What is CMMC (Cybersecurity Maturity Model Certification)?
The Cybersecurity Maturity Model Certification (CMMC) is the latest verification method put in place by the Department of Defense (DoD). This certification is the Department's first attempt to set clear requirements for contractors when it comes to cybersecurity. The ultimate goal of the CMMC is to implement an appropriate level of cybersecurity across the supply chain of the defense industrial base (DIB). The DIB supply chain includes more than 300,000 companies, all of which are responsible for protecting unclassified information (CUI) under the CMMC.
The US DoD recognizes that information security is a foundational requirement for the Defense Industrial Base (DIB) supply chain. As such, the US DoD is committed to developing and requiring a consolidated Cybersecurity standard to identify required security practices and controls through the DoD Acquisition process beginning in late 2020.
CMMC will define 5 levels of cybersecurity readiness, which all US DoD contracts will invoke on the DIB supply chain. It is estimated that over 300,000 DIB contractors will be affected throughout the 3 to 5 year roll-out, with most requiring a Level 1 through Level 3 certification.
What Is CMMC?
Helps you with
- US DoD Contract Compliance (FAR 52.204-21 & DFARS 252-204-7012)
- Required to Obtain/Renew DoD Contracts
- FCI and CUI Management
- DIB Supply Chain Trust & Integrity
- Cybersecurity Processes and Practices
- Alignment to ISO 27001 Annex A Controls
More about the CMMC standard:
The various levels of CMMC include increasing levels of practices focused on the handling of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). These levels are based on the sensitivity of the information to be protected and the associated range of threats that may be encountered. The processes and practices come from various existing cybersecurity standards and frameworks including ISO 27001, NIST 800-171, and others.
Level 1 – Basic Cyber Hygiene (Performed) – 17 practices
Level 2 – Intermediate Cyber Hygiene (Documented) – 72 practices
Level 3 – Good Cyber Hygiene (Managed) – 130 practices
Level 4 – Proactive Cyber Hygiene (Reviewed & Improved) – 156 practices
Level 5 – Advanced Cyber Hygiene (Optimized) – 171 practices
As with other cybersecurity standards, CMMC is organized in to domains:
|Access Control||Asset Management||Audit & Accountability||Awareness & Training||Configuration Management|
|Identification & Authentication||Incident Response||Maintenance||Media Protection||Personnel Security|
|Physical Protection||Recovery||Risk Management||Security Assessment||Situational Awareness|
|System & Communications Protection||System & Information Integrity|
What are the benefits of certification to the standard?
Meet DoD Contract Eligibility: CMMC Levels will be specified on US DoD contracts; Contracting organizations will need to have the applicable CMMC certification prior to contract award. Organizations without CMMC certification may be disqualified from contracts requiring certified suppliers.
Meet Flow-down Requirements: CMMC requirements will apply to all DIB contractors throughout the supply chain. Prime contractors will be required to flow-down cybersecurity requirements included in CMMC. Most DIB subcontractors will need to achieve Level 1 or Level 3 certification depending upon the type and nature of information flowed down from the prime.
Improve Security Posture: The cybersecurity practices defined within CMMC have been carefully selected from globally-recognized best practices from both the private and public sector. In short, these practices will provide clarity on how organizations of all sizes and shapes can improve their cybersecurity posture via the concise and well-defined requirements.
“Allowable Costs”: CMMC certification costs have been deemed allowable, reimbursable costs under the FAR rules as reasonable and allocable to the requiring contract. As such, organizations may be able to build-in costs associated with certification, thus subsidizing their over-arching security posture improvements.
Confidence in a “Trust, But Verify” Methodology: Unlike existing NIST compliance, CMMC will require 3rd Party verification of controls, allowing an organization’s customers to have a great sense of security and providing great value throughout the supply chain. As CMMC flows through the supply chain, all parties will eventually have a common understanding and assurance of where organizations stand in relation to information (and thus supply chain) security.