CMMC is a certification that the government will require for every firm that does business with the Department of Defense (DoD). The government announced CMMC during 2019, and it will begin appearing in Requests for Information (RFIs) starting in June 2020. Now is the time to prepare for CMMC.
Levels of certification range from 1 to 5, with 5 being the most sophisticated and advanced. We anticipate that other federal agencies will follow the lead of the DoD, so any organization that does business with the federal government should start this planning process. The standards CMMC recommends are also simply good business practice.
Note that the current draft of the CMMC is v0.7 and is out for public comment. The final version is due to be released this month (January 2020), so stay tuned for updates.
Why is the government doing this?
CMMC is a program to assess and enhance the cybersecurity posture of the U.S. Defense Industrial Base (DIB). The DIB includes all domestic and international firms that perform work for the DoD and for other Federal agencies that support military operations. CMMC sets standards, processes, and a verification mechanism to protect controlled unclassified information (CUI) that resides on the networks of DoD’s industry partners. To do this, CMMC combines various existing standards into one unified set of cybersecurity criteria; these current standards include CFR 52.204-21, DFARS 252.204-7012, NIST SP 800-171, NIST SP 800-53, ISO 27001, ISO 27032 and AIA NAS9933.
Because past programs required only self-attested compliance, they were by nature less stringent. CMMC will instead rely on third party commercial certification organizations (C3PAOs), with a single non-profit entity that will certify those organizations.
CMMC also sets varying cybersecurity maturity levels (1-5) to apply to varying contract needs and vendor size.
So what should you be doing now to prepare?
Our advice is to familiarize yourself with CMMC (CMMC Draft 0.7). First, review the systems that hold Federal Contract Information (FCI) and/or Controlled Unclassified Information (CUI) against the Domains, Capabilities, and Practices defined in the available version of CMMC. This FAQ page is also a good source of information. Finally, fill out the form below and we’ll follow up with more details and ongoing updates about CMMC.
CMMC Model Framework:
- Domains – Key sets of capabilities for cybersecurity
- Capabilities – Achievements to ensure cybersecurity within each domain
- Practices & Processes – Activities required by level to achieve a capability
| Level | Practice focus | Process maturity |
|---|---|---|
| CMMC Level 1 | Basic Cybersecurity | Practices are ad hoc |
| CMMC Level 2 | Universally accepted cybersecurity best practices | Practices are documented |
| CMMC Level 3 | Coverage of all NIST SP 800-171 rev 1 controls | Processes are guided by policy, maintained and followed |
| CMMC Level 4 | Advanced and sophisticated cybersecurity practices | Practices are periodically evaluated and revised |
| CMMC Level 5 | Highly advanced cybersecurity practices | Practices are continuously improved and shared across the enterprise |