C.M.M.C (Cybersecurity Maturity Model Certification)

We can assist your company with CMMC.

What is the CMMC (Cybersecurity Maturity Model Certification)?

The Department of Defense (DoD) has implemented a new program called the Cybersecurity Maturity Model Certification (CMMC). The CMMC program will serve as a framework for the enforcement of the department’s existing Defense Federal Acquisition Regulation Supplement (DFARS) requirements. Scheduled for implementation in 2020, this program aims to improve the security of CUI (Controlled Unclassified Information) and FCI (Federal Contract Information) by introducing a formal audit compliance process.

To find the latest version of CMMC, go to https://www.acq.osd.mil/cmmc

Highlights of the CMMC

  • Provides a single standard across all DoD contracts starting in 2020-2021.
  • Determines “go/no-go” requirements.
  • Centers on the NIST 800-171 controls.
  • Identifies five levels of data security for contractors to implement reasonable security for their data.
  • Encourages government contract officers to select an appropriate security tier (not everything requires level 5).
  • Simplifies reporting with an automated tool to gather report data.
  • Pinpoints required CMMC levels within RFP sections L & M.
  • Authorizes a non-profit organization and accredited private-sector auditors to oversee the program.
  • Ensures cybersecurity is an “allowable cost” in DoD contracts.

Note: DoD contractors must be certified at a specific security level to qualify to bid on contracts. Contractors who are noncompliant with the required level will not be able to retain DoD contracts.

Under CMMC, a DoD contractor’s cyber maturity level will be certified by independent accredited third-party organizations. The CMMC framework includes five levels.

Cyber Maturity Levels

Levels 1 and 2 are intended to provide basic cybersecurity standards that will include practices such as anti-virus, ad hoc incident response, awareness and training, risk management, and security continuity.

Level 3 will be required of any contractor who actually handles and stores CUI. It will include all NIST SP 800-171 Rev 1 requirements and an Information Security Continuity Plan, and will ensure you are able to communicate threat information to key stakeholders.

Levels 4 and 5 are targeted toward a small subset of the DIB (Defense Industrial Base) sector that supports DoD critical programs and technologies.

In Conclusion

When CMMC is fully implemented, all vendors will be required to be certified before they are qualified to bid on contracts. With the release of CMMC v0.6, businesses can begin working towards compliance and accreditation now.

We can help you prepare for the Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) audits. If you have any questions, please call; we are happy to answer them.