The DoD has introduced a new cybersecurity framework standard, the Cybersecurity Maturity Model Certification (CMMC), to simplify the requirements placed on Department of Defense (DoD) contractors. This new standard incorporates NIST SP 800-171, Federal Acquisition Regulation (FAR) clause 52.204-21, and more. It replaces NIST SP 800-171 as the requirement cited on DoD RFIs and RFPs.
The Cybersecurity Maturity Model Certification (CMMC) no longer requires government contractors to obtain a third-party certification if they do not handle Controlled Unclassified Information (CUI), which will reduce compliance costs for thousands of contractors.
The updated model, now known as CMMC 2.0, has reduced the number of security tiers from five to three and has also eliminated the CMMC-specific maturity practices that were novel to the original model.
Achieving CMMC certification for your organization can be a daunting and overwhelming job.
Whatever your current cybersecurity posture, a clear path forward begins with an in-depth and impartial review of your organization's cybersecurity. Our CMMC Gap Assessment does precisely that.
A thorough inquiry identifies the discrepancies between your current status and the CMMC requirements for the level you want to achieve.
If you would like to speak to our team to discuss your CMMC consultancy, please contact us through the form below.
The model consists of two parts, each with three maturity levels of certification:
The first part is Processes: whether policies, standards, and procedures exist, ranging in maturity from Performed (Level 1) to Optimized (Level 3).
The second part is Practices: a checklist of cybersecurity controls that ranges from Basic Cyber Hygiene (Level 1) to Advanced/Progressive (Level 3).
The enhanced CMMC 2.0 program retains its original goal of safeguarding sensitive information, while:
The DoD requires organizations to meet both the Processes and the Practices for the level they are trying to achieve. Once a company passes the certification process, it receives a certificate that is valid for three years.
We can help through our Cybersecurity Consulting Service, starting with a CMMC-focused implementation plan today.
Implementing the new standard can take several months, depending on your current cybersecurity status and the level you need to achieve. Implementing the requirements and cybersecurity best practices now will save precious time and put you ahead of the curve and the competition.
Once the final certification standard is released, we will help you make the final adjustments and implementations to ensure you are compliant and ready for the certification audit.
See where you stand and which areas you have to address to achieve compliance.
Receive help in achieving compliance and being ready for the audit. To provide a clear implementation path, we are at your side to support you with documentation, advise on and implement proper controls, monitor, and perform a pre-certification audit.
Level 1 is the base level of certification and consists of practices that correspond to essential safeguarding conditions in Federal Acquisition Regulation (FAR) clause 52.204-21. It consists of 17 basic cybersecurity practices such as implementing Identity and Authentication and basic Access Controls. Level 1 is all about protecting Federal Contract Information (FCI), and the DoD requires it for anyone obtaining a DoD contract.
The purpose of Level 2 is to establish a base level of cybersecurity for any organization that handles Controlled Unclassified Information (CUI) and therefore requires a higher level of security than organizations that handle only FCI. Level 2 certification requires documented policies for each of the 17 domains covered by the certification and documented practices for carrying out those policies in each domain. It also requires a more extensive set of security practices, drawn as a subset of the security requirements listed in NIST SP 800-171, adding a total of 55 practices to those listed in Level 1.
At Level 3, the focus is on building out the base security practices instituted in Levels 1 and 2 and expanding the organization's overall security. Level 3 certification requires that the organization establish and maintain a plan documenting how CMMC is implemented. Currently, the practices encompass all of the security requirements in NIST SP 800-171 plus additional practices and standards, for a total of 58 new practices in addition to those listed in Level 2.
If an organization is required to achieve Level 4 certification, the central focus shifts to increasing the effectiveness of its protection of CUI against Advanced Persistent Threats (APTs). Although Level 4 does not add as many new practices as Levels 2 and 3, the practices it lists are more involved and more arduous to execute and manage. CMMC Level 4 requires that an organization review and measure its practices for effectiveness and implement a subset of enhanced security practices from DRAFT NIST SP 800-171B and other security best practices, for a total of 26 additional practices.
CMMC Level 5 requires organizations to standardize and optimize process implementation across the organization. This level centers on protecting CUI from APTs and implements many more high-level security practices. The added practices enhance the depth and posture of the organization's cybersecurity techniques and consist of 15 additional practices above CMMC Level 4.