Cybersecurity Maturity Model Certification (CMMC)
Achieve DoD Cybersecurity Compliance
What is the Cybersecurity Maturity Model Certification (CMMC)?
CMMC stands for “Cybersecurity Maturity Model Certification”. The CMMC is a verification mechanism that the U.S. Department of Defense (DoD) will use, starting in mid-2020, to confirm that appropriate cybersecurity controls are in place to protect controlled unclassified information (CUI) residing on systems in the defense industrial base (i.e. DoD contractors). CMMC builds on NIST SP 800-171 rather than replacing it: the 800-171 requirements are carried into the model, but self-attestation through a system security plan (SSP) and plan of action & milestones (POA&M) will no longer suffice to meet DoD contract requirements; implementation will be verified by an independent assessment. The earlier contractors begin working on their cybersecurity program, the more likely they are to achieve a higher maturity level and become eligible for more contracts.
Desired Outcomes can help you achieve a higher cybersecurity maturity level, opening up more contract opportunities for your company.
What is the difference between NIST SP 800-171 & CMMC?
The CMMC draws on existing control standards such as NIST SP 800-171 and ISO 27001 and combines them into one unified cybersecurity standard. It assesses not only whether an organization has implemented its cybersecurity controls, but also the maturity of its cybersecurity practices (how consistently they are performed, documented, managed and reviewed), something a NIST SP 800-171 self-assessment did not measure. Contractors are assigned a maturity level based on the state of their cybersecurity program, with 1 being the lowest rating and 5 the highest.
What are the different CMMC Maturity Levels?
There are five Cybersecurity Maturity Model Certification (CMMC) levels: Level 1 (Basic Cyber Hygiene), Level 2 (Intermediate Cyber Hygiene), Level 3 (Good Cyber Hygiene), Level 4 (Proactive) and Level 5 (Advanced/Progressive). Level 3 is the level at which the NIST SP 800-171 requirements for protecting CUI are covered; Levels 4 and 5 add practices aimed at advanced persistent threats.
Why Maturity Levels are important
A higher maturity level will allow you to bid on more contracts. If you hold a maturity level of 1 or 2, you will not be able to win DoD contracts that require maturity level 3, 4 or 5, significantly limiting your business opportunities.
What cybersecurity control domains does the CMMC cover?
The CMMC covers 18 cybersecurity domains, ranging from access control to personnel security. The domains are very similar to what was required under NIST SP 800-171. A draft of all CMMC controls has been made available by the Department of Defense.
When will the DoD require CMMC & who needs to certify?
Version 1.0 of the CMMC framework is scheduled for release in January 2020, and starting in June 2020 CMMC requirements are expected to appear in DoD requests for information (RFIs). All companies doing business with the DoD will need to be CMMC certified at some level, whether or not they handle CUI.
Cybersecurity is now an "allowable cost"!
Yes, you can now charge costs spent on your cybersecurity program to your contract. Katie Arrington, the special assistant to the Assistant Secretary of Defense for Acquisition for Cyber in the Office of the Under Secretary of Acquisition and Sustainment in DoD, made this bold statement before a roomful of vendors:
“I need you all now to get out your pens and you better write this down and tell your teams: Hear it from Katie Arrington, who got permission to say it from Mr. [Kevin] Fahey [the assistant secretary of Defense for Acquisition in the Office of the Under Secretary of Acquisition and Sustainment], security is an allowable cost. Amen, right?” Arrington said during an acquisition conference sponsored by the Professional Services Council in Arlington, Virginia. “Now what you need to do as industry is help me, help you. I’m not the enemy. I’m literally the one person in government who said, ‘Hi, I’m here to help and I’m legit here to help.’”
How we can help
Desired Outcomes can help you prepare for the new CMMC framework by providing strategic guidance and technical assistance to help you meet DoD requirements.
Every contractor will be assessed by an independent, non-profit-accredited third party that will assign it a cybersecurity maturity level between 1 and 5, with 5 being the highest. The level received will either limit or enhance the contractor's ability to win contracts. For example, a company at maturity level 1 will likely not be eligible as the prime contractor on a fighter jet program, but may be able to produce boot laces; the higher a contractor’s maturity level, the more contract opportunities it has. Achieving a high level requires robust, consistently applied security controls, and we can help you put them in place.