Cybersecurity Maturity Model Certification (CMMC)
ATTENTION SUPPLIERS TO THE DoD:
In the near future, suppliers to the Department of Defense (DoD) will be required to obtain CMMC certification.
The CMMC framework consists of maturity processes and cybersecurity practices drawn from several existing standards and is built on FAR 52.204-21 and DFARS 252.204-7012. The CMMC Accreditation Body (CMMC-AB) accredits the Certified Third-Party Assessment Organizations (C3PAOs) that conduct the assessments.
This set of requirements was developed to standardize the protection of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) that is developed, maintained or supported by the Defense Industrial Base (DIB). It is anticipated that DoD Requests for Proposal (RFPs) will specify a required CMMC level as a prerequisite to any new contract award.
The DoD plans to begin rolling out the program in the 4th quarter of 2020 and to continue through FY 2025. Effective January 2026, all new DoD contracts are expected to contain the CMMC requirement.
There are five Levels, each combining a set of practices with a required degree of process maturity. Each Level includes a specific number of practices. The sources of these practices are 48 CFR 52.204-21, NIST SP 800-171 Rev 1, Draft NIST SP 800-171B, and CMMC-specific practices (most practices come from FAR 52.204-21 and NIST SP 800-171). Practices are cumulative: each Level includes all practices of the Levels below it.
- CMMC Level 1 – Basic Safeguarding of Federal Contract Information (FCI). At this level, processes are performed but not necessarily documented. Level 1 focuses on the basic cyber hygiene practices specified in 48 CFR 52.204-21. There are 17 practices from six domains at this level.
- CMMC Level 2 – Unlike Level 1, this level requires that an organization establish and document its practices and policies. As an organization develops more mature capabilities, this level serves as a transitional step between Levels 1 and 3. 55 practices are introduced at this level: 48 from NIST SP 800-171 Rev 1 plus 7 additional practices.
- CMMC Level 3 – At this level, organizations must establish, maintain, and resource a plan demonstrating the management of their cybersecurity activities. Level 3 focuses on the protection of Controlled Unclassified Information (CUI) and covers all 110 requirements of NIST SP 800-171. 58 practices are introduced at this level: 45 from NIST SP 800-171 Rev 1 plus 13 additional practices.
- CMMC Level 4 and CMMC Level 5 – These more advanced levels add practices aimed at reducing the risk from Advanced Persistent Threats (APTs), drawing on Draft NIST SP 800-171B and CMMC-specific practices, and they require that processes be reviewed (Level 4) and continuously optimized (Level 5). Because CMMC is based on the maturity of cybersecurity practices, these levels are attained over time.
It is important to note that to advance to the next level, contractors must have met all criteria, both practices and process maturity, of the previous level.
Perry Johnson Consulting has Information/Cyber Security Consultants to assist in meeting the criteria and preparing an organization for certification.
Following are the suggested implementation steps:
- Select a reputable consultancy partner to guide the certification project
- Perform gap assessment against the intended security level
- CMMC awareness training
- IT asset inventory and classification of assets
- Prepare documentation (context, policies, processes, procedures, work instructions, plans, etc.)
- Perform risk assessment/evaluation/risk treatment
- Selection of practices to treat the identified risks
- Prepare the System Security Plan (SSP)
- Implementation of all processes to the intended level of certification
- Implement monitoring and measurements
- Analysis and evaluation of measurements
- Train internal auditors
- Perform internal audits and capture levels of processes and practices
- Report levels to top management and review for changes
- Selection of a C3PAO accredited by the CMMC Accreditation Body (CMMC-AB)
- Corrective action
- Certification assessment by the selected C3PAO
- Corrective action for any deficiencies identified during the assessment