By: Kartik Agrawal
May 26, 2020
Cybersecurity Maturity Model Certification (CMMC) Overview
What is CMMC?
CMMC stands for Cybersecurity Maturity Model Certification. The DoD (Department of Defense) introduced the certification in 2020. There are several levels of CMMC certification, ranging from basic cyber hygiene to advanced practices. There is no self-certification for CMMC; an accredited third-party assessor performs the assessment. All companies that do business with the DoD must be certified, and the level a company needs depends on the amount and sensitivity of the CUI (Controlled Unclassified Information) it handles.
The DoD has stated that cybersecurity is its number one business priority right now. Costs are escalating for companies, not only to defend against cyber-attacks in general but also against ransomware, which can be enormously expensive for a company that gets breached. The DoD recognizes that some small and mid-sized companies are more vulnerable to attack yet may hold significant CUI, and that automated, bot-driven attacks are growing rapidly. The DoD, and the government overall, firmly believe that cybersecurity threats will keep rising. Going forward, every RFP/contract the DoD issues will carry an assigned CMMC level, and that level will not depend on the size of the firm. Today the DoD regulates contractor cybersecurity through DFARS (clause 252.204-7012) and NIST SP 800-171.
CMMC draft v0.7 is being reviewed, including the model for accredited third-party assessors. Unlike the current regime, CMMC does not allow open POA&Ms (Plans of Action and Milestones) when going into the bidding process: every required practice must be implemented, not merely planned. Contracts will specify one of five levels. Draft v0.7 has 173 controls (NIST controls supplemented by non-NIST controls), and the set of controls required varies with the level, whereas NIST SP 800-171 is a self-assessment in which POA&Ms are permitted. It remains unclear exactly what each contract will require. The NIST baseline amounts to 143 controls (110 from SP 800-171 plus 33 from SP 800-171B). CMMC is a major effort by the DoD to secure the DIB (Defense Industrial Base).
Where is CMMC now?
The question is, “Where is CMMC now?” The honest answer is that nobody can say precisely; the program is still being stood up. A non-profit organization, the CMMC Accreditation Body (CMMC-AB), has been established to run it. The Accreditation Body is organized into five areas: Training, Infrastructure, Accreditation, Credentialing, and Assessment Operations.
The first thing a contractor can do is close out all of its POA&Ms. Then prepare for a CMMC pre-assessment; NIST SP 800-171 is useful here because a self-assessment against it surfaces the gaps and helps resolve the remaining POA&Ms. The next step is to prepare for the assessment level called out in the RFP. The last step, which sounds simple, is to get organized for the formal CMMC assessment. Many contractors may skip the pre-assessment because they do not understand how it is supposed to be done. So make sure everything is managed, reporting lines are in place, and proper procedures are followed and documented.
The whole idea behind the cybersecurity maturity model is to protect the country’s sensitive information. The DoD has to share unclassified but sensitive data with contractors so they can do the work. CUI is sensitive, and it is more at risk precisely because it is exposed outside DoD networks. All organizations doing business with the government should be certified.