CYBERSECURITY MATURITY MODEL CERTIFICATION (CMMC)

FOR THE DEPARTMENT OF DEFENSE (DOD)

Department OF Defense Logo — Winter Park, FL — RB Advisory

WHAT IS THE “CMMC”?

The Cybersecurity Maturity Model Certification (CMMC) is an effort by the Department of Defense to define, certify and enforce minimum cybersecurity requirements for organizations that do business with the Department of Defense.

The CMMC reviews and combines various cybersecurity standards and best practices, and maps their controls and processes across several maturity levels that range from basic cyber hygiene to advanced.


For a given CMMC level, the associated controls and processes, when implemented, will reduce risk against a specific set of cyber threats.


The CMMC effort builds upon existing regulation, which is based on trust, by adding a verification component with respect to cybersecurity requirements. The goal is for CMMC to be cost-effective and affordable for small businesses to implement at the lower CMMC levels. The intent is for certified, independent third-party organizations to conduct the assessments and inform risk.

Specific Existing Regulations:


  • 48 Code of Federal Regulations (CFR) 52.204-21
  • Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012
  • NIST SP 800-171 Rev 1
  • NIST SP 800-171B (Draft)
  • United Kingdom's Cyber Essentials
  • Australia's Essential Eight [4,11,12,47]

WHEN WILL THE CMMC FRAMEWORK BE RELEASED?

The CMMC framework will be available in January 2020 to support training requirements. In June 2020, industry should begin to see CMMC requirements appear in Requests for Information. You should not wait until then to begin your compliance efforts.

HOW WILL MY ORGANIZATION BECOME CERTIFIED?

Your organization will coordinate directly with an accredited, independent third-party commercial certification organization to request and schedule your CMMC assessment. Your company will specify the level of certification requested based on its specific business requirements. Your company will be awarded certification at the appropriate CMMC level upon demonstrating the required capabilities and organizational maturity to the satisfaction of the assessor and certifier. You should take steps to become ready and to stay ready; this is an ongoing effort.


RB Advisory's services are designed to help your organization achieve, sustain and maintain a state of readiness for compliance.

BRIEFING ON CMMC

Figure 1. CMMC Model Framework

CMMC Levels

The CMMC model has five defined levels, each with a set of supporting practices and processes, illustrated in Figure 2. Practices range from basic cyber hygiene at Level 1 to proactive and advanced practices at Levels 4 and 5.


In parallel, processes range from being performed at Level 1, to being documented at Level 2, to being optimized across the organization at Level 5.


To meet a specific CMMC level, an organization must meet the practices and processes within that level and below.

Figure 2. CMMC Level Descriptions

Summary of CMMC Levels

  • Level 1
    Technical practices: demonstrate basic cyber hygiene, as required by the Federal Acquisition Regulation (FAR)
    Process maturity: no process maturity required
  • Level 2
    Technical practices: demonstrate intermediate cyber hygiene
    Process maturity: standard operating procedures, policies, and plans are established for all practices
  • Level 3
    Technical practices: demonstrate good cyber hygiene and effective implementation of the NIST SP 800-171 Rev 1 security requirements
    Process maturity: activities are reviewed for adherence to policy and procedures and are adequately resourced
  • Level 4
    Technical practices: demonstrate a substantial and proactive cybersecurity program
    Process maturity: activities are reviewed for effectiveness and management is informed of any issues
  • Level 5
    Technical practices: demonstrate a proven ability to optimize capabilities in an effort to repel advanced persistent threats
    Process maturity: activities are standardized across all applicable organizational units and identified improvements are shared

CMMC Domains

The CMMC model consists of 17 domains. The majority of these CMMC domains originated from the FIPS 200 security-related areas and the NIST SP 800-171 control families. The CMMC model also includes the Asset Management, Recovery, and Situational Awareness domains.


These domains are shown in Figure 3 with the abbreviations used in the model's practice numbering system.

Figure 3. CMMC Model Domains

CMMC Levels and Domains

The approach taken by RBA combines best-practice professional services, automation of repetitive testing, and an array of outsourced and managed services to address the organization's needs in the most comprehensive and cost-effective manner.

SCHEDULE AN APPOINTMENT WITH US