Note: This article was updated December 2021 to include the Cybersecurity Maturity Model Certification (CMMC) program changes (now known as CMMC 2.0), announced November 2021 by the Department of Defense (DoD).
If you’re reading this post, chances are you have been through a regulatory compliance push before. And you’re probably hoping that (at least) some of your previous efforts will count towards newer frameworks, like the Cybersecurity Maturity Model Certification (CMMC).
Well, we’re here to tell you where that might be the case, and where it might not be.
This post will cover how the CMMC relates to other regulatory frameworks, such as NIST 800-171, PCI DSS v3.2.1, ISO 27002, and the CIS Top 20 Controls. We’ll look at areas of overlap between capability requirements, and highlight some notable ways that CMMC demands businesses level-up their security stance from what other frameworks require.
If you need a deeper dive into how and why to achieve the CMMC level that’s right for you, we hosted a free webinar that walked through the decision. Click here to watch the recording.
People who register will receive a complete table mapping the individual requirements across various frameworks. The webinar will also outline the ways that many of your CMMC requirements can be met with the help of ActZero MDR, ActZero Virtual CISO, and partner programs from Managed Service Providers (MSPs).
Key Differences Between CMMC and Other Frameworks
The CMMC framework draws on maturity processes and cybersecurity best practices from multiple previous standards, encompassing some or all of their requirements as part of its own. The biggest difference between CMMC and other compliance frameworks is that CMMC establishes five tiered, stacking certification levels that identify the maturity and reliability of a company's cybersecurity infrastructure. Briefly, the three levels are:
- Level 1: "Basic cyber hygiene" practices, such as using antivirus software and requiring regular password changes by employees.
- Level 3: "Good cyber hygiene" practices that safeguard CUI, including all the NIST 800-171 r2 security requirements as well as additional standards.
- Level 5: Implementation of more sophisticated capabilities, to detect, protect against, and respond to APTs, as selected from NIST 800-172. For example, IR.5.102 requires you to “Use a combination of manual and automated, real-time responses to anomalous activities that match incident patterns.”
And, unlike some other compliance standards, the real consequences for non-compliance with CMMC aren’t in the fines that might be levied against you, but rather in the contracts you’re ineligible for if you fail to comply. This is especially the case with companies making up the defence industrial base (DIB)—the 300,000+ businesses, organizations, and universities that research, design, supply, and operate military systems.
You should also anticipate that enforcement will be different than with other compliance regimes. While it’s true that only 75 auditors are currently CMMC-certified, that number will be 1000+ auditors in the coming year, and those auditors will be looking for companies to audit, so…
How CMMC Relates to Different Frameworks
Okay, so we’ve touched on how the CMMC is different from other frameworks, but you want to know what’s the same and what you might already be compliant with without needing to do extra work, right? Fair enough. Here are some similarities between CMMC and other standards you might be dealing with.
- NIST 800-171 & 172
CMMC 2.0 Level 2 (formerly Level 3 in CMMC 1.0) includes NIST 800-171 controls, while CMMC 2.0 Level 3 (formerly Level 5 in CMMC 1.0) includes NIST 800-172 Controls. NIST 800-171 mandates technological and process-driven security measures for companies that exchange Controlled Unclassified Information (CUI) with contractors to government agencies. Similarly, NIST 800-172 includes such measures for companies with Federal Contract Information (FCI). Like NIST 800-171, the CMMC standard can apply to organizations three-degrees removed from a government agency. Are you doing business with a business that has a US Department of Defense (DoD) contract? Then you need to be CMMC compliant if you want to maintain that relationship with the company who has a relationship with the DoD. - PCI DSS v3.2.1
Not too many companies with CUI data also take credit cards for their services, but if you do sell direct then you’ve likely heard of this standard. However, there is a good chance that you may need better security than PCI to eliminate the most risks to your manufacturing process and if your company sells a product directly. - ISO 27002
While very popular as a choice for companies looking to certify their IT practices, this standard is one of the more lengthy and costly to implement. Many teams may have to satisfy both ISO 27002 and CMMC, so this may be one of the more complete standards in terms of coverage relative to CMMC at all maturity levels. - CIS Top20 Controls
A favourite of ours at ActZero for the SMB client. CIS is the de facto standard for those who want to demonstrate to their customers that they are serious about security, but who don’t need a certification or industry recognition to do so. Unlike other standards, CIS is organized chronologically to help companies get through the process a little less painfully. While CIS is missing a number of CMMC objectives, it is almost always the best place to start and expand from if you don’t need the verification upfront. A seasoned vCISO will be able to combine the above when performing audit.
Check Out Our Webinar for More Insights
To learn more about which CMMC level is right for you check out our recorded webinar CMMC Compliance: How to Achieve the "Right" Level.
Featuring speakers Adam Mansour from ActZero (a leading provider of Managed Detection and Response) and Scott McDaniel from Simple Helix (a leading Managed Service Provider (MSP)), various paths to compliance (in-house, MSP, MDR) will be discussed. Our experts will offer insights about what is required at various CMMC levels, what determines the level you need to pursue for your business, and lessons learned from previous CMMC compliance projects.
There will be an exclusive offer to help you understand your capabilities at the end of the webinar, and free resources, including a CMMC Project Plan.
If you need to better understand which level and which specific requirements of CMMC 2.0 your company needs to be concerned with, ActZero can help. Reach out to us today.
