The United States Department of Defense (DoD) requires any organization within the Defense Industrial Base (DIB) to follow the Cybersecurity Maturity Model Certification (CMMC) compliance framework. This cybersecurity standard is derived from multiple cybersecurity standards, frameworks, and references and is organized into maturity levels ranging from level 1 to level 3.
To achieve a specific CMMC level, a DIB company must demonstrate that the required CMMC level practices have been implemented and processes have been institutionalized for an extended period. The specific CMMC level a DoD contractor, subcontractor, or business associate must achieve depends on where and how they process, store, or transmit federal data.
CMMC Services and Support
If you’re looking to achieve CMMC compliance, our CMMC Registered Practitioners™ can assist you in identifying your security gaps, creating a remediation plan, and managing your compliance-related tasks.
Start your journey to compliance here. We assess your current compliance posture, systems, and controls to determine how far or close you are to meeting your compliance obligations.
This service is designed for organizations who have identified their CMMC security gaps and are looking for support to implement remediation solutions and manage their CMMC compliance program.
The US Department of Defense (DoD) requires organizations that it conducts business with to adhere to the CMMC framework, pending completion of rulemaking, which is expected in 2023. The framework outlines the cybersecurity standards an organization must meet to handle Controlled Unclassified Information (CUI). CUI must be safeguarded at every stage of its existence (in use, in storage, and in transmission) until it is destroyed, disseminated, or decontrolled.
The Department of Defense created the CMMC framework to protect their supply chain, known as the Defense Industrial Base (DIB). If you are a DoD contractor or subcontractor, you are required to follow the CMMC framework. If you do business with DoD members in the DIB or have plans to bid on future DoD contracts, you also will need to adhere to CMMC standards set forth by the DoD.
For an organization to achieve CMMC compliance, it must identify and remediate the deficiencies in its defenses as they relate to its required CMMC level. A CMMC Gap Analysis is the first step toward compliance. A CMMC Gap Analysis looks at the current state of your security technologies and processes and identifies missing or ineffective security controls based on your CMMC level. With these findings, a path towards CMMC compliance can be outlined.
According to the DoD, CUI stands for Controlled Unclassified Information and is defined as Government created or owned UNCLASSIFIED information that must be safeguarded from unauthorized disclosure. CMMC was created in part to protect federal data accessed by organizations in the DoD supply chain.
Achieving CMMC 2.0 compliance means that all organizations who transmit, process, or store CUI must follow and be compliant with NIST 800-171. NIST stands for the National Institute of Standards and Technology. NIST 800-171 is a voluntary cybersecurity framework consisting of standards, best practices, and guidelines that helps organizations better manage and reduce their cybersecurity risks.
CMMC is organized into levels ranging from the basic level 1 to the highest level 3. Each level is cumulative and demonstrates a progression of cybersecurity maturity. At a high level, the DoD currently describes them as:
- FOUNDATIONAL / LEVEL 1: Safeguard Federal Contract Information
- ADVANCED / LEVEL 2: Protect Controlled Unclassified Information
- EXPERT / LEVEL 3: Protect Controlled Unclassified Information and reduce risk of Advanced Persistent Threats
Your level is determined by the type of contracts you bid on as well as the federal data you hold and process.
Once CMMC 2.0 is implemented, assessments will be conducted in the following ways:
- Certified C3PAO assessor audit, or
- DoD audit.
The type of contracts you hold and bid on determines how you will be assessed. Level 1 assessments will always be self-assessments conducted annually. Some Level 2 contractors will only need to self-assess annually. Some Level 2 and all Level 3 organizations will be required to be audited by a C3PAO or DoD assessor every three years.
C3PAO stands for CMMC Third Party Assessment Organization. This is an organization that is authorized to conduct CMMC assessments and report findings to the Department of Defense.
Systems Engineering is not a C3PAO assessor. We do not conduct CMMC compliance audits. We provide CMMC Registered Practitioners and compliance consultants who will prepare your organization for a CMMC audit.
A CMMC Gap Analysis involves reviewing your current systems and controls to determine how far or close you are to meeting compliance requirements dictated by your CMMC level.
A CMMC Assessment is done by an authorized C3PAO who discloses assessment findings to the DoD. If no deficiencies are found during their assessment, the C3PAO issues your organization the appropriate CMMC certificate.