What is the CMMC?
The Cybersecurity Maturity Model Certification (CMMC) is a unified standard for implementing cybersecurity across the defense industrial base (DIB), which comprises many thousands of companies in the DoD supply chain. The CMMC is the next evolution of the DoD’s compliance regime, created in response to significant compromises of sensitive defense information held on contractors’ information systems.
The US Department of Defense (DoD) released the much-anticipated Cybersecurity Maturity Model Certification (CMMC) version 1.0 on January 31, 2020. It was drafted with significant input from University Affiliated Research Centers, Federally Funded Research and Development Centers, and industry.
The CMMC consists of 171 practices (which map largely to the NIST SP 800-171 security requirements already imposed under DFARS) spread across five levels to measure technical capability. The practices are organized into 17 capability domains and 43 capabilities, and 5 processes across the same 5 levels measure process maturity.
How do we become compliant with CMMC?
Companies wishing to pursue CMMC accreditation must engage a CMMC Third Party Assessment Organization (C3PAO). As of the date of this blog, however, the requirements for C3PAOs have not yet been established, so no company has yet obtained CMMC accreditation.
Previously, contractors were responsible for implementing, monitoring and certifying the security of their information technology systems and any sensitive DoD information stored on or transmitted by those systems. Contractors remain responsible for implementing critical cybersecurity requirements, but the CMMC changes this paradigm by requiring third-party assessments of contractors’ compliance with certain mandatory practices, procedures, and capabilities that can adapt to new and evolving cyber threats from adversaries.
DoD contractors should immediately learn the CMMC’s technical requirements and prepare not only for certification, but for long-term cybersecurity agility. Details on how CMMC assessments will be conducted, and how to challenge those assessments, are anticipated soon. DoD contractors that have already started to evaluate their practices, procedures and gaps will be well-positioned, once those details are finalized, to navigate the process and meet the mandatory CMMC contract requirements for upcoming projects.
Why is CMMC important?
The CMMC brings together a number of previously discrete compliance processes into one unified framework. These include NIST SP 800-171, NIST SP 800-53, ISO 27001, ISO 27032, and AIA NAS9933. In addition, it has taken some best practice guidelines from associated compliance procedures such as those contained in FISMA.
CMMC compliance requirements will appear in requests for information (RFIs) in June 2020 and in requests for proposals (RFPs) in September 2020, though it will be a couple of years before the full framework is enforced across all contracts. The first full version of the CMMC framework was published in January 2020, following several draft versions released during 2019.
DoD is planning to migrate to the new CMMC framework in order to assess and enhance the cybersecurity posture of the Defense Industrial Base (DIB). The CMMC is intended to serve as a verification mechanism ensuring that adequate cybersecurity controls and processes are in place to protect controlled unclassified information (CUI) that resides on the networks of the Department’s industry partners.
What do I need to do to pursue CMMC compliance?
Whether you are a commercial company seeking to protect your proprietary information or a Government agency working with sensitive or classified data, our professionals can quickly assess your vulnerabilities using our proven methodologies and recommend mitigation solutions that withstand the scrutiny of DFARS and NIST cyber compliance audits. We have worked with countless customers to understand vulnerabilities in environments where traditional Information Technology networks are converged with Operational Technology (OT) systems, e.g., Industrial Control Systems, never envisioned to be internet-connected. Regardless of your operating environment, we can help you implement GRC best practices that meet the requirements of the emerging Cybersecurity Maturity Model Certification (CMMC) program.