What Is CMMC?
A Brief Overview
The Cybersecurity Maturity Model Certification incorporates various cybersecurity standards and "best practices" that are mapped across several maturity levels, ranging from 1 (Basic Cyber Hygiene) to 5 (Advanced), each building on the last.
Each level has associated compliance processes that, when implemented, reduce risk against a specific set of cyber threats.
How Does It Work?
A Two-Entity Approach
Auditors: Independent auditors will conduct evaluations based on the desired CMMC certification level (1-5) and determine if the DoD contractor is compliant.
Department of Defense: The DoD will measure compliance with the DFARS and NIST requirements to ensure contractors are handling sensitive unclassified information properly.
Staying Competitive with Cybersecurity Maturity Model Certification Requirements
The overall goal of CMMC is to be a unified cybersecurity standard for Department of Defense acquisitions, improving the cybersecurity posture of companies and reducing exfiltration of Controlled Unclassified Information from the Defense Industrial Base.
CMMC Level Overview
Level 1:
- Demonstrate basic cyber hygiene, as defined by the Federal Acquisition Regulation (FAR).
Level 2:
- Demonstrate intermediate cyber hygiene.
- Standard operating procedures, policies, and plans established for all practices.
Level 3:
- Demonstrate good cyber hygiene and effective NIST SP 800-171 Rev. 1 Security Requirements.
- All activities are reviewed for adherence to policy and procedure and are adequately resourced.
Level 4:
- Demonstrate a substantial and proactive cybersecurity program.
- All activities are reviewed for effectiveness and management is informed of any issues.
Level 5:
- Demonstrate a proven ability to optimize capabilities in an effort to repel advanced persistent threats.
- All activities are standardized across all applicable organizational units and identified improvements are shared.
Implementation of CMMC in 2020
Who Is Affected and How?
- Teams and Subcontracting: Potential for Stricter Vendor Approval Processes With Larger Firms
- Small Business Vendors and Start-Ups: Potential Barrier For Entry
Risks of Noncompliance
- Pass/Fail Evaluation
- 21 Additional Controls Beyond NIST SP 800-171; No Falling Back on an SSP (System Security Plan) or POA&M (Plan of Action and Milestones).
- Failure Bars You From Work on DoD Contracts.
- A Low Score Limits Your Contract Availability.
- All Primes and Subs MUST Have a CMMC Certification Prior To Contract Award.
What Major Challenges Are There?
- Migration to Office 365 GCC High
- SIEM Solutions
- Backup Solutions
- Managing Non-Supporting Hardware/Software
- Identifying, Categorizing, and Labelling CUI