Cybersecurity Maturity Model Certification
Are you currently a contractor or subcontractor with the Department of Defense, or are you looking to be?
If so, you need the Cybersecurity Maturity Model Certification (CMMC).
In an effort to ensure that contractors are protecting sensitive defense information, the DoD released the CMMC framework in January 2020. The CMMC is a unified cybersecurity standard for the defense industrial base, a supply chain of more than 300,000 companies.
This DoD-developed framework includes a certification and compliance process, which is required to bid on new work. In the past, contractors were responsible for implementing, monitoring and self-certifying the security of their own information systems. Now a third-party audit and assessment, performed by an accredited CMMC Third Party Assessment Organization (C3PAO), is required to certify that a company is following the mandatory practices and procedures.

Mission Critical Systems is a Registered Provider Organization (RPO) with the CMMC Accreditation Body and can help you navigate getting, and staying, CMMC certified.
5 Certification Levels
The CMMC encompasses 5 maturity levels that range from Basic Cyber Hygiene to Advanced/Progressive, with each level building on the requirements of the level below it. The certification level required for a company is based on the type of work it performs and the data it stores for the DoD. Once certified, a company's CMMC certificate should be valid for 3 years.

The 5 CMMC levels are:
- Level 1 – Basic Cyber Hygiene – Includes 17 controls covering very basic security such as using antivirus software, regular employee password changes, and employee cybersecurity training. This level is intended to protect Federal Contract Information (FCI).
- Level 2 – Intermediate Cyber Hygiene – Includes 72 controls covering basic and moderate security such as enabling audit trails, enforcing password complexity, routine maintenance for security patches, and documentation of practices to start protecting Controlled Unclassified Information (CUI), meeting some NIST SP 800-171 Rev 2 requirements.
- Level 3 – Good Cyber Hygiene – Includes 130 controls covering basic through advanced security and proactive monitoring. A company must have an institutionalized management plan that includes all the security controls needed to protect CUI and fully meet NIST SP 800-171 Rev 2 requirements.
- Level 4 – Proactive – Includes 156 controls covering basic through advanced security, proactive monitoring, and proactive security management. A company must be proactive in measuring, detecting and defeating threats. It requires that a company can respond to advanced persistent threats (APTs), including their changing tactics, processes and capabilities.
- Level 5 – Advanced/Progressive – Includes 171 controls covering basic through advanced security, proactive monitoring, and advanced security management. A company must be advanced, progressive and state of the art in cybersecurity at this level. This includes additional security controls that allow a company to detect and respond to changing APTs.
How will you know which level of CMMC is required? The DoD will specify the required CMMC level in each RFI and RFP.
Timeline
In January 2020, the first full version of CMMC was released. Much of the rest of the timeline is still developing, but as of now it stands as follows:
- June 2020 – the DoD will start posting CMMC requirements in RFIs
- Sept. 29, 2020 – Interim Rule released for public comment
- Nov. 22, 2020 – Interim Rule comment period ends
- Nov. 30, 2020 – Interim Rule takes effect
- 2021 – Contractors will need to get certified by a C3PAO in order to bid on work