What is CMMC
The Cybersecurity Maturity Model Certification (CMMC) is a major Department of Defense (DoD) program built to protect the defense industrial base (DIB) from increasingly frequent and complex cyber attacks. It particularly aims to enhance the protection of controlled unclassified information (CUI) and federal contract information (FCI) shared within the DIB.
CMMC builds on existing trust-based regulations (DFARS 252.204-7012) by adding a verification component for cybersecurity requirements.
DoD’s Office of the Under Secretary of Defense for Acquisition & Sustainment [OUSD(A&S)] developed the CMMC Framework, working with DoD stakeholders, University Affiliated Research Centers (UARCs), Federally Funded Research and Development Centers (FFRDC), and industry. The Framework combines various cybersecurity standards and best practices, intended to:
WHO IS SUBJECT TO CMMC?
All DoD prime- and sub-contractors planning to bid on future contracts with with the CMMC DFARS clause will be required to obtain a CMMC certification prior to contract award. Some prime- and sub-contractors accessing, processing or storing FCI (but not CUI) will minimally require a Level 1 attestation. A DoD contract will specify which level of compliance a contractor needs to meet.
CMMC MATURITY LEVELS
The CMMC Framework requires a systematic approach to certification mapped to three organizational maturity levels: Foundational, Advanced, and Expert.
- Level 1 – Foundational. An organization must demonstrate basic cyber hygiene practices, such as ensuring employees change passwords regularly to protect Federal Contract Information (FCI). FCI is “information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government.”
- Level 2 – Advanced. An organization must have an institutionalized management plan to implement good cyber hygiene practices to safeguard CUI, including all the NIST 800-171 r2 security requirements and processes
- Level 3 – Expert. An organization must have standardized and optimized processes in place and additional enhanced practices that detect and respond to changing tactics, techniques and procedures (TTPs) of advanced persistent threats (APTs). An APT is as an adversary that possesses sophisticated levels of cyber expertise and significant resources to conduct attacks from multiple vectors. Capabilities include having resources to monitor, scan, and process data forensics.
Develop and implement sustainable CMMC security strategies that:
- Help our customers to implement and enforce NIST 800-53, NIST 800-171, DFARs, and CMMC requirements.
- Participate in the development, review and de-confliction of customer information system security policy and standards, including writing guidelines, standards, procedures, and other technical documentation (technical roadmaps, project plans, etc.).
- Support the development and maintenance of system asset lists; hardware, and software baselines.
- Provide detailed security-related reports including data, analyses, and conclusions upon completion of tests, scans, and assessments, including mitigations and, if indicated, appropriate escalation of identified risks and vulnerabilities.
- Verify and document the implementation of security controls necessary to achieve compliance.
- Keep management apprised of impending areas of concern, verbally and in writing.
- Convey project/task material to individuals, small and large groups.
- Review and develop System Security Plans (SSPs), Plans of Actions and Milestones (POA&Ms), and as well as necessary artifacts.
- Facilitate the Plan of Actions and Milestones (POA&M) program to ensure customer systems have accurately and fully provided information for POA&M activities to include valid remediation of findings.