What is Cybersecurity Maturity Model Certification (CMMC) 2.0?
FIPS 140 Validated Cryptography for CMMC 2.0 Compliance
What is Cybersecurity Maturity Model Certification (CMMC) 2.0?
The Cybersecurity Maturity Model Certification (CMMC) is a significant initiative by the Department of Defense (DoD) aimed at fortifying the defense industrial base (DIB) against sophisticated and frequent cyber threats
Its central focus is on enhancing the security of controlled unclassified information (CUI) and federal contract information (FCI) shared within the DIB network
The Department of Defense (DoD) has recently introduced an updated version of the Cybersecurity Maturity Model Certification, known as CMMC 2.0
CMMC 2.0 brings a consolidation of levels - it will now consist of just three levels instead of the previous five. This change is aimed to simplify the process and reduce the burden on small and medium-sized businesses that may have struggled to meet the requirements of the higher levels in the previous model
Who is Subject to CMMC 2.0?
All prime- and sub-contractors of the DoD intending to bid on future contracts containing the CMMC DFARS clause will need to secure a CMMC certification from a certified third-party assessment organization (C3PAO) before the contract is awarded
Prime- and sub-contractors who access, process, or store Federal Contract Information (FCI) will at least require a Level 1 CMMC 2.0 certification
Those that access, process, or store Controlled Unclassified Information (CUI) will be required to undergo a third-party assessment to obtain a Level 2 or Level 3 CMMC 2.0 certification
What is the Relationship Between CMMC 2.0 and FIPS 140?
The Cybersecurity Maturity Model Certification (CMMC) and the Federal Information Processing Standards (FIPS) 140 have a distinct but interconnected relationship in strengthening cybersecurity infrastructure, particularly in organizations dealing with sensitive government information
FIPS 140, developed by the National Institute of Standards and Technology (NIST), sets the benchmark for cryptographic modules intending to protect sensitive information. It is integral to the realization of CMMC goals. It requires that cryptography modules be tested by third party laboratories and certified by NIST as meeting government standfards for encryption
CMMC incorporates NIST 800-171 security requirements, which in turn reference FIPS 140 for encryption standards. Essentially, to fulfill CMMC Level 2 or Level 3 requirements, organizations must use encryption methods that are FIPS 140 validated. This ensures that information, particularly Controlled Unclassified Information (CUI), is protected by strong, vetted cryptographic modules whenever it is transmitted or stored
How Are Companies Seeking CMMC Certification Getting Tripped Up by FIPS 140 Validation?
In the past, FIPS 140 validation was only required for technology companies that sold their software and hardware to the federal government
With CMMC, the requirement for FIPS 140 validation now applies to every member of the DIB (an estimated 250,000 companies) that handle CUI. Every system these companies use that performs encryption and touches CUI must use FIPS validated cryptography
Traditional FIPS 140 validations, achieved by working with a consultant, a certification lab and NIST, require significant technical resources, can take as long as two years, and require constant vigilance and effort as changes in requirements or newly discovered security vulnerabilities can cause NIST to de-certify an active FIPS certificate
How Does SafeLogic Overcome the FIPS 140 Problem for the CMMC Ecosystem?
Through its breakthrough FIPS 140 Validation-as-a-Service offering, SafeLogic can get your company a FIPS 140 certificate in your own names in just two months, not the 2+ years as is required for traditional FIPS 140 validations
SafeLogic also ensures your FIPS 140 certificate remains ‘active’ despite changing requirements or the discovery of security vulnerabilities, so you can continue using it to support procurements
Once a technology vendor obtains FIPS 140 validation for their product, they can now sell that product to not only federal agencies, but also all companies in the Defense Industrial Base that are pursuing CMMC contracts
Four Ways Companies Pursuing CMMC 2.0 Certification Benefit from Working with SafeLogic
1. SafeLogic provides you one-stop shopping. As opposed to working with a FIPS 140 consultant AND a FIPS certification lab AND NIST AND possibly open source, operating system or cloud vendors, companies only need to work with SafeLogic. Our FIPS 140 experts handle any necessary interaction with any third party. Your resources can then focus on other aspects of your CMMC initiative.
2. SafeLogic helps you continue meeting your CMMC cryptography requirements as your FIPS 140 requirements change and their needs change. For instance, SafeLogic experts can test new algorithms, test new OEs, etc.
3. Should you need one, RapidCertcan get you a FIPS 140 certificate in your own name in two months. In the FIPS 140 world, vendors with their own CMVP certificates can have a distinct competitive advantage over those relying on an open source or operating system CMVP cert from another vendor.
4. MaintainCertmakes sure your underlying FIPS Validated module remains ‘Active’ using a white glove service model for a fixed cost. If a company relies on an open-source module or something that comes with the OS, and that module goes historical, that will put its CMMC status at risk.
Want to know more about how SafeLogic can help with your CMMC strategy? Speak with one of our FIPS 140 experts!
