Cybersecurity Maturity Model Certification
CMMC model structure: Cybersecurity maturity across five levels
Source: Office of the Under Secretary of Defense for Acquisition & Sustainment, CMMC Model v1.0 Briefing, January 31, 2020.
The Cybersecurity Maturity Model Certification (CMMC) is a new requirement for existing DoD contractors, replacing the self-attestation model and moving to third-party certification.
The certification will be built on existing requirements such as NIST SP 800-171, NIST SP 800-53, AIA NAS9933, private sector contributions, and input from academia. This new certification is intended to tighten cybersecurity within the defense industrial base. CMMC consists of five levels to measure cybersecurity practices of contractors.
What is CMMC?
CMMC stands for “Cybersecurity Maturity Model Certification”. The CMMC will encompass multiple maturity levels that ranges from “Basic Cybersecurity Hygiene” to “Advanced”. The intent is to identify the required CMMC level in RFP sections L and M and use as a “go / no go decision.”
Why is CMMC being created?
DOD is planning to migrate to the new CMMC framework in order to assess and enhance the cybersecurity posture of the Defense Industrial Base (DIB). The CMMC is intended to serve as a verification mechanism to ensure appropriate levels of cybersecurity controls and processes are adequate and in place to protect controlled unclassified information (CUI) that resides on the Department’s industry partners’ networks.
How can my organization become certified?
Your organization will coordinate directly with an accredited and independent third party commercial certification organization to request and schedule your CMMC assessment. Your company will specify the level of the certification requested based on your company’s specific business requirements. Your company will be awarded certification at the appropriate CMMC level upon demonstrating the appropriate maturity in capabilities and organizational maturity to the satisfaction of the assessor and certifier.
How do I request certification assessment?
We expect that there will be a number of companies providing 3rd party CMMC assessment and certification.
I am a subcontractor on a DoD contract. Do I need to be certified?
Yes, all companies doing business with the Department of Defense will need to obtain CMMC.
How often does my Organization need to be reassessed?
The duration of a certification is still under consideration.
Partner Information Manager (PIM): Reduce risk while simplifying challenges managing and securing complex partner and supplier networks.
ForumPass Defense: Protect documents inside and outside your organization with a secure and intuitive platform.
Exostar PolicyPro: Build and maintain security policies more easily, and in line with NIST 800-171 and CMMC standards.
Source: Exostar, all rights reserved.
Source: Office of the Under Secretary of Defense for Acquisition & Sustainment, CMMC Model v1.0 Briefing, January 31, 2020.
WEBINARS
Understanding CMMC: How it will affect your organization and how to prepare.
Watch the webinar: CMMC is here and the pressure’s on for DoD prime contractors. Find out what the new regulations mean, when and how they affect OEMs, and how to take the guesswork out of compliance planning and implementation.
To download the presentation, click here.
Watch the two-part webinar with industry and government experts.
Watch Part 1: Katie Arrington, chief information officer, Office of the Under Secretary of Defense for Acquisition and Sustainment, discusses CMMC.
Watch Part 2: A panel of CISOs from Lockheed Martin, Raytheon, BAE Systems, and Huntington Ingalls Industries provide a detailed analysis of the CMMC impact on suppliers
Articles
What is CMMC and Why is it Essential?
The Verdict is In: Self-Attestation it Out.
Why security can’t be the Fourth Procurement Pillar
Links
Cybersecurity Maturity Model Certification: Office of the Under Secretary for Acquisition & Sustainment
FAQs
CMMC V.1 brief
CMMC model: Complete framework