Cybersecurity Maturity Model Certification (CMMC) is a program that allows the Department of Defense (DoD) to ensure that all companies and subcontractors working with them are practicing sound cybersecurity policies.
It defines five levels of cybersecurity that DoD contractors must meet in order to bid on and carry out projects in order to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) while it is in their possession.
CMMC builds upon the existing frameworks laid out by the National Institute of Standards and Technology and incorporates additional processes and practices from other standards designed to provide a greater level of protection. In addition, it requires that DoD contractors obtain certification from third-party organizations rather than self-certifying.
Who Needs CMMC?
All DoD contractors are required to become CMMC compliant by implementing the relevant cybersecurity standards and passing an audit appropriate to the level that their business requires. It applies to contractors engaging directly with the DoD as well as subcontractors who provide services or products to these contractors.
However, it is important to note that the same levels of CMMC will not be required for every contract. Therefore, it is important to understand which levels your organization needs.
What Are The CMMC Levels?
Outlined below is a brief look at each of the five CMMC compliance levels.
Level 1
This serves as the foundation for the other levels and does not require any documentation. It is aimed at safeguarding FCI that is not intended to be released publicly and is relatively easy for many organizations to achieve.
Level 2
This level requires the organization to be compliant with the requirements of Level 1 in addition to implementing practices and processes that will protect CUI. This is often a transitional step on the way to achieving Level 3 compliance.
Level 3
Level 3 is used to indicate an organization has the basic ability to protect CUI by maintaining activities and reviewing processes and policies, and it involves implementing the final 45 controls in NIST SP 800-171 as well as 13 additional new controls.
Level 4
The greater cybersecurity practices involved in Level 4 give organizations the ability to use security practices that will defend CUI from malicious long-term-effect attacks aimed at mining for sensitive information known as Advanced Persistent Threats (APTs). This adds 15 new controls to the requirements from the first three levels.
Level 5
The highest level of CMMC compliance is focused on protecting CUI from APTs through optimization of cybersecurity capabilities and provides the strongest possible wall against potential attacks.
Achieving CMMC Certification
All organizations need to implement the processes outlined by the CMMC framework for their desired level of certification prior to seeking certification. The process typically entails adopting a cybersecurity plan, obtaining an initial assessment, outlining a plan for reform, and adopting the new policies needed to achieve compliance with the necessary CMMC level.
The first step in reaching your CMMC level is determining the level that you need to obtain and working toward the necessary NIST controls for the level in question.
A DIY preparation and assessment can be carried out by companies with an IT team that understands the requirements, but many organizations prefer to outsource this process to a third party with specific experience in the field.
A Managed Security Service Provider (MSSP) possesses the resources needed to analyze a company’s CMMC needs and current level, in addition to implementing the security processes needed to attain a higher level. They also have advanced tools that can be used to assess compliance readiness and can help organizations develop a plan to address any security gaps they identify.
Here is a closer look at the main steps in the process.
CMMC Readiness Assessment
Many contractors approaching CMMC do not have a baseline that can help them determine how close they are to reaching their desired level. A gap assessment is a third-party readiness assessment that can determine how much work must be done to get there. This will examine the organization’s current cybersecurity practices and identify those systems and processes that do not meet the minimum requirements for a particular level.
A readiness assessment addresses factors such as training procedures, how sensitive information is accessed in a network or system, the safety controls that are in place, the processes for developing and implementing response plans, and the processes and procedures for storing data and implementing security controls and standards.
Remediation Plan
Following the gap assessment, the organization must carry out a remediation plan prior to applying for certification. The contractor’s MSSP provider can identify the risks, determine the costs involved in any remedial steps that are needed, and prioritize activities to ensure timely compliance.
In some cases, minor changes may be needed, while others may require a complete overhaul, particularly if one of the top two levels of compliance is desired.
Get In Touch With The CMMC Compliance Professionals
If your organization needs assistance achieving a higher CMMC level, reach out to the cybersecurity team at Seaglass Technology in New York City for expert advice.