What is CMMC?
Cybersecurity Maturity Model Certification (CMMC) is coming. Businesses that perform work for the federal government are feeling the pressure to comply with standards for safeguarding, handling, and marking Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). The Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) is working with DoD stakeholders, University Affiliated Research Centers (UARCs), Federally Funded Research and Development Centers (FFRDCs), and industry to develop the Cybersecurity Maturity Model Certification (CMMC) to help secure the Defense Supply Chain (DSC). Under this model, companies are evaluated on the maturity of their cybersecurity practices and processes. The CMMC-AB has developed the “Ecosystem” to outline the various organizations and components involved.
The CMMC-AB is responsible for overseeing the training and certification of assessors and C3PAO organizations. All DIB organizations will need to be certified at a level equal to or greater than the level required by their contract.
Are you ready? Do you know what is required of your organization, whether you are a 3-person shop or a 3,000-person shop? The Maturity Level certification is a Pass/Fail assessment, which means you need to meet 100% of all practice areas.
There are 3 levels of maturity at which an organization may obtain a certification:
CMMC Level 1: 17 Practices
CMMC Level 2: 110 Practices (Based on NIST SP800-171)
CMMC Level 3: 130 Practices (Level 2 + NIST SP800-172)
Who is conducting CMMC Assessments?
The first Provisional Assessors are trained, Registered Practitioners (RPs) are being designated, and companies are becoming Authorized CMMC Third Party Assessor Organizations (C3PAOs). The CMMC Ecosystem is starting to grow, and preparation is under way for the DoD CMMC requirement that will be replacing the FARS 52.201-21 and DFARS 252.204-7012 clauses. CISEVE is a Candidate C3PAO and has a CMMC-AB trained and certified Provisional Assessor on the team who can provide “prep” services to help you identify your weak areas and the evidence you will need. If you are “ready” for an assessment, we can help you there too: we can conduct your independent assessment. Ethically, however, we are only able to assist with either preparation or assessment, not both.
When is CMMC being Implemented?
The CMMC requirement rollout will be determined by the DoD; at this time the Final Rule has not been published. Until then, the DoD will allow and provide incentives to OSCs that have a Voluntary Assessment conducted before the Final Rule is released.
The DoD DFARS clause 252.204-7021, when added to a contract, will require compliance with the CMMC standard. The certification process evaluates the maturity level of your organization's security program and whether you can properly secure FCI and CUI.