Security7 Networks has seen a sharp uptick in people requesting immediate support regarding the Department of Defense's Cybersecurity Maturity Model Certification (CMMC).
We felt it would be helpful to put together a brief beginner's guide so that our readers could better understand a new certification that might affect how they operate if they are part of the United States Department of Defense supply chain.
What is CMMC?
CMMC is an auditable security standard designed to help ensure contractors in the DoD's supply chain are limiting exposure to sensitive controlled unclassified information (CUI) by having secure information systems.
The certification was developed in-house by the DoD with input from universities across the country, federally funded research, and direct input from the defense contractor industry.
The first version of that certification was released by the DoD on January 31, 2020. CMMC is currently on version 1.02.
Why was CMMC Implemented?
In the past, independent military contractors had to self-attest to the security of their cybersecurity ecosystem. Unsurprisingly, the DoD realized over time that many contractors were overestimating their cybersecurity posture and that the self-attestation model wasn't working. Consequently, the DoD's cybersecurity posture was only as strong as its weakest supply partner.
What Does CMMC Implementation Entail?
There are five levels of CMMC certification:
- Basic Cyber Hygiene
- Intermediate Cyber Hygiene
- Good Cyber Hygiene
- Proactive Cybersecurity
- Advanced/Progressive Cybersecurity
Except for level 1, each level of certification requires a set number of practices and procedures. The controls implemented can vary greatly from contractor to contractor.
Security control families include:
- Access Control
- Awareness and Training
- Audit and Accountability
- Configuration Management
- Identification and Authentication
- Incident Response
- Media Protection
- Personnel Security
- Physical Protection
- Risk Assessment
- System and Communications Protection
- System and Information Integrity
- And more...
As mentioned above, the previous self-attestation model had failed. As a result, after implementing the required practices and procedures, the contractor must undergo a third-party audit to assess its compliance and gain certification.
Those third-party organizations are referred to as CMMC Third Party Assessment Organizations (C3PAO). These organizations also need to meet several DoD requirements, including the implementation of ISO/IEC 17020.
ONLY authorized and accredited C3PAOs listed on the CMMC-AB Marketplace are able to conduct CMMC assessments. The certificate is valid for up to 3 years after being obtained.
If You're a Defense Contractor, What Steps Should You Take to Achieve CMMC?
The Department of Defense has set up a helpful CMMC FAQ page on their website. It includes some of the information I've shared here as well as more specific information that might be helpful.
There are 26 questions and Security7 suggests reading through them if you're looking for a bit more clarity.
Is Security7 Networks a C3PAO?
No. We are not. But we can help an organization achieve CMMC by partnering with them to implement the practices and procedures necessary to achieve the certification.
If interested you can contact us via our CMMC page here.