Cybersecurity Maturity Model Certification

Explaining Cybersecurity Maturity Model Certification in Plain Language

Many businesses or companies looking to work with the Department of Defense (DoD) are now required to be CMMC compliant. Although this is the case, more government agencies outside the DoD are also joining the pool by requiring contractors to obtain CMMC compliance.

The CMMC heavily borrows from NIST and seeks to protect any DoD data categorized as Controlled Unclassified Information (CUI) and/or FCI (Federal Contract Information).

Although CMMC 1.0 has been in application since 2020, the launch of CMMC 2.0 in November 2021 opens another door of compliance requirements.

CMMC 2.0 at Glance

CMMC version 1 placed a weighty burden on organizations seeking compliance and was more complicated. With CMMC 2.0, the framework has updated processes to make assessment and compliance easy. The core of the framework includes:

• Streamlined Model: Instead of 5 maturity levels, organizations now have only 3 maturity levels to comply with, depending on the sensitivity of the information. Also, CMMC 2.0 only focuses on implementing controls of NIST SP 800-171.
• Dependable Assessment: Organizations can now self-assess to demonstrate CMMC level 1 and 2 compliance, and only Level 3 will need Third-Party Assessment Organizations (CP3AOs). Besides, there is an improved accountability requirement on the part of the CP3AOs.
• Smooth Implementation: The model considers companies that may be under specific limited circumstances and allows them to implement Plans of Action and Milestones (POS&Ms) and progressively obtain compliance.

The 3 CMMC Maturity Levels

• CMMC Level 1 (Foundational): Consist of about 17 best cybersecurity practices organizations should implement, primarily for organizations that deal with FCI
• CMMC Level 2 (Advanced): Apart from maintaining recorded policies for all of the level 1 practices, you’ll need to implement an additional 55 controls from NIST SP 800-171 to be CMMC Level 2 compliant.
• CMMC Level 3 (Expert): The organization must demonstrate to the CP3OA that they have implemented advanced cybersecurity practices against APTs (Advanced Persistent Threat) during the assessment to get the certification. These consist of over 100 best practices geared to protect CUI (which are taken from NIST SP 800-171 and NIST SP 800-172).

The Road Towards CMMC 2.0 Compliance

The CMMC will be effective once the federal rule-making process is over, estimated to be about 9-24 months (August 2022 – November 2023). However, you’d want to start preparing by conducting a pre-certification assessment to discover controls you need to implement in your IT environment. This can boost your chances of passing the CP3AO assessment on the first trial, reducing the risk of losing some contracts due to non-compliance. To prepare:

1. Define boundaries in the system where CUI is stored, transmitted, or manipulated. Also, define data sharing policies.
2. Use the DFARs rules to determine your current status with respect to requirements.
3. Conduct cybersecurity risks assessment to uncover loopholes.
4. Create remediation plans and implement missing controls.
5. Frequently assess yourself to ensure good compliance posture until the CMMC 2.0 is implemented.

The bottom line is that whether you’re into DoD contracts or not, CMMC compliance is an integral part of your IT if you need to maintain your systems and avert attacks. You can reach us to get help.