The continuous surge in information theft is a cause for concern for every sector of the digital world, whether corporate, not-for-profit or government. We are experiencing rising threats from multiple entities, from state-sponsored targeted attacks and organized crime groups to individual hackers and insiders. These entities are threatening to access everything from personal data to state-level confidential information. Government bodies are a relentless target of such threats, primarily because of the sensitivity of the data involved.
The US Government is working with the Defense Industrial Base (DIB) sector and the supply chain of the Department of Defense (DoD) to better protect digital assets. Enter the Cybersecurity Maturity Model Certification (CMMC), a mandatory compliance requirement for DoD contractors intended to strengthen and clean up their cybersecurity posture.
At a high level, CMMC is a collection of cybersecurity requirements from multiple existing frameworks including:
As part of the CMMC, contractors are required to take specific measures to protect certain information in a prescribed manner. This information is categorized as:
Federal Contract Information (FCI) is information provided by or generated for the Government under contract that is not intended for public release.
Controlled Unclassified Information (CUI) is information that requires safeguarding or dissemination controls pursuant to and consistent with laws, regulations, and government-wide policies, excluding information that is classified under Executive Order 13526, Classified National Security Information, December 29, 2009, or any predecessor or successor order, or the Atomic Energy Act of 1954, as amended.
The framework is tier-based, with five certification levels that demonstrate a contractor's cybersecurity infrastructure and capability in safeguarding FCI and CUI. Each level is certified based on successful achievement and demonstration of certain processes and practices.
Here is a summary of the processes and practices at each of the five levels:
The CMMC establishes five certification levels that reflect the maturity and reliability of a company’s cybersecurity infrastructure to safeguard sensitive government information on contractors’ information systems. The five levels are tiered and build upon each other’s technical requirements. Each level requires compliance with the lower-level requirements and institutionalization of additional processes to implement specific cybersecurity-based practices.
Below is an overview of the relevant processes and practices of each level:
Level 1: The organization must undertake standard cybersecurity practices to demonstrate "basic cyber hygiene". This level is essentially an entry point for any organization to implement data security measures (regardless of CMMC requirements) in order to be better prepared for the inevitable security threat. Organizations must have measures in place to protect Federal Contract Information (FCI).
Level 2: The organization must implement and document certain data security practices to protect CUI. NIST Special Publication 800-171 Rev. 2 must be followed in order to meet the certification requirements. This is a transition phase from the "basic" cyber hygiene of Level 1 to the "good" cyber hygiene of Level 3.
Level 3: The organization must develop and implement a comprehensive cybersecurity management plan to protect CUI. The security measures at this level are highly recommended, as they require organizations to create and follow a System Security Plan (SSP) that defines the system boundary and identifies the assets and networks that handle CUI data.
Level 4: The organization must document each practice and have processes in place to review and measure the effectiveness of those implemented practices. Additional practices are undertaken to safeguard data against Advanced Persistent Threats (APTs). At this level, adherence is verified through formal assessments.
Level 5: The organization must optimize its processes and standardize strict cybersecurity measures across the organization. It must also implement additional advanced security measures to detect and respond to APTs.
CompCiti has experience helping organizations comply with regulations based on the NIST framework. We can help you with:
Preparation: we help you get ready with an assessment and remediation plan. We perform a pre-certification audit to evaluate your existing security standing and determine what needs to be done to get ready for certification.
Certification: we help you perform the review needed to get certified and work with you throughout the certification process.
Recertification: remember, you need to be reassessed every 3 years to remain certified. We perform certification reviews to help you sustain your certification posture.
CMMC applies to DoD contractors and subcontractors.
The DoD began issuing CMMC-specific information requests in limited numbers in September 2020. All DoD contractors will be required to hold CMMC certification to be considered for any request for proposal starting in 2026.
No, your organization cannot get self-certified.
You will need to be reassessed every 3 years.
The DoD will indicate the level of certification required in any RFPs and RFIs it releases. However, most organizations should strongly consider achieving at least Level 2 or Level 3.