The Cybersecurity Maturity Model Certification (CMMC) is the Department of Defense's (DoD) newest verification framework, designed to ensure the protection of Controlled Unclassified Information (CUI) that resides on Defense Industrial Base (DIB) systems and networks. As early as the end of 2020, some new DoD contracts will begin to specify a required CMMC maturity level.
Preparing for Your CMMC Audit
We recognize that CMMC has created a number of questions for you and your team. Am I ready for a CMMC audit? What maturity level does my organization need to pursue? We’ll connect the dots, using what we’ve learned over the past decade to help you move quickly and efficiently through to compliance and beyond. As experienced CMMC compliance consultants, we not only create documentation, but also establish continuous monitoring and build IT infrastructure to maintain your CMMC compliance.
3 Steps You Can Take To Ensure You’re Ready to Meet CMMC Requirements:
- Get a System Security Plan (SSP) and a Plan of Action and Milestones (POA&M) in place.
- Configure your existing environment, or build a new one, to meet NIST SP 800-171 Rev. 2. Many contractors are moving to Office 365 GCC High or other cloud providers to ease this process.
- Begin building budgets for the enhanced support requirements and adjust your rates to reflect the added security costs. Weigh the costs and consider outsourcing security, compliance, and information system management to a Managed Service Provider (MSP).
The Five CMMC Levels Explained
CMMC Version 1.0 outlines five different maturity levels for organizations, which range from maintaining basic cyber hygiene to implementing an advanced cybersecurity program.
Basic Cyber Hygiene
CMMC Level 1. This first level covers basic safeguarding of Federal Contract Information (FCI) using a subset of universally accepted practices, which may be performed in an ad hoc manner. This level has 17 security practices that must be successfully implemented.
Intermediate Cyber Hygiene
CMMC Level 2. At this level, an organization is expected to establish and document standard operating procedures, policies, and strategic plans to guide the implementation of its cybersecurity program. Level 2 is a transitional stage toward Level 3: its practices are drawn largely from NIST SP 800-171 and must be documented, not merely performed. This level includes 55 security practices beyond those of Level 1 (72 in total).
Good Cyber Hygiene
CMMC Level 3. An organization assessed at CMMC Level 3 will have demonstrated good cyber hygiene and effective implementation of controls that cover all 110 security requirements of NIST SP 800-171. Organizations that access or generate CUI should achieve CMMC Level 3. CMMC Level 3 adds 58 practices beyond Level 2 (130 in total) and indicates a basic ability to protect and sustain an organization's assets and CUI; however, a Level 3 organization will still have difficulty defending against advanced persistent threats (APTs).
Proactive Cyber Hygiene
CMMC Level 4. At this level, an organization must implement advanced and sophisticated cybersecurity practices. Processes at this level are periodically reviewed, adequately resourced, and improved across the enterprise. The organization has the capability to adapt its protection and sustainment activities to address the changing tactics, techniques, and procedures (TTPs) used by APTs. This level adds 26 practices beyond the first three levels (156 in total).
Advanced/Progressive Cyber Hygiene
CMMC Level 5. Here, an organization has an advanced or progressive cybersecurity program with a demonstrated ability to optimize its cybersecurity capabilities to repel APTs. For process maturity, a CMMC Level 5 organization is expected to have standardized process implementation across the organization. Processes at this level include continuous improvement across the enterprise and defensive responses performed at machine speed. This level adds 15 practices (171 in total).
Flexible Services for Your CMMC Needs
No matter what level of support your organization needs, we will ensure you are ready for CMMC. Our team of professionals can assist you with a comprehensive suite of services, ranging from a routine assessment to fully implementing all the new CMMC measures.
CMMC Assessment & Gap Analysis
This is your first step in preparing for CMMC compliance. We will perform a traditional CUI assessment covering all 110 controls in NIST SP 800-171 plus the additional 20 practices required at CMMC Level 3 (130 in total).
Depending on your organization's infrastructure, we will complete the compliance assessment onsite or through remote access. Upon completion of the assessment and gap analysis, we will provide a detailed list of all the action items needed to achieve your desired level of compliance. We will also deliver an executive-level briefing addressing significant concerns.
CMMC System Security Plan (Policies & Procedures) Engagement
For organizations with more robust in-house IT knowledge, we will work alongside the IT department to manage the compliance documentation and procedures while it implements the CMMC measures.
The SSP Engagement includes writing and maintaining the CMMC System Security Plan to satisfy the Level 2 and Level 3 process-maturity requirements (ML.2.998 establishing policy, ML.2.999 documenting practices, and ML.3.997 establishing, maintaining, and resourcing a plan). We will write policies for the protection of FCI and CUI across the organization. The SSP Engagement includes quarterly and annual updates.
Assured Defense – Managed Security Support Plan
For organizations in need of a more hands-on approach, we can manage and implement any part or all of your CMMC compliance transition. Our Assured Defense Plan is a menu-style offering in which you decide which services best fit your organization's needs. The Assured Defense Plan provides solutions and drafts a POA&M to track progress. Our team will create and maintain your SSP, policies, and procedures with monthly and quarterly updates to meet the requirements of ML.2.998, ML.2.999, and ML.3.997. In addition, our continuous monitoring includes audit log reviews, vulnerability management, anti-malware and firewall monitoring and management, and web filtering monitoring. As needed, we will implement and configure hardware and software to meet CMMC requirements.
Build Your Path to CMMC Compliance Success
Not sure what CMMC will mean to your organization? Schedule a gap assessment to stay ahead of new requirements and learn more about how our team can help.