What is the CMMC (Cybersecurity Maturity Model Certification)?
The CMMC is a new cybersecurity standard for companies that work with the U.S. DoD (Department of Defense) and handle its data. The framework is a tiered certification scheme that lets the DoD assess the cybersecurity readiness of prospective suppliers and subcontractors. It was developed to strengthen protection of the U.S. defense supply chain, and its objective is to standardize cybersecurity controls so that effective measures are in place to protect controlled government information (federal contract information and controlled unclassified information) residing on contractor systems and networks.
- For more details, check out our CMMC info page.
What does the CMMC require?
First, it is important to remember that the CMMC is not yet finalized. The model is created and managed by the DoD, and a PDF of the most recent version is available on the DoD website.
The current version encompasses 171 security practices spread across 5 levels that measure the technical capabilities of a contracting organization. These 171 practices are grouped into 17 capability domains, which cover topics familiar from other IT security frameworks, including access control, incident response, physical protection, and risk management. The levels are cumulative: an organization certified at a given level must implement all practices of that level and of every level below it. From summer 2020, the DoD acquisition process will require companies to demonstrate that they meet the level specified in a contract by implementing that level's practices.
The levels are overlaid with a process maturity model that helps determine the degree of institutionalization achieved. For example, are the practices merely performed (Level 1), or are they also documented (Level 2), managed (Level 3), reviewed (Level 4), and optimized (Level 5)? By measuring process maturity, the DoD hopes to better understand the extent to which the activities are consistently and effectively repeated by the organization, rather than performed once for an audit. The graphic below, courtesy of the Office of the Under Secretary of Defense for Acquisition & Sustainment, the office tasked with developing the CMMC, summarizes the levels:
As a result, the CMMC will require any organization doing business as part of a defense contract or its supply chain to demonstrate implementation of the required security practices and to show that the performance of those practices is managed at an institutional level. Assessment and validation of the implementation will be conducted by certified third-party assessment organizations (C3PAOs), which are accredited by the CMMC Accreditation Body to conduct audits against the CMMC standard. Unlike the self-attestation model used for NIST SP 800-171 under DFARS, CMMC certification depends on an independent assessment.
How do I prepare for a CMMC audit?
The CMMC standard is not yet finalized, so there are currently no accredited organizations able to provide assessment and audit against it. The DoD had indicated that it would provide training and guidance to the CMMC Accreditation Body in early 2020, but that timeline has slipped, in part because of the COVID-19 pandemic. Work in that regard is still ongoing.
However, pre-assessments conducted against either the most current draft of the standard or the similar frameworks used to create the CMMC are both accepted and encouraged, according to the CMMC Accreditation Body. Early drafts of the CMMC "provide good insight for organizations wishing to get ahead of the CMMC compliance process."
The first step is to identify the type of government data your entity handles, either directly or through a business partner such as a prime contractor. The sensitivity of that data and the handling the contract requires determine which CMMC level you must reach: for example, organizations that process controlled unclassified information will be expected to meet at least Level 3, which incorporates all 110 security requirements of NIST SP 800-171.
From there, a gap analysis can be conducted against existing cybersecurity standards such as ISO 27001 or NIST SP 800-171. Because Level 3 contains the full set of NIST SP 800-171 requirements, an existing 800-171 self-assessment and System Security Plan are a natural starting point, but bear in mind that the CMMC also assesses process maturity, so documented policies, plans, and evidence of repeated performance must be checked as well as the technical controls themselves. Remediation planning can then take place to resolve any gaps in practice coverage or process maturity.
Through our years of experience assisting more than 1,000 organizations with ISO 27001 implementation and certification projects, we know what certification bodies and accreditation boards expect. As a result, we can offer you expert advice on how to prepare for CMMC certification.
Speak with one of our experts today for more information.