Initially introduced in 2020, Cybersecurity Maturity Model Certification (CMMC) establishes cybersecurity standards for defense contractors who handle sensitive information. It affects all contractors who perform work for the US Department of Defense (DoD).

Organizations that will need to demonstrate CMMC compliance may wonder what is required of them, and how video surveillance fits into their security strategy. In this blog, we’ll look at CMMC, how it pertains to video security cameras, and how you can use video surveillance to strengthen overall security compliance throughout your organization.

What is CMMC?

Cybersecurity Maturity Model Certification (CMMC) is a process created by the Defense Department to help ensure all defense industrial base (DIB) contractors meet cybersecurity standards and requirements of unclassified information.

CMMC describes five levels of certification, each of which establishes certain cybersecurity standards for defense contractors who handle sensitive information. It aims to protect sensitive data from cyberattacks, hacking, poor data hygiene, negligence, or other unsafe digital practices.

Initially introduced in 2020, CMMC requirements are being rolled out over time. It's expected that by 2026, all DoD contracts will require a minimum of Level 1 Certification.

Who must comply with the CMMC?

The short answer is that all Department of Defense (DoD) contractors must comply with CMMC. However, the level of certification a contractor must meet varies, and is dependent on the nature of their work and the sensitivity of the data they handle.

For example, organizations handling very basic information will only need to achieve Level 1 Certification to comply. For those handling Controlled Unclassified Information (CUI), the requirement will be a higher level of compliance; a minimum of Level 3 will need to be achieved for those handling CUI.

The DoD has stated that lower-level certification requirements will not be the same certification levels required throughout its entire supply chain for a given contract. This means that there will be different certification levels necessary in a single contract when dealing with multiple organizations and contractors. Organizations must be agile and meet the appropriate level of compliance that satisfies the security requirements for a specifically requested tier.

Implementing Third-Party Certification

Before CMMC’s introduction in 2020, contractors were responsible for their entire cybersecurity process. They implemented, monitored, evaluated, and certified the security of their information technology systems and any defense information they stored or transmitted.

Cybersecurity Maturity Model Certification (CMMC) shifts the evaluation and certification processes to a third party. Now, contractors are still responsible for implementing cybersecurity standards across their organization, but a contractor’s compliance and procedures must be evaluated by a third party.

The CMMC Framework

The CMMC is made up of five certification levels that reflect the maturity and reliability of a company’s cybersecurity standards and processes. Different contractors and projects will require different certification levels depending on the sensitivity of the data they handle.

These tiered levels build upon one another’s technical requirements to achieve certification. An organization must comply with lower-level requirements and institutionalize different processes to implement cybersecurity practices of a higher level.

The Five Levels of CMMC Certification:

1. Basic Cyber Hygiene: Demonstrate basic cyber hygiene, as achieved by the Federal Acquisition Regulation (FAR). It requires an organization to implement antivirus software and properly safeguard federal contract information before disposal.
2. Intermediate Cyber Hygiene: Organizations must demonstrate a standard operating procedure, policies, and documentation on the best cybersecurity practices and policies to protect any Controlled Unclassified Information (CUI).
3. Good Cyber Hygiene: At this level, an organization can demonstrate the ability to safeguard CUI and effectively implement NIST SP 800-171 security requirements. Additionally, an organization is required to maintain a management plan and actively review policies and processes to protect CUI.
4. Proactive Cyber Hygiene: Demonstrate a proactive approach towards establishing practices to enhance detection and response to evolving tactics, processes, and procedures of advanced persistent threats (APTs). An organization is expected to review and document activities for effectiveness and inform high-level management of any issues.
5. Advanced/Progressive Cyber Hygiene: This is the highest level of certification. An organization must demonstrate the ability to protect CUI from APTs by establishing advanced procedures capable to detect and respond to APTs. These processes must be standardized across all applicable organizational units.

Implementing CMMC

As of January 2022, the current accreditation procedures and accreditors have not yet been established. Details are expected to be available soon, and it is believed that by 2026 the CMMC will be fully implemented.

Organizations are encouraged to start certification efforts as early as possible so that what CMMC is finalized they will already be eligible for potential DoD projects or other government contracts that involve sensitive defense information.

How to prepare for CMMC

The best way for an organization to prepare for the implementation of CMMC is to establish best practices and adhere to the CMMC guidelines stated above. It is recommended to begin the compliance process by first meeting the requirements in NIST 800-171.

1. Determine what CMMC levels you must achieve.
2. Evaluate your current status; review cyber hygiene and gather documentation.
3. Review each CMMC requirement one by one against your existing security procedures.
4. Create missing processes, fill in security gaps, and otherwise align your security environment to align with CMMC requirements.
5. Routinely check your environment against CMMC standards to stay prepared for CMMC accreditation once available.

CMMC Compliance and Video Security

CMMC compliance can be complicated, and Rhombus often addresses questions about video surveillance, security cameras, and federal requirements.

Many government and legal organizations use video surveillance to help secure their facilities and protect sensitive data. Because security cameras increase onsite security and accountability, federal contractors can use video security as part of their compliance strategy. When used alongside other cybersecurity best practices, video surveillance can help contractors reach CMMC compliance.

Rhombus has worked with numerous organizations that use cloud security cameras as part of their compliance strategy. Clients use Rhombus to help comply with CJIS, NIST, HIPAA, and more. We hope to aid anyone considering the use of security cameras in their organization to maintain robust cybersecurity protocols and meet compliance with CMMC.

Feel free to request a personalized demo or reach out to one of our experts if you have any questions on how to best roll out video security within your organization.