What is CMMC?
The Cybersecurity Maturity Model Certification, or CMMC, is a distinct model meant for Department of Defense (DoD) contractors. It specifies the controls for protecting sensitive data for organizations that work with Federal Contract Information (FCI) and Controlled User Information (CUI), or are a part of the DoD supply chain.
The CMMC is simpler than earlier systems of data protection, which required contracting authorities to request a System Security Plan and devise a Plan of Action & Milestones in order to adhere to the DFARS (Defense Federal Acquisition Regulation Supplement).
Currently, an appraisal or audit is not available for CMMC.
CMMC Certification Details
CMMC contains 5 maturity levels, starting from the basic hygiene controls in level 1 to the newest advanced controls in level 5. The higher the level, the more secure the company is. Being at a higher level implies your company is able to handle more work, and therefore, is eligible for more contracts.
Level 1: Basic Cyber Hygiene
This level has basic cybersecurity practices that are mainly applicable to small companies, including 35 controls that are a part of all universally accepted practices.
Level 2: Intermediate Cyber Hygiene
This includes all the universally accepted practices for cybersecurity maintenance that need to be documented. This level will require multi-factor authentication to access CUI data, and it adds 115 security controls to those of level 1.
Level 3: Good Cyber Hygiene
Level 3 includes coverage for all controls and cybersecurity practices that are not mentioned in the CUI protection scope. The processes at this level need to be accurately managed and followed, and there are 91 additional controls.
Level 4: Proactive
This includes all advanced and proactive cybersecurity practices that adapt their protection to Advanced Persistent Threats (APTs). The processes at this level need to be reviewed, properly managed with resources, and improved constantly in the contractor company. This level adds another 95 security controls.
Level 5: Advanced/Progressive
As the last and most important level, level 5 incorporates the most advanced, sophisticated practices for optimizing cybersecurity to address all APTs. The processes of contractors that come under this level need to be consistently enhanced. This level has 34 extra security controls over the previous 4 levels.
How CMMC Impacts DoD Contractors
Meeting CMMC will help DoD contractors to verify that their processes have met the required level of cybersecurity. An organization that wishes to hold a contractual agreement with DoD or operate as a sub-contractor on a project of the department needs to comply with CMMC.
For contractors, CMMC increases the ability to compete for contracts.
Another useful advantage of CMMC is the removal of ambiguity around security compliance in the DoD sector. This certification verifies a company’s compliance with cybersecurity controls and activities, and its efforts to protect the CUI maintained on defense industrial base (DIB) devices and networks.