What Is A Cybersecurity Maturity Model Certification? (CMMC)

The Cybersecurity Maturity Model Certification is a new unified standard for implementing cybersecurity across the defense industrial base (DIB). The CMMC is the Department of Defense's (DoD) response to significant compromises of sensitive data located within its supply chain, which consists of over 300,000 companies.

Preparing For Your CMMC Audit

We recognize that CMMC has created several questions for you and your team, such as:
  • Am I ready for a CMMC audit?
  • What maturity level does my organization need to pursue?

3 Steps You Can Take To Ensure You're Ready To Meet CMMC Requirements:
  • Get a System Security Plan (SSP) and a Plan of Action and Milestones (POA&M) in place.
  • Configure your existing environment, or build a new environment, to NIST 800-171 r2 compliance. Many contractors are moving to Office 365 GCC High or other cloud providers to ease this process.
  • Begin building budgets for the enhanced support requirements and modifying rates to include the enhanced security requirements. Weigh the costs and consider outsourcing security, compliance, and information system management to a Managed Service Provider (MSP).

The Five CMMC Levels Explained

CMMC Version 1.0 outlines five different maturity levels for organizations, which range from maintaining basic cyber hygiene to implementing an advanced cybersecurity program.

1. Basic Cyber Hygiene

CMMC level 1. This first level includes basic cybersecurity appropriate for organizations utilizing a subset of universally accepted standard practices, at least in an ad hoc manner. This level has 17 security practices that must be successfully implemented.

2. Intermediate Cyber Hygiene

CMMC level 2. At this level, an organization is expected to establish and document standard operating procedures, policies, and strategic plans to guide the implementation of its cybersecurity program. Practices at this level are documented, and access to CUI data requires multi-factor authentication. This level includes an additional 55 security practices beyond those of Level 1.

3. Good Cyber Hygiene

CMMC level 3. An organization assessed at CMMC Level 3 will have demonstrated good cyber hygiene and effective implementation of controls that meet the security requirements of NIST SP 800-171 Rev 1. Organizations that require access to CUI and/or generate CUI should achieve CMMC Level 3. CMMC Level 3 includes an additional 58 practices and indicates a basic ability to protect and sustain an organization's assets and CUI; however, at CMMC Level 3, organizations will still have challenges defending against advanced persistent threats (APTs).

4. Proactive Cyber Hygiene

CMMC level 4. At this level, an organization will need to implement advanced and sophisticated cybersecurity practices. The processes at this level are periodically reviewed, adequately resourced, and improved across the enterprise. The organization has the capability to adapt its protection and sustainment activities to address the changing tactics, techniques, and procedures (TTPs) in use by APTs. This level has an additional 26 practices beyond the first three levels.

5. Advanced/Progressive Cyber Hygiene

CMMC level 5. Here, an organization has an advanced or progressive cybersecurity program with a demonstrated ability to optimize its cybersecurity capabilities to repel APTs. For process maturity, a CMMC Level 5 organization is expected to ensure that process implementation has been standardized across the organization. The processes involved at this level include continuous improvement across the enterprise and defensive responses performed at machine speed. This level requires an additional 15 practices.

CMMC Assessment & Gap Analysis

This is your first step in preparing for CMMC compliance. We will perform a traditional CUI assessment covering all 110 controls in NIST SP 800-171 plus the additional 20 practices required in CMMC Level 3 (130 in total). Depending on your organization's infrastructure, we will complete the compliance assessment onsite or through remote access.

Upon completion of the CMMC assessment and gap analysis, we will provide a detailed list of all the action items needed to achieve your desired level of compliance. We will also deliver an executive-level briefing addressing significant concerns.

CMMC System Security Plan Engagement

For organizations that have more robust IT knowledge, we will work alongside their IT department to manage the compliance paperwork and procedures while they implement the CMMC measures.

The SSP Engagement includes writing and maintaining the CMMC System Security Plan (to meet ML 3.997, ML 2.998, & ML 2.999). We will write policies for the protection of FCI and CUI across the organization. The SSP Engagement will include quarterly and annual updates.

Start Your System Security Plan Engagement