The Cybersecurity Maturity Model Certification (CMMC) was designed to improve the security posture of the Defense Industrial Base. In developing the framework, Pentagon officials drew from cybersecurity standards from around the world. The UK Cyber Essentials and Australia Cyber Security Centre Essential Eight Maturity Model were referenced, and many of the security controls demanded by CMMC are long-standing cybersecurity best practices. As a result, security professionals will find CMMC familiar in some ways and unique in others. Below, we will examine the similarities and differences between CMMC and other cybersecurity frameworks.
Compare and Contrast: CMMC vs. Other Cybersecurity Frameworks
NIST Special Publications 800 Series
Developed by the National Institute of Standards and Technology, the NIST SP 800 series is a collection of cybersecurity standards used by the US government and contractors. The crown jewel is NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations. Its 18 categories of security controls can be tailored to help organizations mitigate information security risk. NIST SP 800-171 provides a smaller subset of controls specifically for federal contractors.
Many NIST controls, requirements, and guidelines have been pulled directly from the 800 series into the CMMC framework. Organizations already compliant with NIST cybersecurity standards will find themselves at an advantage in pursuing CMMC.
The Pentagon recognizes that by burdening smaller defense contractors with elaborate, expensive security requirements, they risk driving those companies out of business and ultimately, having a less competitive, less diverse acquisition marketplace. While the NIST standards require controls based on assessed risk, CMMC requires different levels of security based on the sensitivity of data handled by the company.
Difficulty and Cost
These depend on which NIST standard is being implemented, market conditions, company size, resource availability, and your starting security posture. However, for an SMB of fewer than 100 employees, limited IT resources, and little in the way of a preexisting security program, full compliance with NIST SP 800-53 will be a considerable undertaking. Considering the costs of audits, remediation, and products or services that may be required to achieve compliance (including, most likely, continuous monitoring), companies should be prepared to spend a minimum of $30,000 and potentially as much as $130,000. NIST SP 800-171, on the other hand, should be both easier and cheaper.
ISO/IEC 27000 Family
Developed by an international consortium for standardization, this family of standards includes the widely recognized ISO/IEC 27001, which describes how to develop a comprehensive information security management system. Other standards cover Risk Management (ISO/IEC 27005), Incident Response (27035), and Governance (27014).
These standards follow the same universal security principles introduced by the NIST SP 800 series: the implementation of a structured security program, a formalized process for examining risk, and the introduction of tailored security controls. Since so much of CMMC derives from the NIST controls, there will naturally be considerable overlap with the ISO/IEC 27000 family as well.
The ISO/IEC 27000 family is designed for use by a wide range of organizations, rather than specifically for government. As such, there are government-specific requirements in CMMC which are entirely absent from this family. For example, NIST requires FIPS-compliant encryption standards, while the ISO/IEC 27000 family does not.
Difficulty and Cost
Whether you’re reading ISO/IEC standards, implementing their guidance, or being certified as compliant, you will be spending money. The standards themselves cost between one and two hundred dollars each, and ISO/IEC 27001 certification audits run approximately $10,000 to $30,000. Implementation and compliance costs vary, but we can roughly estimate between $30,000 and $50,000 for an SMB of fewer than 100 employees. Part of the reason for the lower cost is that this popular private-sector framework requires less niche knowledge than the NIST family.
Payment Card Industry Data Security Standard
PCI was a voluntary collaborative effort from several major credit card companies to align their security standards and provide a minimum baseline of information security for merchants. Achieving PCI compliance should not be challenging for any company with a fairly mature security program: requirements include changing default passwords, encrypting cardholder data, and requiring staff to have a username, password, and need-to-know before gaining access to sensitive data. Worryingly, only “46 percent of companies in Europe and 39 percent of companies in America comply with the PCI DSS.”
With only 12 requirements, PCI could best be compared to CMMC Level 1, which has 17 practices for basic cybersecurity hygiene. Both are a baseline level of cybersecurity that should be achievable for any company dealing with sensitive data.
While PCI compliance requires only a fundamental level of security, CMMC includes five different levels, with the requirements scaling based on the type of data being protected. Taken as a whole, CMMC is far more comprehensive, and followed correctly, will lead to far more robust security.
Difficulty and Cost
With the usual caveats that difficulty and cost depend on a variety of factors (including, for PCI, the number of transactions conducted by the merchant), it’s fair to say that PCI compliance is easier and cheaper than CMMC in most circumstances: potentially only a few thousand dollars for very small businesses.
Center for Internet Security Critical Security Controls
The CIS Controls can be seen as an early precursor to CMMC, in that they were developed to help government and affiliated entities follow cybersecurity best practices. They were designed with a philosophy of ‘offense informs defense,’ and are specifically intended to prevent the most common cyber attacks.
Just as CMMC imposes fewer demands on smaller companies and more stringent demands on larger, better-resourced ones, the CIS Controls are divided into three Implementation Groups. Group 1 is for small firms with limited resources, Group 2 for companies with moderate resources, and Group 3 for more mature organizations with significant resources.
The CIS Controls are written in an explanatory, user-friendly manner. Each control is preceded by an explanation of why it matters, followed by a simple, plain-English description. While many firms will require outside consultant support to achieve CMMC compliance, even small organizations should be able to implement the CIS Controls on their own.
Difficulty and Cost
These will vary depending upon which Implementation Group your organization falls into, but compared with CMMC, the CIS Controls should be simpler and less expensive to implement. The average cost to implement these controls should be a few thousand dollars at most, depending on whether the organization does the work themselves or consults externally.
Health Insurance Portability and Accountability Act
HIPAA is a US federal regulation covering security requirements for handling protected health information (PHI). Like other frameworks, HIPAA introduces administrative, technical, and physical controls to protect the availability, integrity, and confidentiality of data. However, HIPAA also codifies the patient’s right to access and request corrections to their own data. HIPAA was bolstered by the Health Information Technology for Economic and Clinical Health (HITECH) Act, which strengthens penalties and forces breaches to be reported.
Just as CMMC forces the entire DoD supply chain to safeguard Controlled Unclassified Information (CUI), HIPAA mandates hospitals, subcontractors, and business partners to secure and protect PHI. HIPAA, like CMMC, is supported by NIST special publications: NIST SP 800-66 provides detailed guidance to organizations pursuing HIPAA compliance.
Failing a CMMC audit could jeopardize a company’s ability to bid on DoD contracts, but for organizations caught violating HIPAA standards, the penalties are far more severe: in 2018, the mean fine amount was $2.6 million.
Difficulty and Cost
Everything in hospitals seems to be expensive, and security compliance is no exception. For fairly small organizations, expect to invest an average of $10,000 to achieve HIPAA compliance. For larger organizations, you might spend five times that amount. The technical controls are nothing unusual for cybersecurity professionals, but a bigger challenge may be training employees to understand and adhere to your new HIPAA-compliant privacy policies.
General Data Protection Regulation (GDPR) / California Consumer Privacy Act (CCPA)
After the European Union introduced the stringent GDPR privacy law in 2018, the State of California followed suit with its own privacy regulations. GDPR requires companies to design their business processes and information systems with user privacy in mind, demanding that companies only collect data specifically required and consented to by users. Violations can be heavily penalized: the most egregious “…could result in a fine of up to €20 million, or 4% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher.” CCPA lacks the GDPR’s requirement to report breaches within only 72 hours, but has a wider view of what constitutes ‘personal data.’ Like HIPAA, CCPA gives customers the right to view their own data. Fortunately for smaller firms, CCPA is only mandatory for companies with over $25 million in annual revenue.
Just as CMMC is primarily focused on protecting Federal Contract Information (FCI) and CUI, these two privacy regulations are concerned almost exclusively with users’ personal data. Both require policies, procedures, and practices to be implemented in order to defend against threats to protected data.
These regulations, and GDPR in particular, are government legislation and are therefore more vague and flexible than the CMMC. Companies have more leeway in meeting the intent of the law, whereas the CMMC is comparatively rigid and specific.
Difficulty and Cost
One survey reports that 74% of companies spent over $100,000 on GDPR compliance, and 20% spent over $1M. CCPA only became mandatory in January 2020, but one report by the California Department of Finance estimated roughly similar figures: $100,000 for companies with 20-100 employees, $450,000 for those with 100-500 employees, and $2 million or more for large companies with over 500 employees.
If there is one silver lining, it’s that the same cybersecurity controls end up being duplicated in many of the above frameworks. After all, despite being designed for different industries and to protect different types of data, every cybersecurity framework builds upon the same fundamental security concepts. As you work towards compliance with CMMC, you will also be inching closer to compliance with a range of other cybersecurity frameworks.