What Does My Company Need to Do for CMMC and How Do We Achieve Compliance?
Due to the serious nature of cybersecurity threats, the DoD is requiring mandatory certification for contractors in order to secure DoD contracts.
The Cybersecurity Maturity Model Certification (CMMC) is designed to ensure that cybersecurity controls and processes adequately protect Controlled Unclassified Information (CUI) that resides on Defense Industrial Base (DIB) systems and networks. This includes all suppliers at all tiers of the supply chain, small businesses, commercial item contractors and foreign suppliers. CMMC now requires DoD contractors to be certified by an approved Third-Party Assessor.
CMMC Certification Requirements
Minimum certification requirements are now included in select Requests for Proposals (RFPs) and Requests for Information (RFIs).
The DoD has indicated that a prime-level certification requirement may involve different certification levels across the supply chain, resulting in challenges for both prime contractors and subcontractors.
Elements of the CMMC Framework
The CMMC Framework builds on previously established standards, practices and frameworks. The content is organized into a set of domains and divided across five CMMC levels. Level 1 incorporates 17 practices, and each subsequent level requires additional practices. Achieving compliance with Level 5 involves the completion of 171 practices.
CMMC Framework Certification Levels:
| CMMC Level | No. of Practices | Achievement at CMMC Level | Maturity Level Description |
|---|---|---|---|
| 1 | 17 | Basic safeguarding of FCI | |
| 2 | 55 | Transition step to protect CUI | |
| 4 | 26 | Increased protection of CUI | Reviewed |
| 5 | 15 | Reducing risk of Advanced Persistent Threats (APTs) | Optimized |
Each domain incorporates various capabilities examined in the certification process. The 171 practices are distributed within each of the 17 domains across the five CMMC levels, depending on the complexity of the domain and the number of practices assigned.
The 17 domains are listed below:
- Access Control (AC)
- Asset Management (AM)
- Audit and Accountability (AA)
- Awareness and Training (AT)
- Configuration Management (CM)
- Identification and Authentication (IDA)
- Incident Response (IR)
- Maintenance (MA)
- Media Protection (MP)
- Personnel Security (PS)
- Physical Protection (PP)
- Recovery (RE)
- Risk Management (RM)
- Security Assessment (SAS)
- Situational Awareness (SA)
- System and Communications Protections (SCP)
- System and Information Integrity (SII)
Achieving CMMC Compliance
CMMC assessments could have a significant impact on a contractor's ability to meet minimum contract requirements. A low rating could limit a contractor's ability to compete successfully for work.
Understanding the CMMC levels is also valuable to organizations outside the government. The CMMC Framework consolidates best practices and guidance from several existing federal government cybersecurity standards, so IT leaders can gauge the current maturity of their cybersecurity activities by comparing them against the CMMC requirements.
Is My Company Required to Be CMMC Compliant?
If a DIB company does not possess CUI but possesses Federal Contract Information (FCI), the company is required to be certified at CMMC Level 1. Companies that solely produce Commercial-Off-The-Shelf (COTS) products do not require a CMMC certification.
Who Can Access CMMC Certification Results?
CMMC Certification Results are not made public; the only information made available is the fact that the company has obtained a CMMC Certification. The DoD will have access to all DIB Companies’ certification results.
CMMC Certification is Mandatory for DOD Contractors and Subcontractors
Companies should locate a Third-Party Contract Assessor, certified by the DoD, to audit CMMC Compliance. Vestige Digital Investigations is currently working with companies, helping them obtain CMMC Certification with a Pre-Certification Assessment. Begin our THREE-PHASE CMMC PREPARATION PROCESS … and CONTACT US today.
Vestige Views Blog – Part 1 of 2