The Defense Department’s new high-profile cybersecurity regulation, CMMC, is on schedule for implementation this year. The CMMC Certification is part of the Defense Department’s push to protect industrial base networks and controlled unclassified information from cyberattacks. The CMMC rules will require contractors to be certified by third-party auditors, which will ensure that companies adhere to specific standards. Organizations will be required to meet different security requirements depending on the type of work they are doing, with level 1 being the lightest and level 5 the most stringent.
What is CMMC?
CMMC stands for Cybersecurity Maturity Model Certification. The CMMC will encompass multiple maturity levels that range from “Basic Cybersecurity Hygiene” to “Advanced/Progressive.” The intent is to incorporate CMMC into Defense Federal Acquisition Regulation Supplement (DFARS) and use it as a contract award requirement.
Why is the CMMC Certification Important?
CMMC is intended to serve as a verification mechanism to ensure appropriate levels of cybersecurity practices and processes are in place to ensure basic cyber hygiene as well as protect controlled unclassified information (CUI) that resides in the Department’s industry partners’ networks.
All 300,000 DOD contractors (except for providers of commercial-off-the-shelf goods) will need to get an in-person assessment and be certified to one of the five levels of cybersecurity maturity by an assessor to be awarded a contract from the DOD.
By 2026, the Pentagon plans to require all contractors to earn a CMMC certification before they’re eligible for new awards. The type of work they’re bidding on will determine which of the five levels of CMMC accreditation they’ll need.
Five levels of CMMC Certifications
The CMMC establishes five certification levels that reflect the maturity and reliability of a company’s cybersecurity infrastructure in safeguarding sensitive government information on contractors’ information systems. The five levels are tiered and build upon each other’s technical requirements. Each level requires compliance with the lower-level requirements and institutionalization of new processes to implement specific cybersecurity practices.
- Level 1: A company must perform “basic cyber hygiene” practices, such as using antivirus software or ensuring employees change passwords regularly to protect Federal Contract Information (FCI). FCI is “information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government.” It does not include public information or certain transactional information.
- Level 2: A company must document certain “intermediate cyber hygiene” practices to begin to protect any Controlled Unclassified Information (CUI) through the implementation of some of the US Department of Commerce National Institute of Standards and Technology’s (NIST’s) Special Publication 800-171 Revision 2 (NIST 800-171 r2) security requirements. CUI is “any information that law, regulation, or government-wide policy requires to have safeguarding or disseminating controls,” but does not include certain classified information.
- Level 3: A company must have an institutionalized management plan to implement “good cyber hygiene” practices to safeguard CUI, including all the NIST 800-171 r2 security requirements and additional standards.
- Level 4: A company must have implemented processes for reviewing and measuring the effectiveness of practices and established other enhanced practices to detect and respond to changing tactics, techniques and procedures of advanced persistent threats (APTs). An APT is defined as an adversary that possesses sophisticated levels of expertise and significant resources that allow it to create opportunities to achieve its objectives by using multiple attack vectors.
- Level 5: A company must have standardized and optimized processes across the organization and additional enhanced practices that provide more sophisticated capabilities to detect and respond to APTs.
Speed up your CMMC Certification Process
You need to expand your business’ services into government markets while minimizing performance and operational risks. Accomplish this with our industry-leading, innovative, and cost-effective CMMC solutions and C3PAO services.
CMMC is a program that enables DoD contracting organizations to meet and demonstrate the security requirements embedded in FISMA and the NIST publications, so that an agency may conduct business with confidence that its contract holder is meeting those requirements.
Continuum GRC provides CMMC, NIST-based, and C3PAO solutions for public and private DoD contracting organizations. We work smarter, not harder, to drive down your costs by giving you access to Continuum GRC’s IT Audit Manager application, the top ranked CMMC-ready SaaS GRC audit software solution. This solution is the only FedRAMP High assessment application tailor-made for the CMMC.
Our proven CMMC assessment approach and technology dramatically speed up the assessment process. We average a 46% reduction in traditional assessment time due to our critical path methodology, proactive philosophy, and use of the Continuum GRC IT Audit Manager platform. You have 24/7 access, allowing everyone to get in and get out quickly.
The cybersecurity experts at Continuum GRC have in-depth knowledge of the cybersecurity field, continually monitor the latest information security threats, and are committed to protecting your organization from security breaches. Continuum GRC offers full-service and in-house risk assessment and risk management subscriptions, and we help companies worldwide sustain proactive cybersecurity programs.
Continuum GRC is proactive cyber security®. Call 1-888-896-6207 to discuss your organization’s cybersecurity needs and find out how we can help your organization protect its systems and ensure compliance.