms or federal regulations, potentially including penalties under the False Claims Act (FCA). Additional legal liabilities, audits and investigations may also be enforced.
White Paper
Compliance Cybersecurity Maturity Model Certification (CMMC) for Government Contractors
Read our detailed white paper to understand how Thales can help with CMMC compliance requirements
How Thales Helps with CMMC 2.0 Compliance
Thales’ solutions can help organizations that are part of the Defense Industrial Base comply with the CMMC requirements by simplifying compliance and automating security reducing the burden on security and compliance teams. We help address essential cybersecurity risk-management requirements for CMMC 2.0 level 2 addressing application security, data security and identity & access management requirements across multiple categories.
CMMC Compliance Solutions
Application Security
Protect applications and APIs at scale in the cloud, on-premises, or in a hybrid model. Our market leading product suite includes Web Application Firewall (WAF) protection against Distributed Denial of Service (DDoS) and malicious BOT attacks, security for APIs, a secure Content Delivery Network (CDN), and Runtime Application Self- Protection (RASP).
Data Security
Discover and classify sensitive data across hybrid IT and automatically protect it anywhere, whether at rest, in motion, or in use, using encryption, tokenization, and key management. Thales solutions also identify, evaluate, and prioritize potential risks for accurate risk assessment. They also identify anomalous behavior and monitor activity to identify potential threats and verify compliance, allowing organizations to prioritize where to allocate their efforts.
Identity & Access Management
Provide seamless, secure, and trusted access to applications and digital services for customers, employees, and partners. Our solutions limit the access of internal and external users based on their roles and context with granular access policies and multi-factor authentication that help ensure that the right user is granted access to the right resource at the right time.
Mapping Thales Capabilities to CMMC 2.0 Level 2 Requirements
How Thales helps:
- Limit the access of internal and external users to systems and data based on roles and context with policies.
- Centralize access control over multiple hybrid environments in a single pane of glass.
- Prevent password fatigue with Smart Single Sign-On with conditional access.
- Secure remote work access.
- Apply contextual security measures, terminate session or prevent logon based on risk scoring.
- Enforce granular user access policies to sensitive data and secrets.
- Access policies operate as additional control on top of operating system’s access permissions.
- Enable complete separation of roles where only authorized users and processes can view unencrypted data.
- Identify abnormal user behavior and block login or terminate session.
Solutions:
Identity & Access Management
Data Security
How Thales helps:
- Log all events and stream logs to external SIEM systems.
- Reports on user activity, such as authentication methods, user groups, or application access.
- Gain full sensitive data activity visibility, track who has access, audit and report.
- Collect evidence through automated reporting, dashboards, and secure audit trail.
- Log sensitive data access and stream to SIEM systems.
- Maintain a year's worth of records for audit reporting.
- Automatically notify relevant authorities.
Solutions:
Data Security
Identity & Access Management
How Thales helps:
- Enable MFA with the broadest range of hardware and software methods.
- Build and deploy adaptive authentication policies.
- Protect against phishing and man-in-the-middle attacks.
- Risk-Based Authentication and PKI and FIDO Authenticators.
Solutions:
Identity & Access Management
How Thales helps:
- Mitigate DDoS attacks in as little as three seconds.
- Prevent malicious Bot attacks with automated protection.
- Inspect all traffic, detect and prevent web-based attacks with WAF.
- Lifecycle management of data-related incidents and automated ticket generation for faster incident handling.
- A year's worth of retained records are instantly accessible for detailed search.
Solutions:
Application Security
Data Security
How Thales helps:
- Smart cards can be integrated with various building access technologies to function as both an employee’s physical and digital ID.
- PKI and FIDO authentication. Reports on user activity, such as authentication methods, user groups, or application access. Encryption with granular access control for sensitive data stored on any media.
Solutions:
Identity & Access Management
Data Security
How Thales helps:
- Discover and classify potential risk for all public, private, and shadow APIs.
- Identify vulnerabilities in handling of sensitive data and enforce protection.
- Identify structured and unstructured sensitive data at risk across Hybrid IT.
- Monitor data access and activity and identify threats to sensitive data.
- Identify current state of compliance, documenting gaps, and providing a path to full compliance.
How Thales helps:
- Continuously monitor cyber traffic, detect and prevent cyber threats with WAF.
- Safeguard ICT network performance and integrity from DDoS attacks and Bad Bots while continuing to allow legitimate traffic.
- Protect data-at-rest, in use, and secrets across hybrid IT.
- Protect data in motion with high-speed encryption.
- Pseudonymize and mask sensitive information for production or tests.
- Manage cryptographic keys and protect them in a FIPS 140-3 environment.
- Manage and protect all secrets and sensitive credentials.
- Maintain crypto-agility with products designed for post-quantum upgrade.
- Secure execution with Confidential Computing.
- Data activity monitoring for structured and unstructured data across cloud and on premises systems.
How Thales helps:
- Discover, inventory, and remediate vulnerabilities in APIs.
- Safeguard ICT network performance from DDoS attacks.
- Prevent malicious Bot attacks with automated protection.
- Continuously monitor cyber traffic, detect and prevent cyber threats with WAF.
- Monitor for abnormal I/O activity and block malware.
- Monitor and alert anomalies to detect and prevent unwanted activities.
Solutions:
Application Security
Data Security
Related resources
Other key data protection and security regulations
PCI HSM
MANDATE | ACTIVE NOW
The PCI HSM specification defines a set of logical and physical security compliance standards for HSMs specifically for the payments industry. PCI HSM Compliance certification depends on meeting those standards.
DORA
REGULATION | ACTIVE NOW
DORA aims to strengthen the IT security of financial entities to make sure the financial sector in Europe is resilient in the face of the growing volume and severity of cyber-attacks.
Data Breach Notification Laws
REGULATION | ACTIVE NOW
Data breach notification requirements following loss of personal information have been enacted by nations around the globe. They vary by jurisdiction but almost universally include a “safe harbor” clause.
GLBA
REGULATION | ACTIVE NOW
The Gramm-Leach-Bliley Act (GLBA)--also known as the Financial Services Modernization Act of 1999--requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data.