Author: Paul Cronin, Co-Founder of Rootshell

Back in 2014 when dinosaurs ruled the earth, I was fortunate enough to be involved with CREST in helping shape the UK government’s Cyber Essentials scheme. There are two levels of certification: Cyber Essentials, which involves independent verification by an accreditation body of a self-assessment, and Cyber Essentials Plus, which involves the accreditation body performing the assessment itself to ensure the requirements are in place.

The general idea at the beginning of the scheme was to make sure that anyone bidding for UK Government contracts would meet a general baseline of cyber hygiene. I was, and still am, opposed to self-assessment (the basic level), believing that there should be some form of technical validation. That said, it was better than nothing, and reading the questionnaires would of course make people stop and think about cyber hygiene, helping to make suppliers generally more secure.

My opinion is that Cyber Essentials has been, and continues to be, a great success for the UK government (NCSC). From our own experience of certifying CE Plus (technical verification) businesses, we know we have made cyber security improvements in the UK Gov supply chain.

The US government has the same aspiration: a model which scales to its requirements and ensures that all suppliers to the DOD within the supply chain meet the Cybersecurity Maturity Model Certification (CMMC). From 2016 to 2020 they worked on CMMC 1.0, and this has now evolved into 2.0, which the DOD plans to have rolled out in 2025/26 for all DOD bids and contracts.

Not dissimilar to the Cyber Essentials model, CMMC has different levels, three in total. The three CMMC levels in version 2.0 are Foundational, Advanced, and Expert (Levels 1, 2 and 3). There are also two types of assessment: Self-Assessment and Certification Assessment.

The certification assessment must be conducted by C3PO from Star Wars.


Nope, sorry, not C3PO… but C3PAO, which means Third Party Assessor Organization.

Organizations can choose which level they need to implement, based on their requirements. If, for example, you supply pencils to the DOD, I would expect a Level 1 self-assessment to be sufficient.


If you happen to supply any weapons systems, then you are looking at a Level 3 certified assessment.


The higher levels offer more protection, but in my opinion, if you are a large external service provider, it is going to take a lot of time, effort, money and resources to implement.

The estimated time to implement NIST SP800-171r2 for SMBs (50-500 employees) is around 12-18 months.

CMMC Level 1: Foundational Cyber Hygiene

The most basic level of security, Level 1, requires the implementation of basic cybersecurity hygiene practices such as password management and keeping systems up to date with patches. This level is intended for small businesses with minimal risk to their data.

Level 1 is based on 17 controls, which are found in FAR 52.204-21. This is a good starting point for organizations who are just beginning to implement cybersecurity measures, or who have limited resources.

Level 1 certification is required for companies that handle Federal Contract Information (FCI) but are not considered part of the critical infrastructure, which includes most businesses and government agencies.

CMMC Level 2: Advanced Cyber Hygiene

Level 2 builds on the cybersecurity hygiene practices of Level 1 and requires additional measures to be put in place. Level 2 is aligned with NIST SP 800-171 and includes 110 practices. Some of the CMMC 2.0 practices focus on control, incident response, risk management, physical security, and system and information integrity.

Level 2 certification is required for companies that handle CUI and are considered part of the critical infrastructure. This includes companies in the energy, water, communications, and transportation sectors.

CMMC Level 3: Expert Cyber Hygiene

Level 3 is the highest level of CMMC certification and requires the most stringent security measures. Level 3 is based on NIST SP 800-171 and adds additional practices from NIST SP 800-172. The extra practices focus on more sophisticated detection and response capabilities, information protection, and system hardening requirements.

Level 3 certification is required for the same types of companies that need Level 2 certification, but which also handle CUI on the most sensitive or highest-assurance DoD contracts. Organizations required to comply with CMMC Level 3 certification are assessed by the Federal Government’s Defense Contract Management Agency.

The table below gives a good indication of the current process of getting certified.

Self-Assessment, Level 1
  Requirement: 15 requirements in FAR clause 52.204-21
  Scoring: All requirements must be fully implemented
  Procedure: Verify 59 objectives via SP800-171A are fully implemented; all objectives met and no open items result in a “Final Self Assessment”
  POAMS: No POAMs allowed
  Assessment: Annual; results submitted to SPRS
  Affirmation: At each assessment and annually via a senior company official
  Scoping: Consider external service providers (ESP) during the assessment

Self-Assessment, Level 2
  Requirement: 110 requirements in NIST SP800-171 Rev2
  Scoring: Fully implemented requirements worth either 5, 3 or 1 point
  Procedure: Verify 320 objectives via SP800-171A are fully implemented; all objectives met and no open items result in a “Final Self Assessment”
  POAMS: Permissible open items give a Conditional Self Assessment; 180 days to close via self-assessment
  Assessment: Every 3 years; results submitted to SPRS
  Affirmation: At each assessment and annually via a senior company official
  Scoping: ESP must have an L2 final certification

Certification Assessment, Level 2
  Requirement: 110 requirements in NIST SP800-171 Rev2
  Scoring: Fully implemented requirements worth either 5, 3 or 1 point
  Procedure: Verify 320 objectives via SP800-171A are fully implemented; all objectives met and no open items result in a “Final Certification Assessment”
  POAMS: Permissible open items give a Conditional Certification Assessment; 180 days to close via C3PAO
  Assessment: Every 3 years via C3PAO; results submitted to eMASS
  Affirmation: At each assessment and annually via a senior company official
  Scoping: ESP must have an L2 final certification

Certification Assessment, Level 3
  Requirement: 24 requirements from NIST SP800-172
  Scoring: Fully implemented requirements worth 1 point
  Procedure: Verify 320 objectives via SP800-171A are fully implemented; all objectives met and no open items result in a “Final Certification Assessment”
  POAMS: Permissible open items give a Conditional Certification Assessment; 180 days to close via DIBCAC
  Assessment: Every 3 years via DIBCAC; results submitted to eMASS
  Affirmation: At each assessment and annually via a senior company official
  Scoping: ESP must have an L3 final certification

  • POAMS = Plan of Action and Milestones
  • SPRS = Supplier Performance Risk System
  • ESP = External Service Provider
  • eMASS = Enterprise Mission Assurance Support Service
  • DIBCAC = Defense Industrial Base Cybersecurity Assessment Center
  • C3PAO = CMMC Third Party Assessor Organization

There is a lot of information out there on the Internet on CMMC and personally, I think it is very confusing and unclear. I can only imagine the size of the supply chain involved within the DOD, and the work of getting such a scheme running across thousands and thousands of suppliers.

I have a phrase I use for overcomplicating things, “over egging the omelette”, and I do feel this is the path that has been taken with CMMC. However, once up and running, I have no doubt this will help make the DOD safer from a cyber perspective.

I did attempt to go through the process myself at Level 1, even though we do not currently provide services to the DOD. However, attempting to contact the CMMC to ask if I could apply was met with a “file not found” on the Contact Us web form.

Helpful links

CMMC Website – https://dodcio.defense.gov/CMMC/

NIST link to SP800-171 – https://csrc.nist.gov/pubs/sp/800/171/a/final

Summit 7: This company seems very knowledgeable on the subject and would be a good resource for anyone requiring CMMC help. – https://www.summit7.us/

Wikipedia – https://en.wikipedia.org/wiki/Cybersecurity_Maturity_Model_Certification
