Henry Coggill
on 6 June 2025
The Cybersecurity Maturity Model Certification, or CMMC for short, is a security framework for protecting Controlled Unclassified Information (CUI) in non-federal systems and organizations. The CMMC requirements are drawn from NIST SP 800-171 Rev 2 (Levels 1 and 2) and NIST SP 800-172 (Level 3).
The CMMC 2.0 program rule (32 CFR Part 170) was published as a proposed rule on December 26, 2023 and took effect on December 16, 2024. Its purpose is to verify that contractors in the Department of Defense supply chain (the Defense Industrial Base) actually implement the cybersecurity practices they attest to, rather than merely stating that they do.
Whilst many of the controls relate to how organizations conduct their IT operations, there are several specific technology requirements, and Ubuntu Pro includes features which meet these requirements head on.

What are the CMMC maturity levels?
CMMC has three levels, designed to meet increasing levels of security scrutiny:
- Level 1: safeguarding Federal Contract Information (FCI), covering the basic safeguarding requirements of FAR 52.204-21, with an annual self-assessment.
- Level 2: protection of Controlled Unclassified Information (CUI), covering all 110 requirements of NIST SP 800-171 Rev 2. Contracts involving information critical to national security require a triennial assessment by a certified third-party assessment organization (C3PAO); other contracts allow a triennial self-assessment. Both routes require an annual affirmation of continued compliance.
- Level 3: enhanced protection of CUI, adding 24 selected requirements from NIST SP 800-172 on top of Level 2, with triennial government-led assessments by DIBCAC.
Most contractors and industry partners that handle CUI will need Level 2. Whether a given contract permits self-assessment or requires a C3PAO certification is stated in the solicitation, so check it before planning your assessment route.
When will CMMC compliance become a hard requirement?
The program rule has been in effect since December 2024, but CMMC only becomes a contractual obligation once the companion acquisition rule (48 CFR) places it in solicitations, and the DoD is phasing that in over three years, so for many contractors the first affected awards fall in 2026 or later. Working through the controls takes time: depending on their size and agility, organizations may take anywhere from months to years to reach the required maturity. The best course of action is to start planning now in order to remain eligible for contracts and to keep winning business.
How does CMMC compare to NIST SP 800-171?
CMMC Level 2 is built directly on the NIST SP 800-171 security requirements for handling Controlled Unclassified Information, in the same way that FedRAMP builds on NIST SP 800-53, so anyone familiar with these publications will feel at home with the CMMC requirements. NIST SP 800-171 states what must be achieved but leaves the implementation to the organization's discretion. CMMC does not change the controls; what it adds is a fixed assessment regime: each requirement is assessed against the objectives in NIST SP 800-171A, by a defined assessor (self, C3PAO or DIBCAC), at a defined frequency.
5 steps to CMMC compliance
In order to become CMMC compliant, you should be systematic in your approach. Here’s how to proceed:
- Determine your CMMC level: this depends on the type of information you will handle. Level 1 applies when you only handle Federal Contract Information (FCI); Level 2, the most widely used level, applies when you handle CUI; Level 3 is reserved for the highest-priority programs whose CUI is at risk from advanced persistent threats.
- Determine your scope and assets: work out the boundary of the systems that will store, process or transmit the sensitive data, and keep an inventory of the IT assets inside it. The CMMC Level 2 scoping guide defines asset categories (CUI assets, security protection assets, contractor risk managed assets, specialized assets and out-of-scope assets) that determine which assets are assessed and how.
- Perform a gap analysis: work through the control framework and record which controls you currently meet and which need attention, for existing systems as well as future designs. Unmet controls go into a Plan of Action and Milestones (POA&M) with an owner and a deadline.
- Choose the right technology platforms: such as Ubuntu Pro, a subscription for open source security under which Canonical typically patches critical vulnerabilities within 24 hours.
- Complete the assessment your contract requires: a self-assessment, or a C3PAO assessment at Level 2 where the contract demands it, and record the result and the annual affirmation in the Supplier Performance Risk System (SPRS).

How Canonical can support your journey towards CMMC
Patching security vulnerabilities
Ubuntu Pro supports the CMMC requirement to identify, report and correct system flaws in a timely manner (NIST SP 800-171 3.14.1). Since its founding 20 years ago, Canonical has typically released patches for critical vulnerabilities within 24 hours. With Ubuntu Pro, security patching for packages in the Ubuntu main and universe repositories is extended to 10 years per LTS release, and to 12 years with the Legacy Support add-on, so the applications and infrastructure components you deploy from the Ubuntu archive stay within a supported patch window for the life of the system.
FIPS-certified crypto modules
Ubuntu Pro provides FIPS 140-2 and FIPS 140-3 validated cryptographic modules (the kernel, OpenSSL, Libgcrypt, GnuTLS and StrongSwan among them) that you can enable with a single command: pro enable fips-updates installs the validated modules and keeps them security-patched, while pro enable fips installs the exact validated versions and never updates them. These modules replace the standard cryptographic libraries that ship with Ubuntu, which satisfies the requirement to employ FIPS-validated cryptography to protect the confidentiality of CUI (NIST SP 800-171 3.13.11). Applications that link against the system libraries gain FIPS-approved algorithms and ciphers without further certification or modification. Software that bundles its own cryptography (a statically linked OpenSSL, or a language runtime with its own crypto implementation) is not covered by the system modules and must be addressed separately.
System hardening
The DISA STIG (Security Technical Implementation Guide) for Ubuntu is a hardening baseline published by the US Defense Information Systems Agency. It describes how to configure an Ubuntu system by locking down services and restricting unnecessary privileges, and lists several hundred individual configuration settings that turn a generic Ubuntu installation into a hardened one. No baseline makes a system fully secure on its own, but the STIG gives you a defensible, documented configuration for the CMMC requirements on baseline configurations and enforced security settings (NIST SP 800-171 3.4.1 and 3.4.2) and least functionality (3.4.6).
You can simplify STIG hardening with the Ubuntu Security Guide (USG): the usg tool automates auditing and remediation of the individual STIG rules, produces a report of which rules pass and fail that you can keep as assessment evidence, and supports tailoring files so that rules which would break a particular deployment can be excluded or adjusted, with the deviation recorded in the tailoring file rather than applied by hand.
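As an added example (not code from the Canonical post and not part of Ubuntu Pro), the following POSIX shell script ties the three features described above (extended patching, FIPS modules, and STIG hardening with USG) to the commands used to enable and verify them on one host. It assumes an Ubuntu LTS system with sudo and network access, an Ubuntu Pro token in the UBUNTU_PRO_TOKEN environment variable, and that a reboot into the FIPS kernel happens between the fips and verify steps. The CMMC_STEP variable, the function names and the /root/stig-tailoring.xml path are choices made for this example; the pro and usg commands, the fips, fips-updates, esm-infra, esm-apps, livepatch and usg service names and the disa_stig profile are real.

```shell
#!/bin/sh
# Added example, not code from the Canonical post or from Ubuntu Pro itself.
# Enables and verifies the Ubuntu Pro features the text maps to NIST SP 800-171
# controls. Assumptions: an Ubuntu LTS host with sudo, a Pro token in
# $UBUNTU_PRO_TOKEN, and network access. Control numbers are NIST SP 800-171 Rev 2.
set -eu

# 3.14.1 flaw remediation: attach the subscription, extend patching to the
# main and universe repositories (esm-infra/esm-apps) and add kernel Livepatch.
enable_patching() {
    sudo pro attach "$UBUNTU_PRO_TOKEN"
    sudo pro enable esm-infra
    sudo pro enable esm-apps
    sudo pro enable livepatch
    sudo apt-get install -y unattended-upgrades
    # Confirm the ESM pockets appear in the unattended-upgrades origin list, so
    # the extended patches are applied automatically rather than merely available.
    grep -i 'ESM' /etc/apt/apt.conf.d/50unattended-upgrades
}

# 3.13.11 FIPS-validated cryptography: fips-updates keeps the validated modules
# security-patched; plain fips installs the exact validated versions and never
# updates them. A reboot into the FIPS kernel is required afterwards.
enable_fips() {
    sudo pro enable --assume-yes fips-updates
    echo "Reboot now, then run: CMMC_STEP=verify $0"
}

# Verify the running kernel is in FIPS mode. The sysctl path is a parameter
# so the check can be exercised against an ordinary file in a test.
fips_kernel_enabled() {
    f="${1:-/proc/sys/crypto/fips_enabled}"
    [ -r "$f" ] || return 1
    [ "$(cat "$f")" = "1" ]
}

# 3.4.2 enforced security configuration settings: audit and remediate against
# the DISA STIG profile with USG. The tailoring file is generated first so that
# rules which would break this workload can be disabled there, keeping a record
# of the deviation instead of an undocumented manual change.
enable_stig() {
    sudo pro enable usg
    sudo apt-get install -y usg
    tailoring=/root/stig-tailoring.xml
    [ -f "$tailoring" ] || sudo usg generate-tailoring disa_stig "$tailoring"
    sudo usg fix --tailoring-file "$tailoring"
    sudo usg audit --tailoring-file "$tailoring"
    # Audit reports are written under /var/lib/usg/; retain them as evidence.
}

# Post-reboot check: FIPS mode must be on, and pro status lists enabled services.
verify() {
    if fips_kernel_enabled; then
        echo "FIPS kernel: enabled"
    else
        echo "FIPS kernel: NOT enabled (did you reboot into the FIPS kernel?)" >&2
        return 1
    fi
    pro status
}

# Nothing runs unless explicitly requested, so the file can also be sourced for
# its functions. CMMC_STEP=patch|fips|stig|verify selects the action.
case "${CMMC_STEP:-}" in
    patch)  enable_patching ;;
    fips)   enable_fips ;;
    stig)   enable_stig ;;
    verify) verify ;;
    "")     : ;;
    *)      echo "unknown CMMC_STEP: $CMMC_STEP" >&2; exit 2 ;;
esac
```

Run the steps in order (patch, fips, reboot, verify, stig) and keep the USG audit report together with the tailoring file: the report shows which STIG rules pass, and the tailoring file documents why any rule was deliberately excluded, which is exactly what an assessor will ask for.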
Overview
Canonical is a software distributor rather than a service provider, and as such we are not CMMC certified ourselves, but through Ubuntu Pro we provide the tools that enable our customers to meet these specific technology requirements within the baseline controls.
Ubuntu Pro therefore covers the operating-system layer of a CMMC program: CVE patching for the Ubuntu OS and applications across more than 36,000 packages, automated, unattended and restartless (Livepatch) updates, FIPS-validated cryptographic modules, STIG hardening tooling, and the tools to secure and manage your Ubuntu infrastructure, all developed by the publisher of Ubuntu. The remaining controls (policies, training, physical security, incident response and the like) still have to be met by your organization. Learn more about Ubuntu Pro on our explanatory web page.