CMMC: You Might Not Realize the Impact on Your Business

Getting Ready for New CMMC Requirements Now

Cybersecurity Maturity Model Certification (CMMC)

The CMMC started within the Department of Defense (DoD) to reduce the theft of sensitive defense information from the supply chain, but it is unlikely to stay there for long. There is interest in amending Sarbanes-Oxley to incorporate CMMC, which would pull the financial sector into scope as well. Don't treat this as just one more burden: the CMMC model is designed to be clearer and easier to implement than the patchwork it replaces, and standardization in security compliance is a win for businesses trying to juggle multiple requirements.

Your First Step is to understand FCI and CUI and how your business interacts with it

Federal Contract Information (FCI) is information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government. It excludes information provided by the Government to the public and simple transactional information, such as that necessary to process payments.

Controlled Unclassified Information (CUI) is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.

The CUI Registry lists the specific categories and subcategories of information that the Executive branch protects, along with the law, regulation, or policy behind each. DoD's CUI Registry can be found at https://www.dodcui.mil/CUI-Registry-New/

The CMMC Program provides assessments at three levels, each incorporating security requirements from existing regulations and guidelines.[1]

Level 1: Basic Safeguarding of FCI

  • Annual self-assessment and annual affirmation of compliance with the 15 security requirements in FAR clause 52.204-21.

Level 2: Broad Protection of CUI

  • Either a self-assessment or a C3PAO (CMMC Third-Party Assessment Organization) assessment every three years, as specified in the solicitation. Which one applies is determined by the type of information processed, stored, or transmitted on the contractor's or subcontractor's information systems.
  • Annual affirmation verifying compliance with the 110 security requirements in NIST SP 800-171 Revision 2.

Level 3: Higher-Level Protection of CUI Against Advanced Persistent Threats

  • Prerequisite: achieve a CMMC Status of Final Level 2 for the in-scope systems.
  • Undergo an assessment every three years by the Defense Contract Management Agency's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
  • Provide an annual affirmation verifying compliance with the 24 identified requirements from NIST SP 800-172.

For details of the assessment and affirmation requirements and the use of POA&Ms, visit About CMMC.

Your Second Step is to understand how prepared your business is to pass the certification

It is best to start by understanding your current state and how it compares to the requirements of the level you are targeting. Where you THINK you stand is often very different from where you actually stand. A POA&M (Plan of Action and Milestones) is not permitted at Level 1. At Levels 2 and 3 a POA&M buys you only a conditional status, and every open item must be closed out within 180 days. You must meet all requirements before you hold a final CMMC Status; there is no "we are working on it."

Next, you will most likely need assistance in preparing

Most companies benefit from partnering with a firm that is well educated in both cybersecurity and compliance. Every IT company seems to claim the same capabilities, whether they have 5 employees or 50. Can that be true? No, but how can you tell?

It is hard to judge the quality of a provider's staff from the outside, although experience and certifications are a good indicator. For cybersecurity and compliance specifically, measure prospective partners against this checklist.

Pre-Audit Partner Checklist

  • Experience in risk assessments mapped to compliance standards.
  • Use of the NIST SP 800-30 guide for conducting those risk assessments.
  • Risk assessments that include internal and external vulnerability scanning.
  • Knowledge of NIST SP 800-171 requirements and CMMC compliance requirements.
  • An IT team experienced in providing security solutions, including SIEM, SOC, and security awareness training.
  • Assessments that examine security controls across the administrative, physical, and technical domains.
  • Deliverables that include a prioritized work plan of risks mapped to specific compliance requirements, with detailed remediation steps.
  • An organized platform for managing risk assessment reports and the work plan.

There is a lot of information out there, including posts like this one. Be sure to go straight to the source, which is what we do: https://dodcio.defense.gov/CMMC/About/

As you may suspect, The AME Group security division provides a broad range of services, including free consultations. Contact Us to engage our security team.

[1] About CMMC, https://dodcio.defense.gov/CMMC/About/