CMMC: Key Information, Definitions & Why CMMC Matters
If you do business with the DoD, NASA, GSA or another state/federal agency, you need to be prepared for the CMMC framework that comes into effect this year. Anyone operating in the DoD supply chain must become certified to showcase that they’re able to protect controlled unclassified information (CUI). If you’re not familiar with CMMC, we’re here to give you the key information and definitions you need.
We know there’s a wealth of information about the CMMC out there and we’re glad you came to us. Advantage Industries has been in the information technology industry for nearly two decades. We’ve worked with organizations and contractors within the DoD supply chain for quite a while and we’ve stayed on top of the CMMC since it was announced back in September 2019. You can trust that we know what we’re talking about.
In fact, you can trust that we can help you become certified because we not only have the knowledge to assist, but we also have three separate partners to help our clients with the entire process:
- Assessment – Handled by a Registered Provider Organization (RPO)
- Remediation – Handled by a Managed Service Provider (MSP)
- Certification – Handled by a Certified Third-Party Assessor Organization (C3PAO)
Now that we’ve introduced ourselves a bit more, let’s go into the key information and definitions that brought you to this page.
What Is CMMC?
CMMC, which stands for Cybersecurity Maturity Model Certification, was announced on September 4, 2019, as a certification and compliance process. The Department of Defense (DoD) developed it to certify that all contractors have the right controls in place to protect federal contract information and controlled unclassified information (CUI). CMMC helps clarify the level of security necessary for various engagements with multiple maturity levels ranging from basic to advanced.
When Does CMMC Take Effect?
The DoD is planning to migrate over to the new CMMC framework this year (2020) – meaning all organizations or contractors that do business with the DoD, NASA, GSA, and any other state or federal agencies must be ready to comply. As of June 2020, CMMC replaces the cybersecurity controls in NIST 800-171.
Why Is CMMC Important?
The Department of Defense (DoD) estimates that the total value of data lost to our adversaries is a staggering $60 BILLION per year. Contractors doing business with the DoD, NASA, GSA, and any other state or federal agencies are at a major risk, especially as cybercrime continues to evolve. Our adversaries are well aware that contractors have access to a ton of sensitive, confidential data.
Although NIST 800-171 and DFARS 252-204-7012 were created to help contractors better secure their information systems, they’re not fool-proof, and for many, they can be difficult to understand. There tends to be a lot of confusion amongst those in the industry because there are various standards that are current. CMMC eliminates this confusion with one unified framework.
How Does CMMC Differ From NIST 800-171 Or Other Requirements?
Good news: many of the controls found in CMMC are the same as NIST 800-171, however, CMMC brings together various compliance processes into one unified framework. You will find aspects of the following:
- NIST 800-171
- NIST 800-53
- ISO 27001
- ISO 27032
- AIA NAS9933
Contractors will likely have to implement some new controls that they don’t already have in place. There are five different levels of certification. Not every contractor needs to attain the highest level. While some do, others may only need to attain level one or two certifications.
What 5 Levels Of Security Requirements Are Outlined In CMMC?
CMMC introduces 5 levels of security requirements starting with the first level, which is fairly restrictive in terms of requirements, all the way to the fifth level, which is much stricter in terms of requirements. Here is a general overview:
- Basic cyber hygiene: The first level requires basic cyber hygiene practices, including anti-virus software, strong passwords, and overall, fairly standard measures.
- Intermediate cyber hygiene: The second level is designed to protect controlled unclassified information, and as such, requires more complex measures:
- Access controls
- Awareness and training
- Identification and authentication
- Configuration management
- Audit and accountability
- Incident response
- Media protection
- Physical protection
- Personnel security
- Security assessment
- Risk assessment
- Systems and communications protections
- Systems and information integrity
- Good cyber hygiene: The third level is based on an extension of the NIST 800-171 r2 standards. There are 47 security controls that must be in place to comply with this level.
- Proactive: The fourth level requires contractors to be proactive when it comes to measuring, detecting, and defending against threats. Some requirements are similar to DFARs while requiring contractors to be prepared to handle advanced persistent threats.
- Advanced/progressive: The fifth and final level includes 30 extra security controls above and beyond level four that must be put in place. They revolve around auditing and management processes as opposed to technical requirements.
How Do Organizations And Contractors Become Compliant With CMMC?
Each organization or contractor should schedule a CMMC assessment with a third-party RPO to review their cybersecurity protocols, processes, and practices. The completion of this assessment will result in a Plan of Action and Milestones (POAM), which can then be handed off to an MSP for remediation. Following remediation and the knowledge that your company is 100% compliant with your target security level, a C3PAO audit can be scheduled with a company separate from your RPO. Upon completion of this C3PAO audit, a level of certification will be given depending on their organizational maturity level. CMMC version 1.0 has been in effect for new RFI’s since June of 2020, as well as RFP’s in September of 2020.
Schedule Your Assessment, Remediation, and Certification
The Department of Defense is clearly serious about cybersecurity – and for good reason. We must take the right precautions to protect our data against adversaries. Advantage Industries has been in the information technology industry for nearly two decades. We’ve worked with organizations and contractors within the DoD supply chain for quite a while and we’ve stayed on top of the CMMC since it was announced back in September 2019.