Mastering CMMC: Your Essential Guide to Cybersecurity Maturity Model Certification
The Department of Defense (DoD) introduced the Cybersecurity Maturity Model Certification (CMMC) to raise the cybersecurity baseline across the defense supply chain and to address the slow, self-attested adoption of its predecessor requirement, the Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012, which requires contractors to implement NIST SP 800-171. Unlike DFARS self-attestation, CMMC requires an independent assessment. This guide will help you understand and prepare for CMMC certification.
Key Areas Covered in the CMMC
The CMMC draws most of its practices from the NIST SP 800-171 framework, supplemented by additional practices specific to the DoD. Its domains include, among others:
- Access Control: Managing who has access to your systems and data.
- Awareness and Training: Ensuring employees are well-versed in cybersecurity best practices.
- Auditing and Accountability: Keeping track of actions taken on systems to ensure accountability.
- Configuration Management: Maintaining systems in a secure and consistent state.
- Identification and Authentication: Verifying the identity of users and devices.
- Incident Response: Preparing for, detecting, analyzing, containing, and reporting cybersecurity incidents.
- Maintenance: Performing and controlling system maintenance, including maintenance tools, remote maintenance sessions, and the personnel who carry them out.
- Media Protection: Safeguarding physical and digital media.
- Personnel Security: Ensuring that personnel with access to sensitive information are trustworthy.
- Physical Security: Protecting physical assets from unauthorized access.
- Risk Assessments: Identifying, evaluating, and managing risks to your systems and data.
- Security Assessments: Regularly assessing the effectiveness of your security measures.
- System and Information Integrity: Identifying and correcting system flaws, protecting against malicious code, and monitoring systems and communications for attacks and indicators of compromise.
CMMC Maturity Levels
CMMC 1.0 defines five maturity levels, each cumulative with the levels below it (practice counts are per the CMMC 1.0 model; "new" means practices not drawn from NIST SP 800-171):
- Level 1 – Basic Cyber Hygiene (17 practices): the 17 basic safeguarding requirements of FAR 52.204-21, which are also in NIST SP 800-171 Rev 1.
- Level 2 – Intermediate Cyber Hygiene (72 practices): an additional 48 controls from NIST SP 800-171 Rev 1 plus 7 new practices.
- Level 3 – Good Cyber Hygiene (130 practices): the final 45 controls from NIST SP 800-171 Rev 1 plus 13 new practices, so Level 3 covers all 110 requirements of NIST SP 800-171 plus 20 DoD-specific practices.
- Level 4 – Proactive (156 practices): 26 additional practices, drawn partly from draft NIST SP 800-171B and partly new.
- Level 5 – Advanced/Progressive (171 practices): 15 additional practices, again drawn partly from draft NIST SP 800-171B and partly new.
Note that these are the CMMC 1.0 levels. The DoD's CMMC 2.0 revision, announced in November 2021, collapsed the model to three levels and dropped the Level 2 and Level 4 transition tiers, so check the current model before scoping an assessment.
Important Dates for CMMC
Here are some key dates to keep in mind for CMMC compliance:
- January 2020: Release of official CMMC Levels and requirements, along with training materials for the CMMC Accreditation Board.
- February-May 2020: Training of the initial round of assessors.
- June-September 2020: Commencement of the initial round of audits for select DoD Programs/RFIs.
- October 2020 and beyond: DoD contractors need to be certified by an accredited assessor or CMMC Third Party Assessment Organization (C3PAO) to bid on new work that carries a CMMC requirement.
Note: The COVID-19 pandemic has delayed many of these CMMC rollout milestones. New information will be published as it becomes available.
Steps to Prepare for CMMC
To prepare for CMMC certification, follow these steps:
- Assess Your Operations: Evaluate your compliance with the NIST 800-171 standard, which forms the basis of the CMMC.
- Create a System Security Plan (SSP): Document the system boundary and your current protective measures for Controlled Unclassified Information (CUI), requirement by requirement.
- Document Remediation Plans: Record each unmet NIST SP 800-171 requirement in a Plan of Action and Milestones (POA&M), with an owner, a target date, and the interim mitigation in place.
- Execute Remediation Plans: Work with consulting organizations or Managed Services Providers to address cybersecurity gaps efficiently.
- Document Processes: Maintain artifacts or evidence to prove compliance during audits.
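The assessment, POA&M and evidence steps above are easier to keep honest when the self-assessment results live in a structured file rather than a spreadsheet. The following is an added example (not code from the page or from the DoD) that turns per-requirement findings into a POA&M ordered by score impact, flags POA&M rows that lack an owner or due date, and lists requirements marked implemented but with no evidence artifact. The scoring follows the DoD's NIST SP 800-171 Assessment Methodology in shape (start at 110, subtract 1, 3 or 5 points per unmet requirement), but the requirement list, the per-requirement weights and all findings below are constructed for illustration; take the real weights from the DoD methodology tables.

```python
"""Gap-assessment helper: findings -> POA&M, evidence gaps, SPRS-style score.

Added example; the requirement subset, weights and findings are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field

MAX_SCORE = 110  # DoD Assessment Methodology starts every assessment at 110
VALID_STATUSES = {"implemented", "partial", "not_implemented"}


@dataclass
class Requirement:
    rid: str      # NIST SP 800-171 requirement id, e.g. "3.1.1"
    family: str   # control family (AC, AU, IA, SI, ...)
    text: str
    weight: int   # points deducted when unmet (1, 3 or 5); illustrative here


@dataclass
class Finding:
    rid: str
    status: str                              # one of VALID_STATUSES
    evidence: list[str] = field(default_factory=list)  # artifacts for the audit
    owner: str = ""                          # who remediates (POA&M field)
    due: str = ""                            # target date (POA&M field)


# Constructed sample: five of the 110 requirements with assumed weights.
REQUIREMENTS = [
    Requirement("3.1.1", "AC", "Limit system access to authorized users", 5),
    Requirement("3.1.20", "AC", "Verify and control connections to external systems", 1),
    Requirement("3.3.2", "AU", "Ensure actions of users can be traced to them", 3),
    Requirement("3.5.3", "IA", "Use MFA for privileged and network access", 5),
    Requirement("3.14.1", "SI", "Identify, report and correct system flaws", 5),
]

# Constructed self-assessment results. 3.1.20 is deliberately missing to show
# how an unassessed requirement is handled.
FINDINGS = [
    Finding("3.1.1", "implemented", ["ad-group-export-2020-03.csv"], "IT", ""),
    Finding("3.3.2", "implemented"),                     # claimed, no artifact
    Finding("3.5.3", "partial", ["mfa-vpn-only.png"], "IT", "2020-09-30"),
    Finding("3.14.1", "not_implemented"),                # no owner, no date
]


def _index(findings: list[Finding]) -> dict[str, Finding]:
    """Map requirement id -> finding, rejecting unknown status values early."""
    for f in findings:
        if f.status not in VALID_STATUSES:
            raise ValueError(f"{f.rid}: unknown status {f.status!r}")
    return {f.rid: f for f in findings}


def score(requirements: list[Requirement], findings: list[Finding]) -> int:
    """110 minus the weight of every requirement not fully implemented.

    'partial' and 'not assessed' both count as unmet; the methodology's
    partial-credit exceptions (e.g. for MFA) are not modelled here.
    """
    by_id = _index(findings)
    total = MAX_SCORE
    for r in requirements:
        f = by_id.get(r.rid)
        if f is None or f.status != "implemented":
            total -= r.weight
    return total


def build_poam(requirements: list[Requirement], findings: list[Finding]):
    """Return (poam_rows, evidence_gaps).

    poam_rows: one dict per unmet requirement, highest weight first, with
    'incomplete' set when owner or due date is missing.
    evidence_gaps: ids claimed implemented but with no evidence artifact.
    """
    by_id = _index(findings)
    poam, evidence_gaps = [], []
    for r in requirements:
        f = by_id.get(r.rid)
        if f is None:
            poam.append({"rid": r.rid, "family": r.family, "status": "not_assessed",
                         "weight": r.weight, "owner": "", "due": "", "incomplete": True})
        elif f.status != "implemented":
            poam.append({"rid": r.rid, "family": r.family, "status": f.status,
                         "weight": r.weight, "owner": f.owner, "due": f.due,
                         "incomplete": not (f.owner and f.due)})
        elif not f.evidence:
            evidence_gaps.append(r.rid)
    poam.sort(key=lambda row: -row["weight"])  # stable: ties keep 800-171 order
    return poam, evidence_gaps


def assess(requirements=REQUIREMENTS, findings=FINDINGS) -> dict:
    """Bundle score, POA&M and evidence gaps into one report."""
    poam, gaps = build_poam(requirements, findings)
    return {"score": score(requirements, findings), "poam": poam, "evidence_gaps": gaps}


if __name__ == "__main__":
    report = assess()
    print(f"Score: {report['score']}/{MAX_SCORE}")
    for row in report["poam"]:
        flag = "  <-- needs owner/due date" if row["incomplete"] else ""
        print(f"POA&M {row['rid']} ({row['family']}) {row['status']} -{row['weight']}{flag}")
    print("Implemented but no evidence:", ", ".join(report["evidence_gaps"]) or "none")
```

Run it as-is to see the constructed sample produce a score of 99, three POA&M rows (3.5.3, 3.14.1, 3.1.20), two of them flagged as incomplete, and 3.3.2 listed as implemented without evidence. Treating an unassessed requirement as unmet, rather than silently skipping it, is the important design choice: a gap you never looked at is still a gap on assessment day.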
For more information, visit the official CMMC website.