The Cybersecurity Maturity Model Certification (CMMC) is a unified standard for assessing the cybersecurity posture of Department of Defense (DoD) contractors and subcontractors - but indications are that most if not all Government Agencies will adopt the requirements of CMMC.
The CMMC framework includes three levels of cybersecurity maturity, each with a set of controls and processes that must be implemented and maintained to achieve compliance. The need for compliance with CMMC is driven by the DoD's commitment to safeguarding its sensitive data and intellectual property from cyber threats. The DoD relies on contractors and subcontractors to perform critical functions and provide essential services, making them potential targets for cyber attacks. Compliance with the CMMC framework helps to ensure that these contractors and subcontractors have adequate cybersecurity measures in place to protect against cyber threats and prevent unauthorized access to sensitive information. CMMC compliance is also essential for contractors and subcontractors who want to compete for DoD contracts. Starting in 2025, all DoD contracts will require compliance with at least one of the five CMMC levels. Therefore, contractors and subcontractors who do not comply with CMMC risk losing business opportunities and potentially damaging their reputation in the industry. CMMC MATURITY LEVELS
The CMMC Framework requires a systematic approach to certification mapped to three organizational maturity levels: Foundational, Advanced, and Expert.
Level 1 - Foundational. An organization must demonstrate basic cyber hygiene practices, such as ensuring employees change passwords regularly to protect Federal Contract Information (FCI). FCI is "information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government."
Level 2 - Advanced. An organization must have an institutionalized management plan to implement good cyber hygiene practices to safeguard CUI, including all the NIST 800-171 r2 security requirements and processes
Level 3 - Expert. An organization must have standardized and optimized processes in place and additional enhanced practices that detect and respond to changing tactics, techniques and procedures (TTPs) of advanced persistent threats (APTs). An APT is as an adversary that possesses sophisticated levels of cyber expertise and significant resources to conduct attacks from multiple vectors. Capabilities include having resources to monitor, scan, and process data forensics.
CMMC FRAMEWORK LEVELS
The CMMC framework, links the model to a systematic approach to achieve certification level, consists of several assets: domains (14), and practices (110+) corresponding to the certification level.
Level 1 (Performed: 17 practices). An organization must demonstrate basic cyber hygiene practices, such as ensuring employees change passwords regularly to protect Federal Contract Information (FCI). FCI is "information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government."
Level 2 (Managed: 110 practices). An organization must have an institutionalized management plan to implement good cyber hygiene practices to safeguard CUI, including all the NIST 800-171 r2 security requirements and processes.
Level 3 (Optimizing: 110+ practices). An organization must have standardized and optimized processes in place and additional enhanced practices that detect and respond to changing tactics, techniques and procedures (TTPs) of advanced persistent threats (APTs). An APT is as an adversary that possesses sophisticated levels of cyber expertise and significant resources to conduct attacks from multiple vectors. Capabilities include having resources to monitor, scan, and process data forensics. In summary, the need for compliance with CMMC is driven by the DoD's commitment to protecting its sensitive data and intellectual property from cyber threats and is essential for contractors and subcontractors who want to compete for DoD contracts.
Comments