Cybersecurity Maturity Model Certification

Cybersecurity remains a significant global concern. Contractors must adopt comprehensive protocols to protect vital information assets as cyber threats evolve. CMMC focuses on protecting Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).

The Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD (A&S)) developed the Cybersecurity Maturity Model Certification (CMMC) framework together with Department of Defense (DoD) stakeholders, University Affiliated Research Centers (UARCs), Federally Funded Research and Development Centers (FFRDCs), and the Defense Industrial Base (DIB) sector.

The CMMC model incorporates the fundamental security practices for FCI specified in Federal Acquisition Regulation (FAR) Clause 52.204-21 and the security requirements for CUI specified in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Revision (Rev) 2, as required by Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012.

DFARS clause 252.204-7012 specifies additional requirements beyond the NIST SP 800-171 security requirements, such as incident reporting.

When implementing the CMMC model, a DIB contractor can achieve a specific CMMC level for its entire enterprise network or for particular segments or enclaves, depending on where the information to be protected is handled and stored.

Types of Unclassified Information within the Supply Chain

Federal Contract Information (FCI):

FCI is information provided by or generated for the Government under contract that is not intended for public release.

Controlled Unclassified Information (CUI):

CUI is information that requires safeguarding or dissemination controls pursuant to and consistent with laws, regulations, and government-wide policies, excluding information that is classified under Executive Order 13526, Classified National Security Information, December 29, 2009, or any predecessor or successor order, or Atomic Energy Act of 1954, as amended.

CMMC Process

Readiness

  • Assess your cybersecurity practices against NIST Special Publication (SP) 800-171 r2
  • Create a System Security Plan (SSP)
  • Create a Plan of Action & Milestones (POA&M)

Remediation

  • Implement the security requirements

Maintenance

  • Maintain compliance

CMMC Levels

CMMC Level 1

Foundational

Level 1 focuses on the protection of FCI and consists of only practices that correspond to the basic safeguarding requirements specified in 48 CFR 52.204-21, commonly referred to as the FAR Clause.

CMMC Level 2

Advanced

Level 2 focuses on the protection of CUI and encompasses the 110 security requirements specified in NIST SP 800-171 r2.

CMMC Level 3

Expert

Level 3 will be based on a subset of the NIST SP 800-172 requirements. Details will be released at a later date.

The CMMC levels and associated sets of practices across domains are cumulative. For an organization to achieve a specific CMMC level, it must also demonstrate achievement of the preceding lower levels. When an organization does not meet its targeted level, it will be certified at the highest level for which it has achieved all applicable practices.

CMMC Domains

The CMMC model consists of 14 domains that align with the families specified in NIST SP 800-171. These domains and their abbreviations are as follows:

  • Access Control (AC)
  • Awareness & Training (AT)
  • Audit & Accountability (AU)
  • Configuration Management (CM)
  • Identification & Authentication (IA)
  • Incident Response (IR)
  • Maintenance (MA)
  • Media Protection (MP)
  • Personnel Security (PS)
  • Physical Protection (PE)
  • Risk Assessment (RA)
  • Security Assessment (CA)
  • System and Communications Protection (SC)
  • System and Information Integrity (SI)

What is the Supplier Performance Risk System (SPRS) score?

The SPRS score measures a contractor's current cybersecurity compliance with NIST SP 800-171. The Department of Defense (DoD) uses the score to gauge the risk of a contractor's cybersecurity posture in protecting sensitive DoD information (CDI/CUI).

What is the difference between Supplier Performance Risk System (SPRS) and CMMC 2.0?

Although both CMMC 2.0 and SPRS use NIST SP 800-171A as their assessment standard, they serve different purposes for defense contractors. DFARS Clause 252.204-7019 requires contractors to assess themselves and report their SPRS score to the government. The purpose of this score is to show the government the contractor's level of compliance; it does not, however, set a standard that must be met.

CMMC 2.0 Level 2 requires a third-party assessor (C3PAO) to verify the contractor's adherence to all 110 controls of NIST SP 800-171 r2. Beginning in 2025, CMMC verification will be a contract requirement for Department of Defense (DoD) contracts.

Why is the CMMC Ecosystem important?

  • By implementing the required cybersecurity practices, contractors can better protect data from cyber threats.
  • It mitigates risk by establishing a baseline security posture that helps ensure contractors are prepared to defend against cyber threats.
  • It strengthens the entire supply chain by requiring all contractors to meet specific cybersecurity standards.
  • It ensures compliance with federal regulations concerning the handling of Controlled Unclassified Information (CUI).
  • It provides a competitive advantage in securing defense contracts.
  • It builds trust between contractors and the DoD by assuring that cybersecurity measures are upheld.

How Do You Integrate CMMC and ISO 27001?

Two critical tools that contractors can leverage to improve their cybersecurity posture are the Cybersecurity Maturity Model Certification (CMMC) and ISO 27001 Information Security Management System (ISMS).

Contractors aspiring to achieve CMMC can solidify their efforts by adopting ISO 27001 practices. Integrating these two standards provides a more comprehensive and resilient approach to evolving cyber threats, strengthens cybersecurity protocols, and helps meet regulatory and legal requirements. This multi-disciplinary approach offers a well-rounded security shield, crucial for standing against the multitude of cyber threats plaguing today's digital ecosystem.

Cybersecurity Maturity Model Certification

We are proudly recognized as a CMMC Registered Practitioner Organization (RPO). This highlights our commitment to providing industry-leading cybersecurity services and assisting organizations in achieving CMMC compliance. We are accredited and trained to assist organizations in navigating the complexities of the CMMC requirements and enhancing their cybersecurity posture.