The Cybersecurity Maturity Model Certification (CMMC) is the Department of Defense’s (DoD) newest verification system designed to ensure the protection of Controlled Unclassified Information (CUI) that resides on the Defense Industrial Base (DIBNet) systems and networks. As early as the end of 2020, some new DoD contracts will begin to specify CMMC maturity level requirements.

Preparing for Your CMMC Audit

We recognize that CMMC has created a number of questions for you and your team. Am I ready for a CMMC audit? What maturity level does my organization need to pursue? We’ll connect the dots, using what we’ve learned over the past decade to help you move quickly and efficiently through to compliance and beyond. As experienced CMMC compliance consultants, we not only create documentation, but also establish continuous monitoring and build IT infrastructure to maintain your CMMC compliance.

3 Steps You Can Take To Ensure You’re Ready to Meet CMMC Requirements:

  1. Get a Systems Security Plan (SSP) and a Plan of Action and Milestones (POA&M) in place.
  2. Configure your existing environment or build a new environment to NIST 800-171 r2 compliance. Many contractors are moving to Office 365 GCC High or other cloud providers to ease this process.
  3. Begin building budgets for the enhanced support requirements and modifying rates to include the enhanced security requirements. Weigh the costs and consider outsourcing security, compliance, and information system management with a Managed Service Provider (MSP).

The Five CMMC Levels Explained

CMMC Version 1.0 outlines five different maturity levels for organizations, which range from maintaining basic cyber hygiene to implementing an advanced cybersecurity program.

  1. Basic Cyber Hygiene

    CMMC level 1. This first level includes basic cybersecurity appropriate for organizations utilizing a subset of universally accepted standard practices, at least in an ad hoc manner. This level has 17 security practices that must be successfully implemented.

  2. Intermediate Cyber Hygiene

    CMMC level 2. At this level, an organization is expected to establish and document standard operating procedures, policies, and strategic plans to guide the implementation of its cybersecurity program. Practices at this level are documented, and access to CUI data requires multi-factor authentication. This level includes an additional 55 security practices beyond those of Level 1.

  3. Good Cyber Hygiene

    CMMC level 3. An organization assessed at CMMC Level 3 will have demonstrated good cyber hygiene and effective implementation of controls that meet the security requirements of NIST SP 800-171 Rev 1. Organizations that require access to CUI and/or generate CUI should achieve CMMC Level 3. CMMC Level 3 includes an additional 58 practices and indicates a basic ability to protect and sustain an organization’s assets and CUI; however, at CMMC Level 3, organizations will have challenges defending against advanced persistent threats (APTs).

  4. Proactive Cyber Hygiene

    CMMC level 4. At this level, an organization will need to implement advanced and sophisticated cybersecurity practices. The processes at this level are periodically reviewed, adequately resourced, and improved across the enterprise. The organization has the capability to adapt its protection and sustainment activities to address the changing tactics, techniques, and procedures (TTPs) in use by APTs. This level has an additional 26 practices beyond the first three levels.

  5. Advanced/Progressive Cyber Hygiene

    CMMC level 5. Here, an organization has an advanced or progressive cybersecurity program with a demonstrated ability to optimize its cybersecurity capabilities to repel APTs. For process maturity, a CMMC Level 5 organization is expected to ensure that process implementation has been standardized across the organization. The processes involved at this level include continuous improvement across the enterprise and defensive responses performed at machine speed. This level requires an additional 15 practices.

Flexible Services for Your CMMC Needs

No matter what level of support your organization needs, we will ensure you are ready for CMMC. Our team of professionals can assist you with a comprehensive suite of services, ranging from a routine assessment to fully implementing all the new CMMC measures.

CMMC Assessment & Gap Analysis

CMMC Services

This is your first step in preparing for CMMC compliance. We will perform a traditional CUI assessment covering all 110 controls in NIST SP 800-171 plus the additional 20 practices required for CMMC Level 3 (130 in total).

Depending on your organization’s infrastructure, we will complete the compliance assessment onsite or through remote access. Upon completion of the CMMC assessment and gap analysis, we will provide a detailed list of all the action items needed to achieve your desired level of compliance. Also, we will have an executive-level briefing addressing significant concerns.

Cybersecurity Maturity Model Certification (CMMC) Compliance Services

CMMC System Security Plan (Policies & Procedures) Engagement


For organizations that have more robust IT knowledge, we will work alongside their IT department to manage the compliance paperwork and procedures while they implement the CMMC measures.

The SSP Engagement includes writing and maintaining the CMMC SSP (to meet ML 3.997, ML 2.998, & ML 2.999). We will write policies for the protection of FCI and CUI across the organization. The SSP Engagement will include quarterly and annual updates.

Assured Defense – Managed Security Support Plan


For organizations in need of a more hands-on approach, we can manage and implement any part or all of your CMMC compliance transition. Our Assured Defense Plan is a menu-style offering in which you decide which services work best for your organization’s needs. The Assured Defense Plan provides solutions and drafts a POA&M to track progress. Our team will create and maintain your SSP policies and procedures with monthly and quarterly updates to meet the requirements of ML 2.998, 2.999 & ML 3.997. In addition, our continuous monitoring will include audit reviews, vulnerability management, anti-malware / firewall monitoring and management, and web filtering monitoring. As needed, we will implement and configure hardware and software to meet CMMC compliance.


Build Your Path to CMMC Compliance Success

Not sure what CMMC will mean to your organization? Schedule a gap assessment to stay ahead of new requirements and learn more about how our team can help.

CMMC Resources

CMMC Certification – Tips for Preparation

This is a transcript of the CMMC Certification webinar broadcast on October 7, 2020. This transcript was generated primarily…


What is CMMC?

What is CMMC (Cybersecurity Maturity Model Certification)? The Cybersecurity Maturity Model Certification (CMMC) is the Department of Defense’s (DoD)…


5 Reasons every DoD Contractor Needs A CMMC Assessment

Every year, the Department of Defense spends over 8.5 billion dollars on cybersecurity funding. For many of us, DoD…


4 Steps Your Organization Should Be Taking To Prepare for CMMC

The DoD officially released version 1.0 of its Cybersecurity Maturity Model Certification (CMMC) approach. Now, DoD contractors are running…


Managing CMMC compliance with an MSSP

Key Article Takeaways The Cybersecurity Maturity Model Certification (CMMC) will become the new standard for verifying cybersecurity controls and…


3 Ways Defense Contractors Can Improve Cybersecurity And Compliance

Key Article Takeaways Cybersecurity compliance is vital to successfully bidding on DoD contracts in 2020. CMMC level compliance must…


CMMC – The Train is Rolling. How to Stay Ahead, and Not Get Crushed.

Thad Wellin joined the ThreatSwitch team to talk about CMMC and how to stay ahead of the coming compliance…


CMMC and Protecting the DoD Supply Chain

In less than a year, CMMC requirements will begin appearing in DoD RFIs and RFPs. Combining large organizational impact…


Cybersecurity Maturity Model Certification (CMMC) Version 0.6 – What we know so far

On November 7, 2019, the U.S Department of Defense released for public review the Cybersecurity Maturity Model Certification (CMMC)…


Managing CMMC for Defense Contractors

Hackers are targeting government organizations with increasing frequency, as shown by the U.S. Department of Defense (DoD) data breach…


Meet Thad Wellin, Lead Cybersecurity Analyst & CMMC Lead

Thad Wellin, CISSP, SEC+, Certified Expert RMF Professional (CERP). Lead Cybersecurity Analyst in Tampa, FL. Specializing in RMF, CUI (CMMC). Joined…


About CMMC CUI


Controlled Unclassified Information (CUI) is sensitive, but unclassified, information that the government requires its handlers to keep safe. The handlers of CUI include private defense contractors. CUI was born out of the fact that agencies and services have different ways of managing sensitive unclassified information.

Learn more about CUI in this CMMC Certification Tips Webinar or contact SecureStrux.

There are strict rules concerning dissemination of CUI. CUI requirements are currently outlined only by NIST 800-171. CUI is regulated by the Information Security Oversight Office (ISOO), which, as part of the National Archives, was established in September 2016 by an executive order from President Barack Obama. Commonly, it is contractually obligated through DFARS Clause 252.204-7012. As of October 2020, Executive Order 13556 and 32 CFR, part 2002 designate the National Archives and Records Administration (NARA) as CUI Executive Agent for the CUI Registry. NARA's guidance is binding.

CUI is information that requires safeguarding or dissemination controls consistent with applicable laws, regulations, and government policies. There are two main types of CUI: Basic and Specified. Examples of Basic CUI include Controlled Technical Information (CTI) and International Traffic in Arms Regulations (ITAR) data.

There are currently 24 categories of CUI, 92 sub-categories, and 110 types, all of which are detailed in the CUI Registry. If the government wants to protect data that does not fall into one of those categories or types, it can add another category, sub-category, and type to the CUI Registry.

Some of the data that falls into CUI territory includes:

  • Government financial information
  • Research data
  • Critical infrastructure plans & policies
  • Procurement & government supply information
  • Export control and restriction information
  • …and much more; you can find a complete list on the CUI Registry.

CUI can take the form of digital data, physical documents, representations, images, and items (parts). For example, CUI can be electronic information stored on a PC or a printed document. It can be a part, like a circuit board, or an image of that board. In every case, the proper markings and protections must be in place.

CUI does not include classified information, nor information that is lawfully and publicly available without restriction.