What Is CMMC?
The first official version of the DOD’s CMMC has been published — do you know what’s included, and what it means for your organization?
The first official version of the DOD’s Cybersecurity Maturity Model Certification (CMMC) was released earlier this year.
These new requirements are a part of an ongoing effort to continually provide more accurate and more effective insight into modern cybersecurity best practices for organizations involved with DOD operations.
Do you know what CMMC is? Check out our latest video to discover what it means for you.
What Is CMMC?
CMMC is the DOD’s way of certifying its contractors’ abilities to protect the Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) shared within the supply chain.
This builds upon the requirements set out by the Defense Federal Acquisition Regulation Supplement (DFARS), the Code of Federal Regulations (CFR) and National Institute of Standards and Technology (NIST) guidelines (namely, NIST SP 800-171).
The DOD relies on external contractors and suppliers like you to carry out a wide range of tasks. Sensitive data that is shared with you must be protected. The fact is that inadequate safeguards for this sensitive data may threaten America’s National Security and put our military members at risk.
The DOD has implemented a basic set of cybersecurity controls through DOD policies and DFARS. These rules and clauses apply to the safeguarding of contractor and supplier information systems that process, store or transmit Controlled Unclassified Information (CUI). These security controls must be implemented at both the contractor and subcontractor levels, based on the information security guidance developed by the National Institute of Standards and Technology in NIST Special Publication 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations”.
As a U.S. DOD contractor who collects, stores, or transmits Covered Defense Information (CDI) or CUI, you must comply with NIST SP 800-171 and DFARS 252.204-7012. Your subcontractors must comply as well and be able to maintain compliance.
If you don’t, you can’t bid on DOD contracts, and you may lose the ones you have. CMMC is the DOD’s way of giving contractors like you a method for verifying that the appropriate measures have been put in place.
What Cybersecurity Requirement Levels Are Included In CMMC?
CMMC introduces 5 levels of security requirements:
- Level 1: The first level requires basic cybersecurity practices, including anti-virus software, strong passwords, and overall, fairly standard measures.
- Level 2: The second level is designed to protect controlled unclassified information, and as such, requires more complex measures:
  - Access controls
  - Awareness and training
  - Identification and authentication
  - Configuration management
  - Audit and accountability
  - Incident response
  - Media protection
  - Physical protection
  - Personnel security
  - Security assessment
  - Risk assessment
  - Systems and communications protections
  - Systems and information integrity
- Level 3: The third level is based on an extension of the NIST 800-171 r2 standards. There are 47 security controls that must be in place to comply with this level.
- Level 4: The fourth level requires contractors to be proactive when it comes to measuring, detecting, and defending against threats. Some requirements are similar to those in DFARS, but contractors must also be prepared to handle advanced persistent threats.
- Level 5: The fifth and final level includes 30 extra security controls above and beyond level four that must be put in place. They revolve around auditing and management processes as opposed to technical requirements.
Need Expert Assistance Implementing CMMC?
Don’t leave the defense contracting sector just because it’s become more difficult to stay compliant. If you’re looking for guidance, Intelice Solutions is here to help.
Becoming CMMC compliant with our expert assistance is easy:
- Contact our team and book your free CMMC consultation at a time that fits your schedule.
- Our team will assess your systems to determine your current state of compliance.
- Our team will lay out the necessary changes to achieve CMMC compliance.
- You can continue to work with the DOD without having to worry about your compliance.