CMMC: Cybersecurity Maturity Model Certification
What is CMMC?
The Cybersecurity Maturity Model Certification (CMMC) is the latest verification method put in place by the Department of Defense (DoD). This certification is the Department's first attempt to set clear requirements for contractors when it comes to cybersecurity. The ultimate goal of the CMMC is to implement an appropriate level of cybersecurity across the supply chain of the defense industrial base (DIB). The DIB supply chain includes more than 300,000 companies, all of which are responsible for protecting unclassified information (CUI) under the CMMC.
The US DoD recognizes that information security is a foundational requirement for the Defense Industrial Base (DIB) supply chain. As such, the US DoD is committed to developing and requiring a consolidated Cybersecurity standard to identify required security practices and controls through the DoD Acquisition process beginning in late 2021. The Cybersecurity Maturity Model Certification standard is in place to increase security measures from malicious cyberactivity and prevent loss of Controlled Unclassified Information (CUI).
CMMC will define 5 levels of cybersecurity readiness, which all US DoD contracts will invoke on the DIB supply chain. It is estimated that over 300,000 DIB contractors will be affected throughout the 5+ year rollout, with most requiring a Level 1 through Level 3 certification. These standards will allow DIB contractors to implement proper cybersecurity protocols and ensure they are as effective and reliable as possible. The standards also establish Relying Party (RP) and Recovery Point Objective (RPO) parameters to establish approved information safety procedures.
CMMC has launched a guide for the path to CMMC-AB certification.
Helps you with
- US DoD Contract Compliance (FAR 52.204-21 & DFARS 252.204-7012)
- Required to Obtain/Renew DoD Contracts
- FCI and CUI Management
- DIB Supply Chain Trust & Integrity
- Cybersecurity Processes and Practices
- Alignment to ISO 27001 Annex A Controls
More about the CMMC standard:
The various levels of CMMC include increasing levels of practices focused on the handling of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). These levels are based on the sensitivity of the information to be protected and the associated range of threats that may be encountered. The processes and practices map to various existing cybersecurity standards and frameworks including ISO 27001 and NIST 800-171.
Five primary levels of CMMC standards address various cyber uses to ensure the appropriate measures are taken for each situation. These levels are as follows:
- Level 1 – Basic Cyber Hygiene (Performed) – 17 practices
- Level 2 – Intermediate Cyber Hygiene (Documented) – 72 practices
- Level 3 – Good Cyber Hygiene (Managed) – 130 practices
- Level 4 – Proactive Cyber Hygiene (Reviewed & Improved) – 156 practices
- Level 5 – Advanced Cyber Hygiene (Optimized) – 171 practices
As with other cybersecurity standards, CMMC is organized into domains:
|Access Control||Asset Management||Audit & Accountability||Awareness & Training||Configuration Management|
|Identification & Authentication||Incident Response||Maintenance||Media Protection||Personnel Security|
|Physical Protection||Recovery||Risk Management||Security Assessment||Situational Awareness|
|System & Communications Protection||System & Information Integrity|
How to Implement CMMC
The CMMC certification system essentially operates with each level's requirements adding to those beneath it. For example, Level 3 would require you to meet Level 1 and 2 requirements and those of Level 3 to receive certification. For each level, you must complete a set of practices and processes. The capabilities domains included are:
- Risk Management (RM)
- Asset Management (AM)
- Incident Response (IR)
- Access Control (AC)
- Maintenance (MA)
- System and Communications Protection (SC)
- Security Assessment (CA)
- System and Information Integrity (SI)
- Configuration Management (CM)
- Media Protection (MP)
- Awareness and Training (AT)
- Situational Awareness (SA)
- Audit and Accountability (AU)
- Personnel Security (PS)
- Recovery (RE)
- Physical Protection (PE)
- Identification and Authentication (IA)
To help you meet your industry's standards, we can provide gap analysis quotes to identify your current situation and the steps you will need to take to move toward certification.
What are the benefits of certification to the standard?
Meeting CMMC standards is critical to the security of industrial operations, as it ensures industrial base standards across organizations. When you use CMMC standards, you'll be able to move forward and optimize your processes while ensuring data and operational safety. Overall, CMMC certification could improve processes to the extent that it can sizably reduce the approximately one trillion dollars lost to cybercrime each year.
The certification allows for collaborative risk management, enabling contractors across industries to cohesively and systematically decrease cybercrime threats that may affect all of them. Additionally, the five maturity levels CMMC certification outlines allow contractors to implement best practices for their situation, ranging from basic cyber hygiene to progressive levels. These standards ensure that DIB contractors are proactively ready to prevent and handle cybercrime.
Contractors who comply with CMMC requirements will be able to recover more easily if they experience a cyber threat because they will not face a financial penalty. Both the DIB and DoD gain optimized resilience against cybersecurity threats with the CMMC standards in place.
Some of the key technical benefits of meeting CMMC certification standards are as follows:
- Meet DoD Contract Eligibility: CMMC Levels will be specified on US DoD contracts; Contracting organizations will need to have the applicable CMMC certification prior to contract award. Organizations without CMMC certification may be disqualified from contracts requiring certified suppliers.
- Meet Flow-down Requirements: CMMC requirements will apply to all DIB contractors throughout the supply chain. Prime contractors will be required to flow-down cybersecurity requirements included in CMMC. Most DIB subcontractors will need to achieve Level 1 or Level 3 certification depending upon the type and nature of information flowed down from the prime.
- Improve Security Posture: The cybersecurity practices defined within CMMC have been carefully selected from globally-recognized best practices from both the private and public sector. In short, these practices will provide clarity on how organizations of all sizes and shapes can improve their cybersecurity posture via the concise and well-defined requirements.
- “Allowable Costs”: CMMC certification costs have been deemed allowable, reimbursable costs under the FAR rules as reasonable and allocable to the requiring contract. As such, organizations may be able to build-in costs associated with certification, thus subsidizing their over-arching security posture improvements.
- Confidence in a “Trust, But Verify” Methodology: Unlike existing NIST compliance, CMMC will require 3rd Party verification of controls, allowing an organization’s customers to have a great sense of security and providing great value throughout the supply chain. As CMMC flows through the supply chain, all parties will eventually have a common understanding and assurance of where organizations stand in relation to information (and thus supply chain) security.
FAQs About CMMC
Contractors commonly have some questions about how CMMC works, so NQA has compiled an FAQ overview.
Q: How much does CMMC cost?
A: CMMC certification costs will depend on the level of certification. Fees for Level 1 certification will depend on your specific requirements. As the levels progress, costs increase. If you have an idea of your scope of certification, we can provide a quick quote with a rough estimate of what your cost will be.
Q: Who should be certified to CMMC?
A: Anyone who is part of the defense contract supply chain should receive CMMC certification. Not all contractors will need to meet all certification levels, so you must assess what requirements you are responsible for meeting based on your specific situation.
Q: How can I prepare for the CMMC?
A: You can begin by assessing your organization's current compliance with the standards. Then, you can create an actionable plan to complete certification and meet CMMC standards. When you work with NQA, our experts can perform auditing services to evaluate areas for improvement and strengths in your operations. Call our team at 1-800-649-5289 to learn more.
CMMC Resource Toolkit
CMMC Gap Analysis Quote Request Form - USA
What You are Missing About the CMMC
Path to Certification
Need a Consultant?