Cybersecurity Maturity Model Certification (CMMC)

What is CMMC?

The Cybersecurity Maturity Model Certification, or CMMC, is a distinct model meant for Department of Defense (DoD) contractors. It specifies the controls for protecting sensitive data at organizations that work with Federal Contract Information (FCI) and Controlled Unclassified Information (CUI), or that are part of the DoD supply chain.

The CMMC is simpler than earlier systems of data protection, which required contracting authorities to request a System Security Plan and devise a Plan of Action & Milestones in order to adhere to the DFARS (Defense Federal Acquisition Regulation Supplement).

Currently, an appraisal or audit is not available for CMMC.

CMMC Certification Details

CMMC contains 5 maturity levels, ranging from the basic hygiene controls in level 1 to the newest advanced controls in level 5. The higher the level, the more secure the company is. Being at a higher level implies your company is able to handle more work and is therefore eligible for more contracts.

CMMC Levels Explained for You

Level 1: Basic Cyber Hygiene

This level has basic cybersecurity practices that are mainly applicable to small companies, including 35 controls that are a part of all universally accepted practices.

Level 2: Intermediate Cyber Hygiene

This includes all the universally accepted practices for cybersecurity maintenance that need to be documented. This level requires multi-factor authentication to access CUI data, and it adds 115 security controls to those of level 1.

Level 3: Good Cyber Hygiene

Level 3 includes coverage for all controls and cybersecurity practices that are not mentioned in the CUI protection scope. The processes at this level need to be accurately managed and followed, and there are 91 additional controls.

Level 4: Proactive

This includes all advanced and proactive cybersecurity practices that adapt their protection to APTs (Advanced Persistent Threats). The processes at this level need to be reviewed, properly managed with resources, and improved constantly in the contractor company. This level adds another 95 security controls.

Level 5: Advanced/Progressive

As the last and most important level, level 5 incorporates the most advanced, sophisticated practices for optimizing cybersecurity to address all APTs. The processes of contractors that come under this level need to be consistently enhanced. This level has 34 extra security controls over the previous 4 levels.

How CMMC Impacts DoD Contractors

Meeting CMMC will help DoD contractors to verify that their processes have met the required level of cybersecurity. An organization that wishes to hold a contractual agreement with DoD or operate as a sub-contractor on a project of the department needs to comply with CMMC.

CMMC for contractors increases the ability to compete for contracts.

Another useful advantage of CMMC is the removal of ambiguity around security compliance in the DoD sector. This certification verifies a company’s compliance with cybersecurity controls and activities, and its efforts to protect the CUI held on defense industrial base (DIB) devices and networks.
