Cybersecurity Maturity Model Certification (CMMC)
ATTENTION SUPPLIERS TO THE DoD:
In the near future Suppliers to the Department of Defense will be required to seek CMMC.
This set of requirements has been developed to standardize and protect Federal Contract Information (FCI) as well as Controlled Classified Information (CCI) developed, maintained or supported by the Defense Industrial Base (DIB). It is anticipated that RFPs issued by the DoD will include a specific CMMC level as a prerequisite to any new contract awards.
There are five levels of security practices and five maturity levels of processes.
If you are a current DoD supplier, you may have recently been asked to comply with certification to a specific level.
Perry Johnson Consulting has Information/Cyber Security Consultants to assist in meeting the criteria and preparing an organization for certification.
Following are the suggested implementation steps:
- Select a reputable consultancy partner to guide the certification project
- Perform gap assessment against the intended security level
- Conduct CMMC awareness training
- IT asset inventory and classification of assets
- Prepare documentation (Context, Policies, Processes, Procedures, WI, Plans, etc.)
- Perform risk assessment, risk evaluation and risk treatment
- Select practices to address the identified risks
- Prepare system security plan
- Implementation of all processes to the intended level of certification
- Implement monitoring and measurements
- Analysis and evaluation of measurements
- Train internal auditors
- Perform internal audits and capture levels of processes and practices
- Report levels to top management and review for changes
- Select a third-party assessment organization approved by the CMMC Accreditation Body (CMMC AB)
- Corrective action
- Certification audit by the selected third-party assessment organization
- Corrective action for the identified deficiencies, if any