From CMMC Readiness Assessment through Compliance Monitoring & Maintenance, we help your organization identify security gaps, create an action plan for remediation, and establish ongoing compliance measures.
What is CMMC?
The Cybersecurity Maturity Model Certification (CMMC) is the standard the government will use to mandate cybersecurity practices for contractors across the Defense Industrial Base (DIB). The CMMC framework includes a comprehensive set of processes and practices associated with achieving a cybersecurity maturity level. CMMC is designed to give the Department of Defense increased assurance that a company can adequately protect sensitive unclassified information, and in doing so protect and secure our nation’s supply chain. The DoD released the new requirements for CMMC, titled CMMC 2.0, in November 2021.
Any organization that contracts with the Department of Defense will require some level of CMMC certification unless it sells only commercial-off-the-shelf products.
The 3 Levels of CMMC 2.0
CMMC 2.0 is broken down into three levels. Each level represents a greater degree of cyber hygiene, and because each level builds on the cybersecurity posture of the one below it, each level also includes a larger set of processes and practices.
CMMC Level 1
Geared towards businesses that provide general supplies and services, CMMC Level 1 focuses on the protection of Federal Contract Information (FCI) and applies if you do not store or process Controlled Unclassified Information (CUI) or Covered Defense Information (CDI). This CMMC level is considered Foundational Cyber Hygiene and consists of 17 basic cybersecurity practices. You can complete an annual internal assessment to attain this level.
CMMC Level 2
CMMC Level 2 focuses on the protection of CUI and covers all of the security requirements found in NIST 800-171. Level 2 is considered Advanced Cyber Hygiene and consists of 110 security practices. Organizations that are managing CUI that is critical to national security will require triennial third-party assessments.
CMMC Level 3
CMMC Level 3 requires an organization to optimize its process implementation across the business. Level 3 focuses on the protection of CUI and consists of 110+ security practices as defined in NIST 800-172. Level 3 is considered Expert Cyber Hygiene. Organizations attaining Level 3 will require triennial government-led assessments.
The CMMC consists of 17 domains, with each tier layering additional processes and practices onto each domain. The domains include:
Audit & Accountability
Awareness & Training
Identification & Authentication
System Communications Protection
System & Information Integrity
Why CMMC Matters
Concern about the risk of cybercrime against government organizations is founded on the resulting risk to national security. The CMMC is intended to assess and enhance the cybersecurity posture of organizations that serve the Defense Sector. The risks around cybercrime are not confined to the Defense Sector, however, and all organizations should be focused on cybersecurity. Even if you are not engaging in government contracts, you should still have a Cybersecurity Assessment completed for your organization. The annual impact of cybercrime is over $600 Billion! Cybercrime is not just targeted at enterprise organizations; it is heavily targeted at small and medium businesses. Small businesses make up 54% of the Department of Defense contracts.
Mandated by the CMMC Interim DFARS Rule, this report is a line-item scorecard showing the results of the implementation review of each of the 110 controls included in NIST SP 800-171, and the total score based on the Department of Defense’s official scoring rubric, with a starting maximum score of 110 and specified deductions made for non-implementation of a given control.
The System Security Plan is the foundation of NIST 800-171 compliance. It must contain the system boundary; operational environment; how security requirements are implemented; and the relationships with or connections to other systems.
POA&Ms describe why an organization cannot yet satisfy a requirement, the steps planned to address the shortcoming, and the date by which the plan will be executed. You are required to document how you plan to correct deficiencies and reduce or eliminate vulnerabilities in your system. The POA&M will show how many of the security requirements still need to be fully implemented. The POA&M is a requirement of the Interim Rule and includes information about security control implementation weaknesses and gaps found during the assessment. Our POA&M report is delivered in Excel format and follows the DoD’s best-practices template.
Executing your POA&M and achieving full compliance can be a full-time effort. However, completing the POA&M and implementing your remediation plan will ensure compliance with NIST and ensure you are prepared for CMMC.
Often overlooked, maintaining compliance with DoD security standards can be a complex undertaking, and it requires a documented plan and sometimes daily activities. Once your assessment is done and plans to remediate any unfinished requirements are in place, it’s time to move into the maintenance phase.
Why Do You Need a CMMC Consultant?
The CMMC Accreditation Body (CMMC AB) manages the Third-Party Assessor Organizations (C3PAOs). You will need to engage a C3PAO in order to achieve your CMMC certification. The CMMC is heavily based on NIST SP 800-171, a NIST Special Publication that provides recommended requirements for protecting the confidentiality of controlled unclassified information (CUI). The NIST Cybersecurity Framework outlines all the ways data needs to be protected to create a more secure organization. To make sure assets are adequately protected from malicious actors and code, the framework applies the same procedure each time. There will not be a self-assessment for the CMMC.
Abel Solutions offers a CMMC Readiness Assessment to prepare your organization for the certification process.
While authorized and accredited C3PAOs are responsible for conducting the CMMC assessments, it is essential to note that you should first complete an internal readiness assessment. A readiness assessment will take you through the process for CMMC compliance before you submit your request to be certified, and it will help document your current security posture and your action plan for compliance. This is also known as a Gap Analysis, because it determines how far you are from compliance. Our readiness assessment process consists of the following five steps: