The DoD’s Cybersecurity Maturity Model Certification (CMMC) 2.0 more closely aligns with NIST 800-171 — a cybersecurity standard used in private and public sectors — than the previous CMMC program. The DoD’s 2.0 maturity model assesses contractors’ cybersecurity capabilities for protecting controlled unclassified information (CUI) and federal contract information (FCI).
The original CMMC framework had five levels of certification ranging from basic cybersecurity postures to sophisticated technologies to stop Advanced Persistent Threats (APTs). Release 2.0 reduces the certification levels to three by eliminating transition levels two and four.
- Foundational: Level 1 only applies to companies with FCI data. Protecting the information requires 17 controls for the basic safeguarding of FCI data. It focuses on reducing user access, storing protected materials, and restricting physical access.
- Advanced: Level 2 adds protection of CUI data. The framework uses NIST 800-171, with its 14 control families and 110 security controls.
- Expert: Level 3 reduces the risk of successful APTs. These requirements establish a framework for defending against ongoing threats from cybercriminals.
CMMC is a maturity model, meaning that companies are evaluated on a continuum of cybersecurity capabilities. Instead of producing a requirements document with a set date for compliance, the maturity model assesses how far along that continuum a company's capabilities have progressed.
What Is CMMC Certification?
CMMC requirements align with the different CMMC compliance levels. Every contractor must conduct an annual self-assessment. The self-assessment serves as a benchmark for businesses to ensure they are moving toward the maturity of their cybersecurity plans.
Level 1 Certification requires contractors to complete a self-assessment and identify the people and facilities that store, use, or transmit FCI data. In addition, they must identify the technology used to protect the FCI at rest and in transit. Companies must also check that their supply chain vendors’ access to their systems complies with DoD requirements.
Certification at Level 2 requires a third-party assessment. Contractors must be assessed by accredited CMMC Third Party Assessment Organizations (C3PAOs) or certified CMMC assessors. The accredited or certified entities have completed a rigorous process for evaluating a contractor’s CMMC compliance.
Certification requirements for Level 3 are under advisement. Because the assessment must address APTs, the tools and methods are more complex. For example, how will contractors demonstrate the ability to protect against a sustained attack on resources? How can that environment be simulated?
Cybersecurity Maturity Model Certification assesses contractors’ cybersecurity capabilities. Based on where a company is on its security journey, the requirements vary. However, the farther along a business is on the journey, the more stringent the standards.
How to Become CMMC Certified
The first step in the certification process is to read CMMC 2.0 to identify where your business fits in the maturity model. Then, assess where you stand concerning the requirements. A vulnerability assessment records where you are and where you need to be. It can also provide a roadmap for preparing for CMMC certification and compliance.
Complying with CMMC can take months to complete. Given the projected implementation date of July 2023, now’s the time to begin the process. If your organization needs a third-party assessment for certification, you need to consider lead times. The closer it gets to July 2023, the harder it will be to find slots for third-party audits. Because auditors must go through a certification process to become accredited, the number of providers is limited.
Failing an audit requires remediation. First, your business must correct the deficiencies and request a retest. But this process takes time and money. It’s more cost-effective to conduct internal assessments until you are comfortable with your cybersecurity model. Only then should you request a test date.
How to Find a Partner for Your Cybersecurity Maturity Model Certification Process
Reading through pages of requirements on everything from physical security to compliance reporting can be overwhelming. Deciding on a path to achieve CMMC compliance can feel impossible. It can also be costly; for example, vulnerability assessment and penetration testing should be performed with automated tools, which adds expense.
Cask Government Services has years of experience servicing government agencies and their contractors. We have the tools and expertise to guide you through the process from beginning to end. Contact us today to discuss how to achieve CMMC certification.