The Cybersecurity Maturity Model Certification (CMMC) is a cybersecurity framework used by the DoD to ensure that controlled unclassified information (CUI) is protected from malicious actors across the defense industrial base (DIB), which includes over 300,000 companies in the supply chain. Prior to the development of the CMMC 1.0 model, DoD contractors and subcontractors relied on self-assessment against various NIST standards, a process that raised growing concerns and could not be trusted. CMMC continues to mature, with the CMMC 2.0 standards in place today, but let’s look at how CMMC started as a foundation for where it is headed.
Who needs to comply with CMMC?
Any entity that plans on doing business with the United States Department of Defense (DoD) in some capacity needs to adhere to current CMMC standards. CMMC certification is a requirement that both prime contractors and subcontractors must attain to do business with the DoD. CMMC measures a contractor's ability to safeguard Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
What was the CMMC 1.0 Model?
The CMMC 1.0 model was based on the best practices, existing at the time, of several cybersecurity standards:
- ISO 27001, ISO 27002
- ISO 27032
- NIST Special Publication (SP) 800-171
- NIST SP 800-172
- NIST SP 800-53
- UK Cyber Essentials
There are 5 processes across 5 levels used to measure the maturity of an organization. To meet a specific level, an organization must attain the practices within that level and within each of the levels before it.
The 5 levels of CMMC:
- Level 1
Basic Cyber Hygiene requires the lowest level of security controls; this tier requires only 17 practices.
- Level 2
Intermediate Cyber Hygiene is the next step up from level 1 and requires 72 practices.
- Level 3
Good Cyber Hygiene is a graduation from levels 1 and 2 and adds an additional 58 practices, making 130 practices altogether for this level of maturity.
- Level 4
Proactive is the fourth level and adds 26 practices to the previous one. This level requires 156 practices.
- Level 5
Advanced/Progressive is the last level of maturity and requires 171 practices.
The CMMC 1.0 model showcased the idea of building your cyber defense in layers. With CMMC 2.0 the model was further refined and updated.
How to get a CMMC certification
The CMMC Accreditation Body (AB) is the accreditation board that works with the DoD and other industry members and is responsible for the certification and accreditation process as well as the training process.
The CMMC-AB recommends that planning for certification start at least 6 months before the anticipated certification date. The first step in the certification process is to understand the requirements, identify the scope, and determine the desired maturity level. After this step, an assessment can be conducted using an RPO (Registered Provider Organization) or a C3PAO (CMMC Third Party Assessment Organization). Findings need to be resolved within 90 days before the CMMC-AB reviews any submitted assessment. Once approved, the certificate is issued for 3 years.
CMMC is a mandate for doing business with the DoD, and it gives an indication of where security practices are headed. In the history of cybersecurity frameworks, there has been a continuous trend in which the best and strongest cybersecurity controls come out of a military mindset; they then spread to the whole government and eventually become the adopted best practice for commercial businesses and industries.
Need Expert Help to attain your CMMC certificate?
As a CMMC Provisional C3PAO and RPO, MindPoint Group’s CMMC assessment and end-to-end cybersecurity delivery capabilities ensure our customers receive thorough guidance available at any required CMMC level. MPG offers strategic services to prepare your organization for CMMC success.
Article authors and contributors: Noelie Vias and Hailey Frazier